Not even at the height of the myth of Pegasus was Pegasus more devastating than it is now – not even in the battle that killed the monster Chimera. Pegasus may be regarded merely as a Greek myth, but in the present day it is the most sophisticated spyware, built to keep its target under surveillance in a manner hardly detectable or preventable by the safest of systems.
Built on the so-called ‘Zero-click technology’, Pegasus poses the most significant challenge yet to cyber security experts and systems, making a mockery of the iOS and Android Operating Systems, which are regarded as, and indeed pride themselves on being, the best and most secure privacy-ensuring Operating Systems.
Cyber Attacks and the Myth of Cyber Security
Cyber security refers to the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from cyber-attacks. It entails the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks, with the aim of, at least, reducing the risk and exposure of a device to cyber-attacks whilst protecting against the unauthorised exploitation of systems, networks and technologies.
On its part, a cyber-attack is regarded as any attempt to steal, alter, expose, destroy, or gain any information from a person/organisation through unauthorized access and by the use of one or more computers against a single or multiple computers or networks. It is the gaining or an attempt to gain illegal access to electronic data stored on a device or a network. Cyber-attacks are on the rise and there are several types of them which a system can be subjected to.[1]
Amongst cyber security experts, there is unanimity in the knowledge that the implementation of cyber security does not guarantee full protection from cyber-attacks. However, the implementation provides reasonable safeguards, some of which are regarded as more or less impenetrable.
Certain Operating Systems are built on this and are claimed to be the safest and incapable of penetration by cyber attackers. For instance, Apple claims that its iPhones are the safest and most secure mobile device in the market due to its tried and trusted iOS which undergoes constant upgrade. Google’s Android OS is not far off either. These systems are designed to ensure that people feel safe and are guaranteed of their privacy and security from spying or surveillance when using their mobile devices. Indeed, that is the aim of cyber security and data protection laws, the world over.
Enter, Pegasus…
The narrative would begin to change in 2016, after a failed attempt to install the Pegasus spyware on an iPhone belonging to a human rights activist led to an investigation. Between 2016 and 2021, Pegasus spyware has attained unprecedented sophistication and can now be installed on any device – primarily mobile devices – without any interaction with the owner of the device, thanks to the ‘Zero-click technology’.[2] Common vectors of the Pegasus spyware are SMS, WhatsApp, iMessage, calls, etc., and once installed on a device, it gathers data from the affected device and communicates same to the attacker.
To put things in perspective, once installed, Pegasus can have access to all SMS, Emails, call logs, photos, videos, location, contacts and chats of the victim as well as activate the victim’s microphone and camera such that it records the audio and visual communication of the victim for transmission to the attacker – all these undetectable by the device’s owner.
A Pegasus attack targets a device’s “zero day” vulnerabilities,[3] obtaining the device’s ‘root privileges’ or ‘administrative privileges’ in the process. It is also said that once a device has been infected, Pegasus has more control over it than the owner of the device.[4] The effect of an attack on a device’s zero day vulnerability is that even where the manufacturer is able to identify and remedy those flaws, the attacker is able to exploit new flaws. This has led to the assertion that the manufacturers only try to get better while the attackers get worse.
Besides the foregoing, there are other attributes of Pegasus that make it the world’s most feared spyware: Pegasus is effective across all Operating Systems, self-destructs when it is unable to connect to the server after sixty days of installation or when installed on a wrong device, and is, at present, almost impossible to prevent or detect.[5]
Pegasus and Cyber Security
While cyber security is broad and meanders around infinity, there are certain minimum cyber security tips owners of devices are expected to follow in order to keep their devices reasonably safe from cyber-attacks. Some of the tips are regular update of devices when updates are available, use of password managers to avoid password attacks, use of two-factor authentication, giving serious thought and consideration before downloading Apps or clicking a link, and using a VPN App, especially when using a public WiFi. These safety tips are designed to protect devices from common types of cyber-attacks.
Rather unfortunately, Pegasus spyware, whilst being a form of malware attack, is not a common attack and is unpreventable by any of the above tips. Its ‘zero click’ feature chides these tips, which are rather more effective against password and social engineering attacks. Several assessments have shown Pegasus bypassing iOS 14.0 and other updated versions of the iOS.[6] It would appear that at present, cyber security is helpless in the face of Pegasus’ advance. Asked how to prevent a Pegasus attack, Claudio Guarnieri of Amnesty International’s Security Lab retorted that: “the real honest answer is nothing”.
Pegasus and Data Protection Laws
Data Protection entails cyber security. It is the end product of cyber security as data cannot be protected in this digital age without cyber security. As a concept, data protection seeks to provide minimum regulatory and/or organizational standards for the protection of the personal data of natural persons.
In Nigeria, the Nigerian Data Protection Regulation, 2019 (“the NDPR”) caters for this. The EU General Data Protection Regulation (“the GDPR”) bulwarks against data breach in the EU and is seen as the standard. Both the NDPR and the GDPR define personal data in such terms as to include location data, footage, names, email addresses, phone numbers and indeed anything capable of identifying a natural person (data subject).[7] These personal data indicators are essentially what Pegasus targets when it infects a device. It thus goes without saying that a successful Pegasus attack is a breach of both the NDPR and the GDPR. What is more, processing of personal data using Pegasus cannot be fitted into any of the lawful bases for processing under both the NDPR and the GDPR.
A question may arise as to whether the NDPR, nay the GDPR, applies in situations of Pegasus attack, given that the processing of personal data of the victims of the attack is itself unlawful since consent was not obtained. Prima facie, the processing is unlawful and criminal. However, it is to prevent such attacks that the NDPR and GDPR were formulated, underlying the application of the NDPR.[8]
A caveat to the foregoing, however, is when Pegasus is used to attack a corporate organization. Certain remedies may lie to such organizations and the attack may well constitute a crime under relevant cyber-crime laws. However, it does seem that such an attack cannot constitute a breach of the NDPR or the GDPR, as organizations are not data subjects under these regulations.
Perhaps, the point should be made that the Pegasus spyware is developed by an Israeli tech company, the NSO Group, to help nations combat terrorism. At present, the spyware is sold for hundreds of millions of United States Dollars only to countries, meaning that it is not in the possession of individuals.[9] However, Pegasus has been shown to be used by state actors for espionage and political surveillance. According to a Washington Post report, three serving Presidents, seven former Prime Ministers (some of whom were serving at the time of the attack) and one King have been targeted with Pegasus.[10] This is a particularly dangerous act of espionage given the capabilities of Pegasus and ultimately offends the data localization principle.
National Security and use of Pegasus
Under the NDPR, personal data can be processed for public interest without the need for consent. By Article 2.5 of the Guidelines for the Implementation of the NDPR in Public Institutions, processing of personal data for national security is an exemption to the requirement for consent. It seems that the aggregate of the NDPR and the Guidelines is that processing can be done even without the consent of the data subject where it is necessitated by public interest and national security.
However, the NDPR does not contemplate the surveillance of data subjects. Rather, the NDPR only allows for the processing of personal data irrespective of the consent of the data subject in cases where this exception applies. Consequently, provision is not made for the criminal gathering of personal data by surveillance, spyware or phishing. In fact, use of Pegasus to obtain personal data of individuals will constitute a crime under Section 32 of the Cyber Crimes (Prohibition) Act, 2015 which criminalizes acts of phishing and spamming.
However, in a country where the government is actively in pursuit of perceived criminals, one would not be surprised to learn of the deployment of the Pegasus spyware on journalists, agitators and political opponents alike.
To conclude, the Pegasus spyware poses the most significant threat to cyber security in the modern day. Somewhat sadly, it seems it will take some time for experts to get a grip on it, while for its users, it will only mean attacking other vulnerabilities. The die is cast and cyber security appears to finally be realizing that it is not the king after all.
Abraham is an Associate at the Firm of Solola & Akpana. He is a member of the Firm’s Data Protection Compliance and Dispute Resolution Practice Groups. He is also a member of the Firm’s Corporate/Commercial Practice Group providing a wide range of legal representation and advice to a broad spectrum of clients in the Oil and Gas, Banking/Finance, Fintech and private sectors on various transactions and regulatory compliance.
He has several articles on data protection/privacy law, international law and Intellectual Property Law published in his name and has routinely audited and filed data audit reports on behalf of several multinational and national companies in Nigeria, to NITDA.
He obtained his LL.B from Ambrose Alli University, Ekpoma and was called to the Nigerian Bar in 2019. He also holds a certification in Data Protection.
Abraham particularly has data protection, intellectual property, sports/entertainment law and fintech as his niche whilst also excelling in dispute resolution.
Reach Abraham at abrahamaigba@gmail.com; 08131993172
[1] Common cyber-attacks are malware attacks, phishing attacks, denial of service attacks, man in the middle attack, social engineering attack, password attack, etc.
[2] What this implies is that without as much as the owner of the device clicking a link, downloading an App or answering a call, Pegasus can be installed on the device.
[3] Zero day vulnerabilities refer to an Operating System’s flaws either not yet known to the manufacturer or which the manufacturer is yet unable to rectify.
[4] https://amp.theguardian.com/news/2021/jul/18/what-is-Pegasus-spyware-and-how-does-it-hack-phones (last accessed on July 21, 2021)
[5] To detect whether a phone has been infected with Pegasus or not, the phone is sent for digital forensic cyber security lab analysis, which of course is a luxury in Nigeria.
[6] https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/ (last accessed July 22, 2021)
[7] See Articles 1.3 and 4.1 of the NDPR and GDPR respectively.
[8] It would be rather naive to imagine that the attackers will present for compliance with the NDPR/GDPR. But as the attackers, at present at least, are governments/government institutions or at least government-linked, compliance with the NDPR may well be an issue particularly when the information/data is declassified.
[9] True as this may be, sight should not be lost of the fact that these countries are represented by individuals. What has happened with Pegasus is that rather than being used against terrorists, it has been used to attack journalists, human rights activists and opposition figures by heads of countries. Its deployment has been more in misuse than in use. More so, it cannot be claimed that Pegasus has only been sold to governments; certain individuals have been able to lay hold of the spyware.
[10] https://www.washingtonpost.com/world/2021/07/20/heads-of-state-pegasus-spyware/ (last accessed July 22, 2021)