Malwares, Pegasus, Snooping and National Security.18 Jul 2021
1) Why are we hearing about Malware, Ransomware and spyware often nowadays?
You hear it often nowadays, because it is being used indiscriminately by everyone. Just like most hi-tech like GPS, Wireless communications or other technologies, what was once used only by nation states, their military and espionage services, is now increasingly developed, deployed by Private companies, but are used by everyone (including corporates, cyber crime gangs and even nation states).
This means that their targets are also civilians, public personalities, journalists, human right defenders and other innocent people, but are spied upon only because it is possible to do so. As the number of people, who are spied upon increases, a small percentage of them are detected, and are reported in the public domain. Hence, one way to think about the increase in reports is the phenomenal increase in the number of people who are being spied upon.
2) What does a malware do, in general?
All malware does two things. It mostly takes out things (Personal data) from the infected devices, but sometimes can also implant things into the infected devices.
3) Who develops malware?
Malware is actually software. Hence it follows the same development model of software, which can be developed by anyone with good command on programming, Operating Systems. Just like how there are software companies, which develop, sell and maintain software for a fee, there are software companies which do the same for malware.
4) How does malware get in to the infected devices?
There are many ways for malware to get into your devices. But the most common method is via Phishing, where an attachment is sent as part of the email clicking which installs the malware or a link is sent in an email or a message, clicking upon which the malware is downloaded and installs itself on the device. Malware’s also gets installed via a layered approaches sometimes, where an existing malware can then install another malware and then delete itself from the devices.
5) Can my device be infected via a malware, even if I never click a link or download an attachment?
Unfortunately yes. This is done by using bugs that exist in the legitimate software installed in your devices such as browsers or even the Operating System itself.
6) Bugs? You said Bugs? Why are they not getting fixed?
One word incentives. Simply put, the software companies which develop software have warped incentives that don’t allow them to spend enough on securing their products, which leaves behind plenty of bugs that can be used by malware writers to compromise these devices.
7) But we are talking about multi-billion dollar revenue making companies like Microsoft, Apple, Google etc? Why can’t they do it?
Incentives again. But there is also complexity. Over a period of time, software has become complex enough that even companies with billion dollar revenues can’t find them before it used by malware developers. They however get good in fixing them faster though.
8) OK. What is this, I hear about Pegasus?
There are country guns and then there are tanks. A similar spectrum of capabilities exist in malware classes too. Pegasus is one of the most complex, complete military grade malware that is developed to infect mobile devices of all kinds using a variety of techniques. It was developed by the NSO group, funded by the Israel government, that develops this malware and can sell it to others anywhere in the world.
One way to think about Pegasus’ capabilities is that, it does a full takeover of your device and even though you own the device, it is in full control of the device. It can switch on the speakerphone and the camera and even record your conversations and meetings without you ever knowing about it and report it back to the control server.
A simpler way to explain Pegasus is that, it is equivalent of putting an intelligence agent in your house, who can not only see everything, but can also put things in your house (Like implanting documents, videos etc.)
9) Is there any way to defend against it?
I wish there exists a hopeful answer. But the reality is that, it is very hard to defend oneself against a military grade malware like Pegasus. Defending against Pegasus, requires level of awareness, that can only be called as borderline psychotic, and is not possible for everyone. Perhaps, reform of surveillance laws can help here, which makes it harder for the government of the day, to embark on a malware planting campaign or perhaps not.
10) Does Pegasus means no end-to-end encryption (WhatsApp, Signal etc.)?
No. It is not. Pegasus is still a very expensive solution and will cost several billion dollars to infect every mobile device in India. Hence it is not possible to do it at scale (even 1,00,000 devices). This means except for a small number of devices which were compromised, using secure messaging via E2E is still the best way to secure your communications.
11) So if I am not in the list, I am safe?
For now. But then there is always the IT Act Rules 2021, which mandates traceability and which cannot be done without breaking end-to-end encryption. So eventually if all the Social media intermediaries comply, then Pegasus is not required because the intermediaries will share all the data with the government. The government thus gets to surveill anyone w/o paying pegasus millions of dollars.