Pegasus Episode Should Not Make You Give Up Hope of Communicating Securely

The reality is that while you may not be able stop an attack like this, you can do a lot to mitigate surveillance in general.

Since the revelations about the Pegasus spyware having been used to snoop on more than a hundred Indians, many are justifiably worried.

You may think that if you are doing things that the government or powerful interests may not like, then it may seem like all the more reason to arrive at the decision that because you cannot do anything about the snooping, it is best to stop using your phone or stop communication altogether.

Some may feel equally justified in reaching the conclusion that you should forget about security and go about your business seeing that you cannot protect yourself any way.

It is true that it is very, very hard to protect yourself against a hack like this. Perhaps not with Pegasus, which has probably run aground, but other hacks of this kind will most likely occur again.

But that does not mean you should give up on either communicating, or on communicating securely.

Because the reality is that while you may not be able stop an attack like this, you can do a lot to mitigate surveillance in general. And if you do that, you will also mitigate the consequences, should you suffer a Pegasus style attack.

Also watch: Pegasus Spyware: Who All Were Snooped on and Why?

Let’s start by noting that attacks like Pegasus, by their very nature, are rarely conducted against large numbers of targets.

Some have noted that Pegasus is very expensive, but that is not the fundamental reason.

Pegasus is a targeted individual hack that seeks to break the protections built into computer and phone operating systems. All hacks like this follow the same method. They rely on finding what are known as “zero day vulnerabilities”, namely bugs in a software that even the developer does not know about (hence “zero day”, as in zero days of warning).

This bug is then used to infiltrate the operating system of the phone or computer, and from there to monitor and attack other software. Use of zero days makes Pegasus-style attacks almost impossible to stop in advance.

Indeed, it should be noted that there is nothing wrong with WhatsApp as such, and this hack is not a reason to stop using it. All modern software is so complex that it is likely to contain one or more such bugs.

This hack is not a reason to stop using WhatsApp. Photo: Reuters/Dado Ruvic

But it is very, very hard to find these bugs in any well designed software package. In January, for instance, zero day “marketplace” Zerodium was offering million dollar prices for new zero days in WhatsApp (and one and a half million dollars for zero days to break iPhones).

The problem for someone wanting to snoop, however, is that even after they go to all this effort or expense to obtain a zero day vulnerability, it only remains useful as long as it is a secret. If someone notices that the bug is being exploited, the software developer will fix it (just as WhatsApp did). Then the hacker or intelligence agency has to go back to the drawing board.

Also read: Israeli Spyware: Ask Not What Pegasus Does, But How Powerful Actors Operate in India

Developers and hackers are in a constant arms race of this kind. And often someone does notice. Even highly targeted attacks like the US sponsored Stuxnet worm – aimed at disabling Iran’s nuclear centrifuges – were eventually caught by researchers.

Hence, an attacker will rarely use a zero day vulnerability to en masse attack, say, tens of thousands of people. That would ensure the bug is caught and fixed quickly. Moreover, zero days often have other problems – they may only work in some configurations, and they often require individually targeted effort to exploit (in this case, for instance, the NSO Group had to craft an SMS with a link the target would be inclined to click on, or forge a WhatsApp call to their number, etc.).

As a result, in most cases, even intelligence agencies with lots of money would prefer not to use hacks like this. Instead, they try to sweep up mass data that is easy to get rather than going after individual phones. This was what Edward Snowden exposed in 2013 – the mass collection of metadata (who is calling whom, who is emailing whom) as well as emails, text messages and other data that is not encrypted and is available without any effort at all.

All of this means that even if you are doing work that you think is likely to be under surveillance, chances are that you are not being targeted by a specific zero day hack.

In turn, this means that you are probably not being targeted by surveillance that is impossible to stop. Chances are that you and everyone else are being subjected to wide surveillance that is aiming to sweep up your communications and get easy data about you and everyone you communicate with, and that kind of surveillance can be in fact made much harder with relatively simple measures.

The good news is that the same measures can help you, to an extent, mitigate targeted hacks too. For instance, good quality encryption means that in order to access your communications, simply sweeping up data is not enough.

Even a zero day hack, in order to reach you, has to allow access to the stage at which information is decrypted (this is what Pegasus was able to do, but, as said, that particular zero day has now been fixed). Similarly, keeping software up to date is the single biggest protection you can have against both general surveillance and zero day vulnerabilities.

Also read: India Turns to WhatsApp For Answers, But What Should We Really Be Asking?

Moreover, good security practices can ensure the best protection of all – not having data that you don’t need. Data cannot be stolen from you by a hacker if you don’t have it in the first place.

Simple steps can reduce the data you have, such as the ‘self-destructing messages’ or ‘disappearing messages’ functions in many messaging apps that delete messages automatically after a certain period of time.

How do you take these steps? Read one of the several free guides on the internet. The Electronic Frontier Foundation offers a short guide on “surveillance self-defense” here.

This is an even shorter guide for protecting against surveillance in developing countries like ours.

Citizen Lab offers a Security Planner which offers an easy configuration guide for your phone and your computer.

If you’re one of the people warned that you’ve already been hacked by Pegasus, or you have been in touch with people who have been, these steps are not enough, of course. You should follow the steps recommended by Citizen Lab.

It shouldn’t take more than half a day, followed by some basic protocols, to take measures to protect your communications better. It’s true that none of this can give you absolute protection, but it does make it harder to attack you.

In the ultimate analysis our best protection is a free society in which, when atrocities are committed against one, others can stand up in their defence. If we give up communicating, or we give up security because “nothing works” and just do whatever comes to mind, we give the snoopers exactly what they want – the chance to crush our privacy, our freedom to communicate and our ability to stand up. And they won’t even need to spend a paisa or hack our phones to do it.

Amit Shrivastava is a Delhi-based analyst.