What is Pegasus?
Pegasus is targeted mobile-phone malware developed by the NSO Group and sold to governments.
It’s regularly used against human rights activists.
How can you stop Pegasus?
Well, you can’t stop it per se (except step 6 below). But you can reduce risk with SOME of the steps below:
1) GrapheneOS mitigates buffer overflows with a hardened memory allocator (malloc).
A buffer overflow attack is when a program writes past the end of a buffer, corrupting adjacent memory, which an attacker can use to leak information. We covered this in our animated video on GrapheneOS, which you can find here. And this article covers the basics of DeGoogled phones.
2) Always use a VPN for DNS. Avoid trusting the ISP’s DNS.
DNS stands for Domain Name System, and it’s how domain names (such as example.com) get matched to IP addresses or locations. Corrupt governments can hack or manipulate routers or cell-tower DNS to redirect you to different websites or services and then download malware to your system. Additionally, by using a VPN you encrypt all your packets, so the ISP’s infrastructure can be treated as untrusted.
3) Don’t use SMS over the cell network; use VoIP only over WiFi.
VoIP or Voice over IP is just as good as regular phone lines. The person you’re talking to won’t even know the difference. We covered VoIP burners extensively in our review found here.
4) Avoid a SIM card; instead use an external FOSS WiFi router that you own, such as:
In your home: DD-WRT, OpenWrt, (with) OPNsense or pfSense
Tiny on the go: Raspberry Pi with OpenWrt, or GL.iNet
You can plug a USB modem into the GL.iNet router for portable WiFi access while keeping physical isolation from the internet source. Then only encrypted VPN traffic flows through the router.
If you’re too lazy to do this, then prefer an external ISP-provided hotspot over an in-phone SIM. We covered a lot of these different choices in our previous article on avoiding cell tower geolocation.
5) Pegasus can be delivered by sending you a link, so:
6) Avoid WhatsApp, Facebook’s apps, iMessage, and other big tech apps
As The Intercept reports, WhatsApp is an example of an app known to be vulnerable to zero-click exploits from Pegasus. This is a type of attack where the user does not even have to click the link to become infected. Zero-click exploits are why it’s very dangerous to use these insecure spyware apps such as WhatsApp; we instead recommend Signal, XMPP, SimpleX, and Element.
If Facebook has to be used, avoid the mobile app and instead do so in a separate web browser on a PC where it can be properly isolated. (A virtual machine for Facebook can be considered for very high risk targets that need to use the site, but for the average person this is likely overkill and an isolated separate web browser is fine.)
7) You could consider a tiny PC with WiFi, such as a LattePanda or Raspberry Pi, INSTEAD of a phone, because these have no internal cell-tower baseband modem. The default Pi distro can run Signal, or for example:
8) Detect Pegasus on GrapheneOS or stock Android with the attestation tool app:
This app compares your current operating system to the stock Android or official GrapheneOS version to detect malware.
9) As for iPhone, you’re better off with the Mobile Verification Toolkit (MVT) from Amnesty International.
This scans the device for known spyware using research from Amnesty International and Citizen Lab, comparing it against known “indicators of compromise”. According to TechCrunch, these include things like domain names known to be part of NSO’s infrastructure:
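To show what the domain-indicator part of such a scan looks like, here is an added example (not MVT’s own code, and not from this article) that checks browser-history style records against an indicator list. The indicator domains and the log records are constructed placeholders; real indicator lists come from Amnesty International’s MVT project. It also handles the subdomain edge case, so that a hostname under an indicator domain is a hit but a different domain that merely ends with the same letters is not.

```python
from urllib.parse import urlsplit

# Constructed placeholder indicators (reserved .example/.test names).
# A real scan would load the published IoC list instead.
IOC_DOMAINS = {
    "bad-infra-placeholder.example",
    "another-placeholder.test",
}

# Constructed sample records shaped like a browser-history export:
# (timestamp, URL). Lines 2 and 4 should match, line 3 must not.
SAMPLE_RECORDS = [
    ("2021-07-01T10:00:00Z", "https://www.wikipedia.org/"),
    ("2021-07-01T10:01:02Z", "https://cdn.bad-infra-placeholder.example/x?id=1"),
    ("2021-07-01T10:02:00Z", "https://notbad-infra-placeholder.example/"),
    ("2021-07-01T10:03:00Z", "http://another-placeholder.test:8080/"),
]

def hostname_of(url):
    """Return the lowercase hostname of a URL (no port, no trailing dot), or None."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None

def matches_ioc(host, ioc_domains=IOC_DOMAINS):
    """True if host equals an indicator domain or is a subdomain of one.

    Matching on label boundaries avoids the classic false positive where
    'notbad.example' would be flagged for the indicator 'bad.example'.
    """
    if not host:
        return False
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ioc_domains:
            return True
    return False

def scan_records(records, ioc_domains=IOC_DOMAINS):
    """Return (timestamp, url, matched_host) for every record that hits an indicator."""
    hits = []
    for ts, url in records:
        host = hostname_of(url)
        if matches_ioc(host, ioc_domains):
            hits.append((ts, url, host))
    return hits

if __name__ == "__main__":
    for ts, url, host in scan_records(SAMPLE_RECORDS):
        print(f"{ts} indicator hit {host}: {url}")
```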
Some will think this list is extreme, but you can do only SOME of these depending on your situation. You should also consider most of these things anyway for general privacy and security. If you want help, reach out to us to schedule tech support for phones, routers, Linux PCs, or whatever else you need.