{"id":44839,"date":"2022-01-13T20:35:47","date_gmt":"2022-01-13T20:35:47","guid":{"rendered":"https:\/\/www.darkreading.com\/dr-tech\/how-to-protect-your-phone-from-pegasus-and-other-apts"},"modified":"2022-01-13T20:35:47","modified_gmt":"2022-01-13T20:35:47","slug":"how-to-protect-your-phone-from-pegasus-and-other-apts","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-protect-your-phone-from-pegasus-and-other-apts\/","title":{"rendered":"How to Protect Your Phone from Pegasus and Other APTs"},"content":{"rendered":"

Amnesty International reports that Pegasus, the “legal surveillance software” from Israeli company NSO Group which has been used to surveil human rights activists, journalists, and lawyers around the world, has been found on 37 devices belonging to 35 journalists in El Salvador<\/a> as late as last November.<\/p>\n

Over the past few months, I received a lot of questions from concerned users worldwide about how to protect their mobile devices from Pegasus<\/a> and other similar tools and malware. First, let me warn you that no list of defense techniques can ever be exhaustive. Additionally, as attackers change their modus operandi, defense techniques need to adapt. <\/p>\n

We should start by saying that Pegasus is a toolkit sold to nation-states at relatively high prices. The cost of a full deployment may easily reach millions of dollars. Similarly, other advanced persistent threat (APT) mobile malware may be deployed through zero-click zero-day exploits. These are also extremely expensive \u2014 as an example, Zerodium, an exploit brokerage firm, pays up to $2.5 million USD for an Android zero-click infection chain with persistence.<\/p>\n

From the start, we come to an important conclusion \u2014 nation-state sponsored cyberespionage is a vastly resource-intensive endeavor. When a threat actor can afford to spend millions, tens of millions, or even hundreds of millions of dollars on their offensive programs, it is very unlikely that a target will be able to avoid getting infected. To put it bluntly: It\u2019s not a question of whether you get infected, it\u2019s just a matter of time and resources before you get infected.<\/p>\n

Now for the good news \u2014 exploit development and offensive cyberwarfare are often more of an art than an exact science. Exploits need to be tuned for specific OS versions and hardware, and they can be easily thwarted by new OSes, new mitigation techniques, or even small random events.<\/p>\n

With that in mind, avoiding infection also comes down to making things more expensive and difficult for the attackers. Although we may not always be able to prevent the successful exploitation and infection of our mobile device, we can try to make it as hard as possible for the attackers. How do we do this in practice? Here\u2019s a simple checklist:<\/p>\n

On Apple iOS Devices<\/strong>
Reboot daily.<\/strong> According to research from Amnesty and CitizenLab, the Pegasus infection chain often relies on zero-click zero days with no persistence, so regular reboot helps clean the device. If the device is rebooted daily, the attackers will have to re-infect it over and over again. Over time, this increases the chances of detection; a crash or artifacts could be logged that give away the nature of the stealthy infection. This is not just theory, it\u2019s practice \u2014 we analyzed a case in which a mobile device was targeted through a zero-click exploit (likely FORCEDENTRY). The device owner rebooted their device regularly and did so in the 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots.<\/p>\n

Disable iMessage<\/strong>. iMessage is built into iOS and is enabled by default, making it an attractive exploitation vector. Because it\u2019s enabled by default, it is a top delivery mechanism for zero-click chains. For many years, iMessage exploits were in high demand, with top payouts at exploit brokerage companies. “During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some (of) them,” Zerodium’s founder Chaouki Bekrar wrote back in 2019 to Wired<\/a>. We realize this may be very difficult for some (more later), but if Pegasus and other high-end APT mobile malware is in your threat model, this is a tradeoff worth taking.<\/p>\n

Disable Facetime.<\/strong> Same as above.<\/p>\n

Keep the mobile device up to date. <\/strong>Install the latest iOS patches as soon as they come out. Not all attackers can afford zero-click zero days; many of the iOS exploit kits we are seeing target already patched vulnerabilities. Nevertheless, many people run older phones and postpone updates for various reasons. If you want to be ahead of (some) nation-state hackers, update as soon as possible and teach yourself not to need emojis to install the patches<\/a>. <\/p>\n

Don’t ever click on links received via SMS messages<\/strong>. This is simple advice, yet effective. To save the cost of zero-click chains, many hackers rely on one-click exploits. These arrive in the form of a message \u2014 sometimes by SMS, but also via other messengers or even email. If you receive an interesting SMS (or any other message) with a link, open it on a desktop computer, preferably using TOR Browser or a secure non-persistent OS such as Tails.<\/p>\n

Browse the Internet with an alternate browser such as Firefox Focus.<\/strong> Despite the fact that all browsers on iOS pretty much use the same WebKit rendering engine, some exploits do not work well (see LightRighter \/ TwoSailJunk<\/a>) on some alternate browsers.<\/p>\n

\n\"Showing\n<\/picture>
Source: Costin Raiu, Kaspersky GReAT<\/figcaption><\/figure>\n

User agent strings on iOS from Chrome: Mozilla\/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/96.0.4664.53 Mobile\/15E148 Safari\/604.1<\/em><\/p>\n

User agent strings on iOS from Firefox Focus: Mozilla\/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) FxiOS\/39 Mobile\/15E148 Version\/15.0<\/em><\/p>\n

Always use a VPN that masks your traffic<\/strong>. Some exploits are delivered through GSM operator MitM attacks, when browsing HTTP sites or by DNS hijack. Using a VPN to mask the traffic makes it difficult for your GSM operator to target you directly over the Internet. It also complicates the targeting process if the attackers have control over your data stream, such as while in roaming. Do note that not all VPNs are the same, and not every VPN is fine to use. Without favoring any specific VPN, here\u2019s a few things to consider when purchasing a VPN subscription:<\/p>\n