Let us start with fundamentals: ALL software has flaws (referred to as “bugs”). This could be for a variety of reasons but the very fact that developing complex software is, well a complex task, it is natural that bugs are introduced without the knowledge of designers.
These bugs are important because many of them are used by attackers to gain access to or even take control of the software. The more bugs that someone knows about, oftentimes, it is easier to “hack” that piece of software.
So, your phone’s base operating system (iOS, Android) can (and likely has) bugs but so do the various apps that you run: WhatsApp, Twitter, iMessage, Games, TikTok, etc.
Security researchers and hackers spend a lot of time and effort to uncover these bugs. One with the intention of reporting/fixing them, while the other with the intent of using them to “hack” your phones.
In fact, there is a serious underground market for previously unknown vulnerabilities, called “zero day vulnerabilities”. They’re named thus since no one has seen them before and, more importantly, they haven’t been used in an attack before.
Some bugs are harder to find than others. iOS/Android bugs are probably harder to find because Apple/Google do a pretty good job of testing their software and try to eliminate these vulnerabilities, either ahead of time or as soon they find them (not always true).
As a result, some of these harder/lesser known vulnerabilities can fetch hundreds of thousands of dollars (even millions!) in underground markets!
The “buyers” in these transactions can be criminals but they can also be government agencies (think NSA, Mossad, RAW) or even “security” firms, say the NSO Group (creators of Pegasus).
How is access gained to phones
So, how do attackers gain access to your phone? What do these bugs help them achieve? There are many “entry vectors”, i.e. methods to gain access to a device (or multiple devices)? I'll list THREE common methods here.
ONE. The simplest way is to just install software. Let’s say they gain access to (steal!) your phone for a few minutes and install the software and return it to you. But there are more sophisticated ways emerging.
TWO. Another way is to send a message with a link. Say, a text or WhatsApp message (or email) that has a link. When you click on that link, some code runs on your phone that takes advantage of these zero-day vulnerabilities and allows the attacker access to your device.
Once they’re in your phone and depending on the access (control an app like WhatsApp or iOS/Android system itself), they can do lots: read/copy your messages; turn on your mic/camera and record at will; corrupt/erase your data; steal bank passwords You name it!
Example, they send you a WhatsApp message with a link -you click the link -they take control of your WhatsApp and, say, remotely download all your chats. They may even send messages from your phone without your knowledge and this leads to the next part.
To increase their chances, attackers could make the link look legitimate (it is from Twitter) or send a message from one of your trusted family/friends. This is called “social engineering”, specifically “spear phishing”.
There was a recent scam on twitter where a “verified’ account pretended to be twitter support and sent messages to people and got them to click a link from where they hijacked phones.
Now a really astute user may say, “ha! I will refuse to click on any link so I cannot be hacked”. While this does protect you a bit, it is not a perfect solution.
Enter “zero click attacks” [THREE]
Remember those bugs I mentioned? Sometimes they can be “exploited” even without the victim knowing of it. Zero click attacks bypass the need for user interactions (e.g. clicking a link).
One example: they just send you a text message. The moment it is delivered to your phone, the attack begins! The message could include some special text (that looks like gibberish) or an image that triggers one or more bugs in the app/phone!
Once such a bug is triggered, the attackers can get full or partial control of your phone! And you may not even have realised this happened! They can even delete the messages once they take control, leaving no traces behind!
From all the reports I’m reading, the Pegasus attacks used a combination of these methods over the last 5-6 years. They started with installing software on select phones, then spear phishing 2-3 years ago and, more recently, the zero-click attacks.
Zero click attacks are even starting to target other parts of your phone, e.g. Apple Music!
Possible Protection Options
Some things you can do to protect yourself: don’t open unknown links, be suspicious of messages/calls from unknown numbers (yes calls can be used too!) and *most importantly*: keep your phone+apps up to date! This is your best chance of remaining safe.
At the end of the day, if a major player (a nation state, a large corporation, etc.) wants to hack your phone, then there is little one can do to prevent it. Even Jeff Bezos’s phone was hacked using similar methods and possibly using Pegasus!
I guess the alternative is to shrug our shoulders and try our best. If they hack us, they hack us I suppose. In any case, I hope this helps. Awareness will increase the pressure on companies to keep their software up to date (more secure!).
Credit: Twitter thread by https://twitter.com/sibinmohan
Sibin Mohan is a Research Assistant Professor in the Dept. of Computer Science and the Information Trust Institute at the University of Illinois at Urbana-Champaign. He has pioneered research to improve the resiliency and security of real-time and cyber-physical systems.