Pegasus spyware from the Israeli firm NSO Group is nearly invisible. It sends messages to compromise targeted phones without setting off any alarm bells to the phone’s user. There’s little you can do to protect yourself, say experts.
But little isn’t nothing.
Our guest today is Adam Weinberg, white hat mobile hacker and CTO of FirstPoint Mobile Guard. He joined us on the Threatpost podcast to discuss the news about the use of Pegasus – the notorious, military-grade spyware sold by the Israeli company NSO Group that’s been linked to cyberattacks and murders of journalists and NGOs – to surveil citizens.
As tracked in an investigation conducted by The Washington Post and 16 media partners, a data leak led the consortium to a list of more than 50,000 phone numbers of activists, journalists, business executives and politicians — possible iPhone and Android targets of the Pegasus malware.
The leaked data from the NSO Group is hinting at widespread Pegasus infections.
Early forensics of phones – representing just a tiny sliver of the handsets tied to the 50,000 phone numbers – reveal that traces of Pegasus have been found in 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi.
At least if you live in Israel, where FirstPoint has collaborated with wireless carriers, you have an option to protect your phone from spyware. As far as the rest of us go, there might be some protection in getting a new SIM card, along with service provided by a mobile virtual network operator (MVNO): a reseller for wireless communications services.
In this podcast, Weinberg explains how spyware attacks happen and how protection works. His advice can hopefully help journalists, activists, nongovernment organizations (NGOs) and companies as they seek to protect themselves from the governments and other cyberattackers that are targeting them with Pegasus-like spyware.
Download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
072121 11:36 UPDATE: Corrected Adam Weinberg’s title. He is CTO.
What follows is a lightly edited transcript of the podcast.
Lisa Vaas: Hi. Welcome to the Threatpost podcast. I’m Lisa Vaas. And I’m your host today? Our guest is Adam Weinberg, white hat, mobile hacker, and CEO of first point mobile guard. He is here to chat with us. The shocking news today about Pegasus software and the NS group, and how many phones were affected specifically, Adam is here to tell us how we can protect ourselves from spyware, Adam.
Welcome. It’s a pleasure to have you. It’s an honor to have. Thank you. Thank you. So you said that as I understand it, you can explain how media organizations and companies can protect themselves from Pegasus and similar technology. Because as we all know, it’s certainly not the only or spyware out there that can do tremendous damage and leave quite a lot.
Victims in its wake, particularly media organizations, human rights, activists and companies. So what are your thoughts on the news today, Adam?
Adam Weinberg: Okay. So as we, or most of us know where cellular devices, eh very vulnerable to 2, 2, 2 different types of attacks. Actually, we pay for the sake of convenience that we that we all of us want to have, you know, being connected all the time and being able to to be found and to be to be available to anybody anywhere we pay for this convenience.
With the price of being actually vulnerable to a different type of attacks. So we genuinely a. Eh, you CA you can, eh, generally fell two desktops, two to three types of attacks, which are accomplished by you know, organizations, some of them with, eh, some legal capabilities provided by the relevant government anywhere, some of them. Illegal body for individuals and thought, but usually take care of, take advantage of in model of the vulnerabilities that are available in the cell network.
And usually there are three types of vulnerabilities. The first one is, eh, You’ll seeing the fact that the seller long network is built in such a way that and a mess. Do you want to comment something? Oh no, no, no. I’m sorry. Sorry. Ignore me. Okay. So the first vulnerability is based on the fact that the cell around network and the connectivity between cell networks around the world is built in such a way that whenever there is some, some sort of message call or any other message to be others to you.
The connectivity in the network is such that you can be from, which means that. Yeah. Also, I take care of that knows how this information is forwarded in the exchange between the fellow networks can use the defect to perform a lot of damages. First of all, what we call location, tracking anybody. We, with the height knowledge in the high-tech to the silver.
Global seller network. It could, it could activity between networks can quite easily find the find out about your location. And sometimes this is very you know, very important and relevant and, and knowing and intuition in your privacy. And. But then some valuable, very valuable information to the taker.
Lisa Vaas: Well, forgive me for interrupting Adam, but it, it can also be deadly as we’ve seen in the murder of, of journalists, w the one in Mexico who was gunned down outside of a carwash.
Adam Weinberg: I will prefer not to fail to abuses of these possibilities and so on, but the possibility is the possibility there. And by manipulating the connectivity between the settlement networks, eh take care of can do a lot of damage. In addition to to, to take a given location, they can listen in to your, to the content of your communication as well.
And they also add the images. So this is the first type of Vulnerability that is utilized by a attackers to utilizing the fact that the, the intrinsic need or necessity for a cell around it networks to exchange information in order to provide you with the service that you expect to eventually want to be found by someone that One to send some information to you.
So this is the first type of attack. Second, second type of attack. If utilizing the fact that once you are using a mobile device you’re connected over there. Our our channel to the nearest base station and the settler network is built in such a way that your phone is looking for the. Best sail around to be connected to an attacker.
So using this effect to with with a device which pretends to be a genuine best station in the network, when actually it’s not genuine, it’s a fake best station utilized by, by the care for the purpose of convincing you have divided the field, the device with the genuine, eh best session your device has no way to usually has no way to differentiate between fake methylation and the real one, because all the information that is presented over the LF channel.
But the fact that session seems to be Noma there. Then when the device. The target device is connected to the fake best dish and operated by the target. You know, there are many type of take the, can be implemented, like, eh, listening in on your communication, delivering malware to your device and the, and much more. So [00:07:00] this is a, the second type of, eh, of the texts utilized by taken of for, for implementing a tech fellow, the vices and the third type of a tech, if, if more commonly known as cyber techs utilizing the fact that eventually your cellular device.
Connected to the, over the set alarm network, but eventually it is connected to the open internet and the like any device connected to the open internet. It’s a volume. The. Different types of attacks like malware, malicious side, and the routing of your communications were so malicious gateways and so on.
So in this respect, Your phone is like lepto one. It is the exposed to the open internet. It’s a window to a different type of fintechs. So those are, those are generally the suite type of attacks, which we mentioned are utilized by let’s say values organization. Some of them, you know, with legal authority, some of them without legal authority, but the, the, the possibilities up there and the device, the cellular devices are exposed to, to, to, to Two, a attackers, which are capable of implementing a lot of damages and extort a lot of significant information from the settler devices.
Now we are. We, we mentioned also the possibility of protecting against such attacks. So this is the wartime in involved in the recent years. I have. In, in my Bitcoin, I was implementing, you know some, let me call it intelligence gathering solutions for certain, the organizations and also commercial intelligence gathering solutions for, for some companies that I’ve worked for.
And some. Five six ago, years ago together with partner of mine, we have decided to move on, to go to the other side of the street. Let me say, and use the experience that we have gathered in the implementing, eh taking solution into providing, eh, eh, protection solution, which you know, Very unique and, and can provide the complaints of protection against all the types of threats.
To settle our devices, as I mentioned. So it’s from the no, for me an activity from the signaling and connectivity between within the Celeron networks and between I think from fake best stations and implemented over the open internet connectivity. And this is we’ve been, this is what we’ve been doing in the last year.
Lisa Vaas: Oh, well, let’s take a little bit, a little bit of a closer look at one of those types of attacks, which would be the stingray scenario that you described where the cell towers are. I mean, how in the world would you convince a phone’s technology? Not. To be able to differentiate between a stingray attack and real cell cell tower signaling.
Adam Weinberg: Okay. So let me just describe generally, without going into too much technical details, our solution is implemented, with two major components. One component is integrated with the core network of the mobile network operator with virtually part of the integrated within the coordinator called the mobile network pivotal.
The other part is implemented as a small piece of source software, which we’ll call the in-app plate, which is implemented on the same card of the protected device. And the we have a photo of protected. Keep a live link between the power that is on the same and the power that you’ve on the. Home network and by comparing various parameters about the connectivity to the network, we can we can detect possibilities.
Eh, we can raise the suspect that the conductivity is being made. Eh, eh, eh, we’re fake business. Also the, the possibility that the, by using distinct varied, the device is completely disconnected from the rail network. So the part that on the scene, the tech the situation, because the link to the home network, if disconnected now applies, and once we detect the situation, We start the process of challenging the the network from the SIM point of view and by this, eh, The challenge is met in such a way that only if it’s a tall cell, eh, we get the expected apply.
And if not, we we decide that if, if the, the, the connectivity to the network effect factor, [00:13:00] this is really interesting. So this has done in coordination with the wireless carrier. Did you say? Yeah. The part that, yeah, the part that is integrated with the home network is of course being implemented with support and coordination of of the mobile carrier.
Lisa Vaas: Well, not that raises some interesting aspects of the the report. About how US phones. IPhones are protected. And we were wondering like, what makes us iPhones? So protected, is it is it because the wireless carriers in the us are working with solutions like yours to protect them?
And they’re not in other countries. I mean, how, when you say you’re working with the wireless carriers in what countries are you, do you have that kind of cooperation in.
Adam Weinberg: Well, the only a country that we can disclose so far is this. We are walking with in cooperation with the largest carrier in England, working in other countries as well.
We still do not have any working solution with with the U S with scale. Mm. Yeah. Why not? Like what is it very difficult to iron these things out with the carriers? I mean, you know, young company, we are working on this, it’s still implemented. Fair enough. So does your solution work with Androids and iPhones?
I mean, I know the question I had about the report was. One of the major benefits of the. Solution of the ports that we have tooken in the, as I mentioned, if the tower solution is actually not implemented on the device itself, we just implemented on the seam in the device. And from the point of view of the scene, it doesn’t matter.
What is the AR device that’s better? What is the operating system of the device, whether it’s Android or iPhone, it doesn’t matter what a, you know, what version of the operating 50 with the some recent tab that was downloaded, the ethanol doesn’t matter, but also if it says some device connected to. Over the film over the cellular round network is out any operating system, like a small controller, like let’s say power meter or any, any device that is connected to the cellular network.
And they’re the same inside, or is. Can be protected with, by our solution. This is was our basic support. One of the unique, a unique things about the solution, right.
Lisa Vaas: But I’m still curious how journalists and activists and businesses can protect themselves. If they’re not in Israel, do you have advice for them?
Adam Weinberg: Yeah. Working in cooperation also with. So called the global MBA knows the carrier, which can provide you could activity globally. And let’s say one other 16 countries around the globe. And since we are already integrated with them by providing. You with the same of this global or no, we can, you can get protected connectivity everywhere in the globe, including in the us.
Lisa Vaas: And you, I’m sorry, you said a global NGO, Nongovernment organization?
Adam Weinberg: MVNO, mobile virtual network operator.
Lisa Vaas: Thank you so much. I didn’t didn’t hear that. Okay. So, so there’s still protection out there. Even if you’re not in Israel, that’s good to know. So what do people do to get that protection?
What exactly are the steps that they have to do? Get a new SIM card. Is it as simple as that?
Adam Weinberg: Just to just get a new SIM card and you are protected.
Lisa Vaas: That’s reassuring.
I would hope to a lot of people who might be targeted well, well, awesome. Is there anything else, any other advice you’d like to share with people who are probably a bit unnerved by the power of this spyware?
Adam Weinberg: Just, you know, just the usual advice regarding cyber security, be careful be aware of, of messages to us safe, do not connect to any link that you are. Get from unknown people.
Lisa Vaas: Well, that’s a advice. We give them all the time and then you get something like this and it’s like, it’s done without [00:18:00] messages.
It is sent by the messages that doesn’t give off any alerts. And it’s like, oh, but you’re right. Of course the standard advice is going to apply to many situations. I’m sure. Unless you have anything else you’d like to add, Adam, I’m going to let you go. Thank you so much for coming on the threat post today, Adam, this is such an important story and I’m glad somebody figured out how to protect some people from these horrible attacks.
Adam Weinberg: Thank you. Thank you, Lisa. Be well, thank you so much. Bye-bye.