Last year, an international group of journalists published extensive and thorough new evidence about Pegasus, the spyware developed by the cyber-arms company NSO Group.
This notorious spyware has been used against journalists, activists, business executives, judges, lawyers, and even politicians around the globe.
It has infiltrated organizations with even the tightest cybersecurity practices. This has compelled some hacking experts to turn to security nihilism — the belief that if the most secure systems are vulnerable, nothing can be done to defend them.
However, that type of thinking is a mistake. While there is no such thing as “perfect security,” that is not an excuse for passivity.
This article will tell you how to defend against Pegasus spyware. We’ll look at practical steps to reduce your vulnerability and bolster your security practices and protocols, so you won’t be an easy target for this spyware.
How Dangerous Is Pegasus?
Pegasus grants the handler unrestricted access to the target’s mobile devices. This allows them to remotely and secretly acquire information about the target’s whereabouts, plans, relationships, phone conversations, and activities.
Here are some of the things it can do:
- Monitor VoIP and voice calls in real time
- Siphon passwords, files, contacts, and even encrypted content from a mobile phone
- Screen all the communication through applications like Facebook, WhatsApp, Viber, and Skype
- Track the location of the phone through GPS
- Possibly spy on you by listening through your phone’s microphone
However, despite all its publicity and hype, Pegasus is just a glorified version of a remote access trojan, a type of malware that has been around for a long time. This means that while Pegasus may be dangerous, it can be defended against, just as the security community has tackled other security threats.
How to Defend Against Pegasus Spyware
Let’s delve into different methods Pegasus uses to infiltrate and infect phones, its various agent installation vectors, and most importantly how to defend against them.
1. Avoid Social Engineering Clickbait
In many cases of Pegasus infection, journalists or human rights campaigners receive SMS and WhatsApp bait messages urging them to open dangerous links. The likelihood of the target clicking the link is affected by the content’s seeming credibility, as well as the target’s tolerance for risk.
Here are ways you can avoid falling for bait messages:
- Avoid messages that convey a sense of urgency, particularly regarding a package that’s about to arrive or charges on your credit card.
- If you aren’t sure the link can be trusted, type in the web address manually rather than clicking on the link in the message you received.
- Save websites that you frequently visit in a bookmark folder and access them only from the link that you saved.
- Use a URL expander to reveal the complete destination URL behind a shortened link before clicking on it.
- If a suspicious link appears to have been sent by a friend or family member, always confirm either through a call or other communication method that the link truly is from them and not a hacker.
- Practice device compartmentalization if possible. This is where you use a secondary device without any personally identifiable or sensitive information on it to open untrusted links.
- Use a browser other than your device’s default. Fortunately, Pegasus installation fails if the target is using an “unsupported” browser.
2. Prevent Network Injection Attacks
In numerous situations, Pegasus has infected devices via network injection attacks. It did so by capturing a phone’s network traffic using a man-in-the-middle (MITM) attack in which the spyware intercepted unencrypted network traffic, such as HTTP web requests, and redirected it toward harmful payloads.
When typing the website domain (such as yahoo.fr) into a browser address bar without providing a protocol (such as https://), the browser will try an unencrypted HTTP connection to the site. This opens the door to MITM attacks.
Here is how you defend against them:
- Make it a habit to always type (https://) when going to different websites.
- Bookmark secure (https) URLs and use them for efficient access.
- Consider a trusted virtual private network (VPN) for both your mobile and desktop devices. The VPN will thwart the MITM, as your connection is encrypted to the VPN even if you type a domain name directly without typing https.
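To apply the bookmark advice above, the following added example (not from the original article) scans a browser bookmark export in the common Netscape bookmark HTML format and lists every entry whose first request would go out unencrypted. The sample export and its hostnames are constructed.

```python
from html.parser import HTMLParser

NON_WEB = ("javascript:", "place:", "about:", "data:")  # not network addresses

class BookmarkLinks(HTMLParser):
    """Collect the HREF of every <A> entry in a bookmark export."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href.strip())

def classify(address):
    """How the first request for this address would leave the device."""
    if "://" not in address:
        # A bare domain such as "yahoo.fr" may be tried over plain HTTP.
        return "other" if address.lower().startswith(NON_WEB) else "no-scheme"
    scheme = address.split("://", 1)[0].lower()
    return {"https": "encrypted", "http": "plaintext"}.get(scheme, "other")

def audit(bookmark_html):
    """Return (original, kind, suggested https URL) for each risky bookmark."""
    parser = BookmarkLinks()
    parser.feed(bookmark_html)
    findings = []
    for href in parser.links:
        kind = classify(href)
        if kind in ("plaintext", "no-scheme"):
            # Suggestion only: confirm the site really serves HTTPS before saving.
            findings.append((href, kind, "https://" + href.split("://", 1)[-1]))
    return findings

# Constructed sample export (hostnames are placeholders).
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://mail.example/inbox">Mail</A>
<DT><A HREF="http://news.example/today">News</A>
<DT><A HREF="HTTP://forum.example/">Forum</A>
</DL><p>"""
```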
3. Evade Zero Click Attacks
While most infection attempts need the target to take some action, zero-click exploits do not. All that is required is that the targeted user has a specific insecure application or operating system installed.
According to a forensic study released by Amnesty International, Pegasus has gained access to some devices using zero-click attacks through the Apple Music and iMessage applications.
So here is what you can do to protect yourself from zero-click attacks:
- Have the bare minimum of applications on your device. Install only apps that you really need.
- For apps like iMessage that you cannot or do not want to remove, you can manually enable and disable them.
- Frequently audit your installed applications and pay special attention to their level of permissions. For most apps, you can select the level of access they have to the contents of your phone. Remove any apps you no longer need.
- Update your operating system as well as your apps to close vulnerability gaps.
- Classify or compartmentalize your remaining apps so that even if your device is compromised, the hacker will not be able to access all of your data.
Conclusion
Pegasus is sophisticated malware, but there are effective steps you can take to reduce the chances of your device becoming infected. While there is no guaranteed method to completely eliminate the possibility of a cyber attack, with the right approach to defending against Pegasus spyware, you can increase your security and decrease your risk.