Technical Analysis of the NSO Group's Pegasus Spyware
Published in | 2021 International Conference on Computational Science and Computational Intelligence (CSCI), pp. 747-752 |
---|---|
Main Authors | , , , |
Format | Conference Proceeding |
Language | English |
Published | IEEE, 01.12.2021 |
Subjects | |
DOI | 10.1109/CSCI54926.2021.00188 |
Summary: | This paper presents an analysis of the methodology used by the NSO Group to exploit a sequence of zero-day vulnerabilities in Apple's iOS and WebKit, with detailed explanations of how each vulnerability was used in sequence to compromise the target device, eventually delivering a rootkit. This exploit chain was used to compromise the devices of over 50,000 journalists, academics, politicians, religious figures, and other prominent individuals in order to extort, control, and monitor them. We discuss the history of the NSO Group, which packaged and sold this software, along with specialized rootkits, to totalitarian governments for dissident surveillance. We identify the common patterns and techniques used to carry out the Pegasus attack within existing literature from both academia and the cybersecurity industry. We explore potential defensive methods that vendors could use, such as static code analysis and detailed manual code review covering features that utilize memory management. We provide additional defensive methods for stakeholders in governments, businesses, and non-profits that may be affected by similar attacks, including well-developed anti-phishing training programs for all employees and mail filtering. |
---|---|