On Sunday, an international collaboration between The Washington Post, The Guardian and other media organizations, published a massive report detailing the global usage of a spyware tool called “Pegasus” to infiltrate personal cell phones. The Pegasus tool, which was developed an Israeli cybersecurity organization named NSO Group, was sold to the governments of countries including Hungary, Rwanda and India. The report found those governments used the spyware to surveil many individuals, including the family of slain journalist Jamal Khashoggi.
The information in Sunday’s report, obtained from a leaked list provided by Amnesty International and a Paris-based nonprofit media outlet called Forbidden Stories, contained tens of thousands of phone numbers belonging to journalists, activists and politicians, including French president Emmanuel Macron. The phone numbers are purportedly a collection of people of interest to the governments and clients who purchased the Pegasus tool.
Of 67 phones suspected to be infected and examined by Amnesty International, 37 devices, mostly iPhones, showed evidence of tampering or attempted tampering.
Here’s what to know.
The spyware in question, Pegasus, was developed by Israeli cybersecurity organization NSO Group, which sells its software to various clients, including governments, to track criminal and terrorist activity.
Pegasus can be used to infiltrate smartphones via apps like iMessage and WhatsApp, or by having victims inadvertently click a link containing the vulnerability. Spyware like Pegasus usually takes advantage of both known and unknown flaws in a computer’s operating system that have yet to be fixed. In the past, software from NSO Group has demonstrated the ability to be installed on devices with zero interaction from the victim, as actions like receiving a call from someone attempting to infect a device was enough to successfully penetrate the operating system’s defenses without raising any alarms. Like ransomware, the spyware exists in the smartphone’s memory, making detection difficult.
The access granted by the Pegasus spyware appears to allow hackers to gather copious amounts of data from a smartphone without issue, according to the report. It allows hackers to read text messages and email correspondence, track a user’s location, activate systems like the microphone and camera, gain access to contact data, and more.
While the leaked list provided by Amnesty International and Forbidden Stories contained around 50,000 phone numbers, that doesn’t necessarily mean the Pegasus spyware tool was used to compromise those phones. That being said, the number included various executives, government officials and pro-democracy activists, along with news reporters and journalists from outlets like Reuters, New York Times and The Guardian.
“Apple should block stuff like Pegasus,” says Swati Chaturvedi, an Indian investigative journalist who was potentially surveilled by the NSO software. “I have my doubts, whether it’s something they can’t fix, or whether it has been deliberately left unfixed.”
While your average smartphone owner might not be targeted by a nation’s government, the Pegasus revelations shed more light on our phones’ cybersecurity risks.
NSO Group responded to the allegations by denying its software was used on anyone besides its intended targets of criminals and terrorist organizations, and says it has taken steps in the past to stop clients who abuse the company’s surveillance technology.
While the number of hacked devices in the report pales in comparison to the billion-plus iOS devices in the world today, Pegasus spyware, unfortunately, reveals that no piece of technology is truly bulletproof. That doesn’t mean you should throw your phone in a Faraday cage, or go out and get an Android device (which are historically more vulnerable to malware attacks than iOS).
Apple maintains that iPhones provide users with a high level of security. It still claims the existence of a service like the Pegasus tool is a short-term threat, and not an issue for the vast majority of iPhone users.
“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place,” says Ivan Krstić, head of Apple Security Engineering and Architecture in a statement to TIME. “For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Still, Apple did not state whether or not it had patched previous vulnerabilities dating as far back as 2018.