How concerned should you be about Pegasus, the latest iOS spyware?
A few big stories in the news over the weekend reported on a piece of spyware called Pegasus, developed by NSO Group, which has been used to hack a number of phones, including iPhones, belonging to journalists, politicians, activists, and so on. It’s frightening stuff, but should you be concerned?
The short answer: probably not? TechCrunch’s Zack Whittaker linked to a tool, Amnesty International’s Mobile Verification Toolkit, that can help you check whether your phone was compromised.
I downloaded and tried out the Mobile Verification Toolkit so you don’t have to and, well, it’s definitely not user friendly. I had to install some command line updates via Homebrew, which took a little bit of trial and error after the instructions proved not to be exactly correct for my system, then had to make a decrypted copy of my iPhone backup, plus had to make sure I’d downloaded the correct definitions file to compare it to.
In the end, it popped up warnings about a couple dozen cases where my web browsing in Safari had been redirected, all of which appeared to be innocuous (things like being redirected from strw.rs to starwars.com), and one warning of a “known malicious file” that appeared to be a Crash Reporter preference file.[1]
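What that comparison step actually does, as an added example that is not the Mobile Verification Toolkit’s own code: a simplified re-implementation of the two kinds of check behind the warnings above. Browsing history is matched against domain indicators (with cross-site redirects reported separately, which is why a clean backup can still produce a pile of them), and the backup’s file list is matched against file-path indicators. The indicator bundle is assumed to use the STIX 2 layout of the public IOC files, but every value in it, the history rows, and the manifest rows are constructed for this example; the domain and path values are placeholders, not the published Pegasus indicators.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2 bundle in the same shape as a public IOC file. The values
# are made up for this example; they are NOT the real Pegasus indicators.
IOC_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator",
         "pattern": "[domain-name:value = 'ioc-domain.example']"},
        {"type": "indicator",
         "pattern": "[file:path = '/private/var/mobile/Library/Preferences/"
                    "com.apple.CrashReporter.plist']"},
        {"type": "identity", "name": "not an indicator; the parser must skip it"},
    ],
})

# Constructed rows standing in for Safari's History.db: the visited URL and,
# when Safari recorded a redirect, the URL it was redirected from.
SAFARI_HISTORY = [
    {"id": 1, "url": "https://strw.rs/abc", "redirect_from": None},
    {"id": 2, "url": "https://www.starwars.com/news", "redirect_from": "https://strw.rs/abc"},
    {"id": 3, "url": "https://ioc-domain.example/x", "redirect_from": None},
    {"id": 4, "url": "https://cdn.ioc-domain.example/y", "redirect_from": None},
    {"id": 5, "url": "https://notioc-domain.example/", "redirect_from": None},
]

# Constructed rows standing in for the backup's Manifest.db. HomeDomain is the
# backup's name for /private/var/mobile, so relativePath is a path suffix.
BACKUP_MANIFEST = [
    {"domain": "HomeDomain", "relativePath": "Library/Preferences/com.apple.CrashReporter.plist"},
    {"domain": "HomeDomain", "relativePath": "Library/Safari/History.db"},
]

# Matches the simple single-comparison STIX patterns such files are built from,
# e.g. [domain-name:value = 'x.example'] or [file:path = '/a/b'].
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\]$")


def parse_stix_indicators(bundle_json):
    """Group indicator values by 'type:property', e.g. {'domain-name:value': {...}}."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:  # unsupported compound pattern: skip rather than guess
            continue
        key = f"{m.group(1)}:{m.group(2)}"
        iocs.setdefault(key, set()).add(m.group(3))
    return iocs


def host_matches(host, ioc_domains):
    """True for the IOC domain itself or any subdomain of it, but not for a
    look-alike such as notioc-domain.example that merely shares a suffix."""
    host = host.lower()
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in ioc_domains)


def scan_safari_history(rows, iocs):
    domains = iocs.get("domain-name:value", set())
    findings = []
    for row in rows:
        host = urlparse(row["url"]).hostname or ""
        if host_matches(host, domains):
            findings.append({"kind": "domain_ioc", "id": row["id"], "url": row["url"]})
        src = row.get("redirect_from")
        src_host = urlparse(src).hostname if src else None
        if src_host and src_host != host:
            # Cross-site redirects get their own finding; most are benign, such
            # as a URL shortener sending you to the real site, so they are only
            # escalated when the source host is itself an indicator.
            findings.append({"kind": "redirect", "id": row["id"], "from": src_host,
                             "to": host, "ioc": host_matches(src_host, domains)})
    return findings


def scan_manifest(rows, iocs):
    findings = []
    for row in rows:
        rel = row["relativePath"]  # iOS paths are case-sensitive: compare exactly
        for ioc_path in iocs.get("file:path", set()):
            if ioc_path.endswith("/" + rel):
                findings.append({"kind": "file_ioc", "path": rel, "ioc": ioc_path})
    return findings


def run_scan(bundle_json=IOC_BUNDLE_JSON, history=SAFARI_HISTORY, manifest=BACKUP_MANIFEST):
    iocs = parse_stix_indicators(bundle_json)
    return scan_safari_history(history, iocs) + scan_manifest(manifest, iocs)


if __name__ == "__main__":
    for f in run_scan():
        level = "WARNING" if f["kind"] != "redirect" or f["ioc"] else "INFO"
        print(level, f)
```

Run against the constructed data this reports the strw.rs to starwars.com hop as a plain redirect, two domain hits (the indicator domain and a subdomain of it, but not the look-alike), and one file hit on the Crash Reporter preference file. A file-path hit on its own is weak evidence, which is the judgement call the footnote below makes: the same path can be written for legitimate reasons, so it matters whether any process, domain or redirect findings line up with it. With the real toolkit the equivalent workflow is `mvt-ios decrypt-backup` on the encrypted backup followed by `mvt-ios check-backup` pointed at the downloaded `--iocs` file.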
That’s not surprising to me: even given how widely this spyware has been used, it seems, again, to be a concern mainly for high-profile opponents of hostile regimes or companies. The average user is probably not going to be the target of very expensive and resource-intensive attacks like these.
However, it should still be of some concern that spyware now exists which can use previously unknown exploits to compromise a device without requiring the user to take any action (what researchers call a zero-click attack). That’s a new level of capability that, for obvious reasons, makes it difficult to take steps to protect yourself: the usual advice to avoid opening suspicious links, for example, doesn’t help at all.
The exploit was confirmed to work on iOS 14.6; as of this writing, Apple has not yet posted the details of the security updates in iOS 14.7, released yesterday, so it’s unclear whether this exploit still works. (One would hope that the timing of the stories about it was concurrent with the vulnerability being patched, but that entirely depends on when Apple learned of it.)
Phones remain attractive targets, given the amount of personal data we keep on them, so there’s going to be more and more money and resources poured into finding ways to compromise them. Here’s hoping the companies that make them can keep up.
[1] From what I can tell, Pegasus can try to disable Apple’s Crash Reporter, which involves writing said file, but given that I didn’t see any other flags, I think this is a case where that file was probably created for separate, legitimate reasons.