What precautions can one take?
Theoretically, astute cyber hygiene can safeguard against ESEM baits. But when Pegasus exploits a vulnerability in the phone’s operating system, there is nothing one can do to stop a network injection. Worse, one will not even be aware of it unless the device is scanned at a digital security lab.
Switching to an archaic handset that allows only basic calls and messages will certainly limit data exposure, but may not significantly cut down infection risk. Also, any alternative devices used for emails and apps will remain vulnerable unless one forgoes using those essential services altogether.
Therefore, the best one can do is to stay up to date with every operating system update and security patch released by device manufacturers, and hope that zero-day attacks become rarer. And if one has the budget, changing handsets periodically is perhaps the most effective, if expensive, remedy.
In its October 2019 report, Amnesty International first documented the use of ‘network injections’, which enabled attackers to install the spyware “without requiring any interaction by the target”. Pegasus can achieve such zero-click installations in various ways. One over-the-air (OTA) option is to covertly send a push message that makes the target device load the spyware; the target is unaware of the installation and, in any case, has no control over it.
This, a Pegasus brochure brags, is “NSO uniqueness, which significantly differentiates the Pegasus solution” from any other spyware available in the market.
Does the spyware always get into any device it targets?
Usually, an attacker needs to feed the Pegasus system nothing more than the target’s phone number for a network injection. “The rest is done automatically by the system,” says a Pegasus brochure, and the spyware is installed in most cases.
In some cases, though, network injections may not work. For example, remote installation fails when the target device is not supported by the NSO system, or its operating system is upgraded with new security protections.
Apparently, one way to dodge Pegasus is to change one’s default phone browser. According to a Pegasus brochure, “installation from browsers other than the device default (and also chrome for android based devices) is not supported by the system”.
In all such cases, installation will be aborted and the browser of the target device will display a pre-determined innocuous webpage so that the target does not have an inkling of the failed attempt. Next, an attacker is likely to fall back on ESEM click baits. All else failing, says the brochure, Pegasus can be “manually injected and installed in less than five minutes” if an attacker gets physical access to the target device.