On October 1, U of T’s Citizen Lab published a report titled “The Kingdom Came to Canada.” It details how McGill University student and Saudi human rights activist Omar Abdulaziz was cyberstalked by Saudi Arabian-linked agents.
The next day, journalist Jamal Khashoggi, Abdulaziz’s mentor, walked into the Saudi consulate in Istanbul and never walked out. Two months later, Citizen Lab scientists were targeted by undercover agents seeking information on their personal lives and current research. It reads like a Hollywood political thriller — only here, everyone involved is unfortunately real.
The software Pegasus is at the heart of the conspiracy. The spyware suite is produced and marketed by Israeli cyberarms firm NSO Group Technologies. It first came under media scrutiny in 2016, following the use of the software against Emirati activist Ahmed Mansoor.
Pegasus is capable of collecting private data — from phone logs to text messages — stored on a targeted cell phone. It can also actively trigger input devices, like a phone’s camera or microphone, which allows the recording of any activity in range of the device. All of this can be performed without the knowledge of the victim.
This is made possible by exploiting “zero-day” vulnerabilities in the device software. These are vulnerabilities previously unknown to the device vendors.
In their original 2016 report on the NSO Group’s spyware, Citizen Lab observed Pegasus gain access to an iPhone 5 through a disguised JavaScript download.
The downloaded code then exploited a memory corruption vulnerability in WebKit, the framework Apple’s Safari browser is built on, to run within Safari.
From Safari, the code reached the iPhone’s kernel — the core of iOS — through a second memory corruption vulnerability. Left unchecked, this allows unauthorized programs to run without the user’s knowledge.
In contrast to the sophistication of its software, Pegasus’ method of initial phone infection is identical to common “phishing” schemes. Exploit links — which masquerade as benign hyperlinks — are texted to the target which, upon being opened, prompt the JavaScript download.
This deception can take many forms; the Pegasus operator who targeted Abdulaziz, for example, impersonated news organizations by employing domain names like kingdom-news.com or arabworld.biz.
As documented in a September 2018 report “Hide and Seek,” Citizen Lab was able to trace a Pegasus operator by activating a known Pegasus link and observing the ensuing behaviour of the link and linked server.
By searching for similar patterns of hyperlink behaviour, the researchers identified 1,091 IP addresses and 1,014 domain names associated with Pegasus. Using a categorizing technique known as Athena, they then grouped these into the infrastructure of 36 distinct Pegasus operators.
Citizen Lab traced Pegasus infections to 45 countries by checking which networks’ domain name systems had looked up the domain names of Pegasus servers. Internet service providers (ISPs) in different locations run their own domain name systems, and infected devices use the domain name system of their local ISP, so a Pegasus domain name appearing in a given ISP’s system pointed to infections in that location.
These operators were then assigned names based on their activity of interest. For example, Abdulaziz’s cyberstalker was named “KINGDOM” due to its Saudi-centred activity.
“Based on the methodology outlined in Hide and Seek, we could observe infections ‘checking in’ at the [ISP] level, but nothing more in terms of granular detail,” explained Dr. Ronald Deibert, Director of Citizen Lab and a Professor in the Department of Political Science, in an email to The Varsity. This lack of detail means that there is insufficient evidence to concretely tie KINGDOM to a specific individual or the Saudi government.
Regarding reports of possible misuses of Pegasus, NSO Group said, “Contrary to statements made by [Citizen Lab], our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.”
In response, Citizen Lab clarified that it has not levelled any accusation against NSO Group’s intentions, but that research “continues to demonstrate some highly concerning real-world examples of the abuse of NSO Group technology in practice.”
To journalists, activists, and other individuals at risk of running afoul of a Pegasus operator, Deibert recommends using Citizen Lab’s Security Planner, as well as reading the Electronic Frontier Foundation’s Surveillance Self-Defense Guide. “This type of targeted espionage against civil society is a growing crisis of democracy,” said Deibert.
“The market for commercial spyware is largely unregulated, and prone to abuse.” Deibert emphasized that this is a new age of digital insecurity: because our portable devices are always on, they offer an easy point of intrusion into any individual’s private life.