If Alcatraz was the fictional “outlaw” horse whose “untamable streak” could not easily be contained by Red Jim, the hero of Max Brand’s Western, then the Greek mythological winged horse Pegasus was no different. After all, there too, when Bellerophon made a valorous attempt to fly to heaven, the horse bucked, and the hero ended up biting the dust.
(Ref: https://www.theoi.com/Ther/HipposPegasos.html). But the Pegasus that we are dealing with here is a horse of a different colour: a highly sophisticated, military-grade spyware created by the Israeli cyber intelligence firm NSO Group, a far more lethal, man-made, diabolic beast in a setting that has nothing to do with either an empty prairie in Arizona or an agora in ancient Greece.
The simmering debate over whether the Government of India sourced and used Pegasus to target the devices of journalists, activists, constitutional authorities, et al. (https://thewire.in/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance) has reached the Supreme Court. The court has now set up a committee of technical experts who have to enquire, investigate and determine seven aspects that clearly cover the depth and breadth of the case.
(https://thewire.in/law/seven-things-the-supreme-court-has-asked-the-pegasus-probe-committee-to-look-into). In many countries where it is believed that Pegasus has been misused, the investigation by the State and its responses thereafter have at best been lukewarm.
How exactly one should assess the announcement made in the first week of November by the Department of Commerce of the US, a country with the reputation of having run a mega surveillance project like PRISM, titled “Commerce Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities”, is anybody’s guess.
Or, for that matter, the MFRR’s (Media Freedom Rapid Response) obsecrations urging the EU Parliament for “…strong implementation of new European Union rules on the export of cyber-surveillance technology around the world” (https://www.article19.org/resources/eu-action-needed-to-tackle-spyware-abuses-after-pegasus-revelations/). Would these change the way the world conducts business in this domain? It seems highly unlikely.
In India’s case, as the stakeholders involved, who in many ways represent the pillars of a responsible democracy, grapple with the issue, it is fair to assume that the citizen will not be witness to a kayfabe.
However, the findings of the committee set up by the court, and the direction it provides in bringing about structural changes in how sophisticated cyber security tools like Pegasus are sourced, developed in-house or used going forward, will be studied and watched closely by concerned international groups.
The intent here, however, is not to delve into the merits of that case but to explore the dark underbelly of malware such as Pegasus, which has begun to proliferate over time in the free-for-all ‘wild west’ of the internet.
Giving priority to security, and building it into the inherent robustness of an IT product or solution from an early phase of the software development cycle, gained significance only slowly, even among major IT product companies. For instance, at the end of 2005 a security researcher discovered a vulnerability in MS Excel.
Under the pseudonym “fearwall”, his taunt posted on eBay about Microsoft’s delays in providing a fix had sarcastic overtones: he stated that it was reasonable to assume the company was not likely to release any patch for a while and that therefore “… since I was unable to find any use for this by-product of Microsoft developers. It is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product)…” (https://www.eweek.com/security/ebay-pulls-bidding-for-ms-excel-vulnerability/). The fact that the auction was quashed when the bidding reached $53 is another story.
Again, this was not a one-off incident in which technology giants stonewalled genuine security observations.
Consider the case of CanSecWest, a high-tech security conference that focuses on ‘applied digital security’. Pwn2Own is a biannual computer hacking contest held during this event, where participants “are challenged to exploit” hitherto unknown vulnerabilities, zero-days (so called because no one, including the manufacturer of the product, is aware of them at that point in time), in commercial software and devices.
The trigger for this event, which began in 2007, was perhaps that a well-intentioned security professional, Dragos Ruiu, did not get an appropriate response from Apple when flaws in its software were pointed out.
To rub salt into the wound, Apple’s television commercials at that time “trivialized the security built into the competing Windows operating system”, driving home the belief that Apple products were more secure than the rest.
So Ruiu decided to include two Mac machines for a penetration attempt in that year’s contest. The result: a high-profile flaw was exposed [https://en.wikipedia.org/wiki/Pwn2Own]. In both these instances, however, there was no wrongdoing on the part of the researchers, and the relevant tech companies, after the prod, developed patches and distributed them.
However, a report from October 2021, “Burned by Apple, researchers mull selling zero days to brokers”, suggests that the intransigent attitude of the “Biggies” perhaps continues even now (https://searchsecurity.techtarget.com/news/252508220/Burned-by-Apple-researchers-mull-selling-zero-days-to-brokers).
At that time, however, these incidents did have some impact on the digital ecosystem in general, as big players began (a) to focus more on stemming the vulnerabilities that arose from their product development and (b) to pay for information about vulnerabilities in their software through what are referred to as “white market bounty programmes”.
Notwithstanding this, the commercialization of zero-day vulnerabilities had begun. Kim Zetter’s 2014 book “Countdown to Zero Day”, which explores Stuxnet, the mother of all critical infrastructure attacks, has a dedicated chapter on “Zero-Day Paydays” that is instructive in several ways, documenting how we have booming “…underground black markets run by criminal hackers to the clandestine gray markets that feed the bottomless demand of law enforcement and intelligence agencies around the world”.
As she has argued, white market payments paled in comparison to what the gray market was offering. What is further intriguing is that this market was referred to as “gray” only because the buyers and sellers were seemingly well-intentioned, always having the best interests in mind, be it “public safety” or “national security”. If one man’s meat is another man’s poison, her observation that “…one person’s national security tool can be another’s tool of oppression…” is not off the mark.
But there is a more insidious underpinning: the tech companies that own the software are not made aware of the zero-day vulnerabilities transacted in the gray market, so they cannot release patches.
This meant that “…other Government agencies and critical infrastructure owners in the buyer’s own country” would be “…open to attack should foreign adversaries or independent hackers discover the same security holes and exploit them”. What is further worrying is to read that reputed US-based companies too “…have all been in the exploit game to varying degrees”.
The fact that this market continues to flourish is evidenced by the list of sites that trade in them. It is reported that a zero-day exploit for Adobe Reader goes for $60,000 and one for Apple iOS for $2,500,000 (https://lifars.com/2021/01/current-state-of-zero-day-exploit-market/). The MIT Technology Review states that 2021 has broken all records for zero-day hacking attacks: 66 attacks this year, twice the number in 2020 (https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/).
From a technical standpoint, to gain an insight into how techies discover zero-day vulnerabilities, albeit in a controlled environment, it is instructive to look at the Pwn2Own contest in some detail. For instance, the systems successfully hacked in April 2021 included, to name a few: Browser, Safari (Apple); Server, Microsoft Exchange; Communications, Microsoft Teams; Operating System, Windows 10. This gives an idea of the range of applications, platforms and devices that were successfully targeted in a defined timeframe
(Ref: https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results). For those not technically faint-hearted, the approach adopted by tech-security researchers can be better understood by watching a demo by the Flashback team (https://www.flashback.sh/): Pedro, the master exploit crafter, and Radek, the IoT breaker, won $55,000 at Pwn2Own 2019 by hacking into a TP-Link router (https://www.youtube.com/watch?v=zjafMP7EgEA). That this could be executed only in a LAN environment does not take the sting out of the break-in.
It is against the above backdrop that we need to see Citizen Lab’s findings. While closely monitoring NSO’s product line and its adverse impact, it discovered multiple zero-day vulnerabilities that the Pegasus spyware exploits (https://appleinsider.com/articles/21/09/23/apple-patches-ios-zero-day-vulnerability-exploited-by-pegasus-spyware#:~:text=Over%20the%20past%20few%20months,and%20other%20persons%20of%20interest.).
But that’s not all. The venom in the sting takes on a different proportion when the zero-click element kicks in. It literally means no click required: no interaction of any form is required from the end user, and so there is no social engineering component involved.
That is what makes it a prized possession for the black- and gray-hat community in general, whether they are classified as “exploit brokers”, “spyware vendors” or “nation-state hackers”. An informed end user is generally aware that she should not click on any malicious link. But sadly that caution alone won’t save her today.
Slowly but steadily, the zero-click zero-day has begun to evolve. US-based privacy rights researcher Christopher Soghoian’s pleas in 2012, beseeching the “security research community to blackball middlemen companies that trade in vulnerabilities and exploits to governments”, should at least now be seen as a prescient warning by right-thinking entities in the technology-security ecosystem.
In the context of the US, referring to a few of the companies in this line of business, like VUPEN, FinFisher and HackingTeam, he had said: “As soon as one of these weaponized zero-days sold to governments is obtained by a 'bad guy' and used to attack critical U.S. infrastructure, the shit will hit the fan…" (https://www.zdnet.com/article/0-day-exploit-middlemen-are-cowboys-ticking-bomb/).
While there are no easy solutions, at an abstract level we could take a cue from Ronald J. Deibert’s observations in the section “Retreat, Reform, Restraint” of his book RESET, which addresses a broader topic, Reclaiming the Internet for Civil Society, and apply them in the zero-day context too.
While he has rightly suggested the need to prioritise “security of the global communications ecosystem as a whole” which “is distributed, secure, and open”, his contention that this “would help pivot away from how it has been increasingly treated: as a “domain” to be fought over (and often seen as collateral damage) in the zero-sum game of interstate competition”, may be debatable.
But his views on having a “human-centric” approach to cybersecurity that attempts “indivisible network security on a planetary scale”, ensuring a robust monitoring mechanism “by multiple and overlapping forms of independent oversight and review”, and his emphasis on the need to promote “innovation around alternative means of communication” that maintains the advancements made so far “to connect individuals to each other” and helps tap into “vast stores of information”, yet prevents “manipulating them towards their basest instincts”, should find larger acceptance within the right-thinking tech community.
At an implementation level, difficult as it might be, there is no option but to bring like-minded entities together under one umbrella and arrive at a consensus on how to regulate the “zero-day space”, on the penalties to be imposed if any State crosses the line, and on the mechanism for enforcing them.
A focused approach to reducing zero-day circulation in the gray market could be a baby step. By calling off talks with the UAE “over a record £400m collaboration”, which was considered a “strategic partnership”, after reports of the Gulf State’s use of Pegasus surfaced, an academic institution like Cambridge University shows the way to larger entities.
This can be seen as an instance of a macro-level deterrence measure: isolating and calling out those States that encourage and wilfully indulge in leveraging these utilities inappropriately (https://www.theguardian.com/education/2021/oct/14/cambridge-university-halts-400m-deal-with-uae-over-pegasus-spyware-claims).
In the local context, as India’s dependence on digitization accelerates, be it through Government or corporate initiatives, and as the proliferation of smartphone ownership across the population eases the delivery of services to individuals, it is clear that it is not just the US that would be a “lucrative attack surface”, to borrow the words of cybersecurity journalist Nicole Perlroth.
Whether it is critical infrastructure that is likely to be impacted or the device of a citizen, the reach of the attack has been adequately demonstrated. With such a large digital footprint, it is imperative that we begin to realise the risk involved and the likely impact it can have on a growing economy. Our risk exposure would be no less than that of any of the large, technologically mature nations.
As a responsible democracy with an encouraging and expanding tech ecosystem, we should logically be the ones to participate in, if not lead, efforts to bring a semblance of order to this highly volatile, no-holds-barred, free-for-all, unregulated global market. Else, it is only a matter of time before a citizen, through no fault of his own, is stripped in every sense like Byron’s Mazeppa and forced to ride a more lethal and sophisticated variant of Pegasus in the not-so-distant future.
About the Author
Cdr K Ashok Menon (Retd) is a former Indian Naval Officer whose key assignments in the navy included Joint Director of Personnel (Information Systems) and Logistic Officer, INS Delhi. He also held different positions in the ILMS (Integrated Logistics Management System) Centres. Having sought premature retirement in 2006, he moved to the private sector, where he served in senior IT/Cyber Security roles in different MNCs. He currently runs his own software technology and consulting company.
(Views expressed are the author’s own and do not reflect the editorial policy of 'Mission Victory India')