
Pegasus by Laurent Richard and Sandrine Rigaud 2023
This book is an exposé written by two senior journalists at the long-form news entity Forbidden Stories in Paris, France. Thanks to some serious hacking talent, this outfit was apprised—in about 2021—of a list of fifty thousand telephone numbers from all over the world. The list contained telephone numbers and dates of attempted cyber intrusion attacks for purposes of surveillance.
The outfit that created the software and other parts of the architecture to do this work was an Israeli company called NSO, the initials of the three founders. The software was Pegasus. NSO sold their software to governments who were supposed to use it to help apprehend criminals and terrorists—we’ve all heard that before, right—but besides those uses, most of these governments (almost all autocratic), including Israel, used it to monitor political opposition figures, journalists, and others who just happened not to favor the regime in power. The Moroccan government, for example, was keeping a close eye on virtually the entire French executive, including the president.
Surveillance software had been around before Pegasus, but most of it focused on computers. NSO was the first (roughly 2012) to recognize that everything important was shifting to the smartphone. Like other hacks, surveillance by Pegasus would begin with a user clicking on a link that then downloads software, triggering the rest of the infection chain. This process should be familiar to anyone today. However, NSO added another twist in 2017, known as “zero-click intrusion.” That meant the phone only had to be on to be invaded. The user doesn’t need to click on anything.
Once onboard the phone, Pegasus could acquire “root authority” and essentially operate every app on the phone. After offloading the phone’s logs, images, emails, texts, and recordings onto client servers, Pegasus deleted itself to avoid detection. Once zero-click intrusion became available, the Pegasus user could re-access the phone and download its latest data at any time they wished.
Users would not know of the intrusion. The software could also deliver other malware, such as ransomware attacks, or monitor conversations in real-time, among other things. For example, your government might want to imprison you, but you haven’t committed any crime. They could use Pegasus to put some child porn on your phone in a folder they create. They arrest you, confiscate your phone, and voila, discover the criminal evidence.
The book gives few details, but it says enough to understand that zero-click attacks are not trivial. Some app on your phone (we all have dozens) must have an exploitable weakness. It was the job of the NSO programmers to find these exploits and update their customer software when phone manufacturers found and closed any particular loophole.
The target apps with the greatest potential for attack are those that receive data from the telephone network and then perform an action without requiring user intervention. Every app that notifies you of something (such as texts, emails, or alerts of all kinds, including weather applications) can be an infection vector, but they are not alone. How many apps do we run that do not need access to our microphone, camera, or contact list, yet default—on installation—to having such access?
To make a successful attack, the attacker must have your phone number. What kind of phone you have (every OS has different vulnerabilities) also makes a difference, but Pegasus could look for all of them. Client updates to Pegasus likely contained an extensive library of the various hacks needed for any given vulnerable app on every kind of phone. If, starting with your phone number, one attack fails, Pegasus tries again. Eventually, it finds an app on that target’s phone that lets it in.
All of these revelations about the capabilities of Pegasus are scattered throughout the story, which focuses on the people who figured out how to detect prior infection (Pegasus deletes itself when finished culling your data, but as it happens, it leaves a few illegitimate process names in the phone’s logs), the process of proving prior infections on hundreds of phones in the original list of fifty thousand (mostly journalists and a few political opponents of various regimes), the journalists themselves (a multi-continental collaboration that miraculously maintained its secrecy until their stories were simultaneously released), and the NSO company.
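The detection idea the book describes, unexpected process names left behind in a phone’s logs, checked around the dates from the leaked list, can be sketched as a baseline comparison. This is an added illustration, not code from the book or from any real forensic tool; the baseline names, log lines, process names and dates are all constructed placeholders.

```python
"""
Constructed example: flag process names in phone logs that are absent from a
known-good baseline, and correlate them with a leaked attempt date.
Nothing here is a real indicator; all names and dates are placeholders.
"""
from datetime import datetime, timedelta

# Constructed baseline of process names expected on this hypothetical phone.
BASELINE = {"launchd", "SpringBoard", "mediaserverd", "imagent", "locationd"}

# Constructed log lines in the form "<ISO timestamp> <process name> <event>".
SAMPLE_LOG = """\
2021-05-10T09:14:02 launchd start
2021-05-11T21:03:44 imagent message
2021-05-11T21:03:45 unknownproc_a start
2021-05-11T21:03:59 unknownproc_a exit
2021-05-12T08:00:01 mediaserverd start
2021-06-01T12:00:00 unknownproc_b start
"""


def parse_log(text):
    """Turn log text into (timestamp, process, event) tuples."""
    entries = []
    for line in text.splitlines():
        ts, proc, event = line.split(maxsplit=2)
        entries.append((datetime.fromisoformat(ts), proc, event))
    return entries


def unknown_processes(entries, baseline=BASELINE):
    """Every (timestamp, name) whose name is not in the baseline."""
    return [(ts, p) for ts, p, _ in entries if p not in baseline]


def correlate(entries, attempt_date, window_days=1, baseline=BASELINE):
    """Unknown process names seen within window_days of a leaked attempt date."""
    lo = attempt_date - timedelta(days=window_days)
    hi = attempt_date + timedelta(days=window_days)
    return sorted({p for ts, p in unknown_processes(entries, baseline)
                   if lo <= ts <= hi})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # Constructed attempt date taken from a hypothetical leaked record.
    print(correlate(log, datetime(2021, 5, 11)))
```

A real investigation would build the baseline from many clean devices of the same model and OS version, since a single unfamiliar name proves nothing on its own.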
So what happened when all of this got out? As one might easily predict, very little. The NSO company was destroyed, but the talent that created the technology merely scattered to other places—some paid obscene salaries—and duplicated the tech for their new employers. There are now numerous Pegasus clones worldwide.
Supposedly, the Israeli government did not permit Pegasus sales to Russia, China, North Korea, or Iran (they allowed sales to Saudi Arabia). However, China has undoubtedly had this ability (developed in China [see NOTE]) for years now (see We Have Been Harmonized by Kai Strittmatter, 2019), and there is no reason to believe that, in 2025, the other three do not also possess it. In the U.S., the NSA surely has this ability. They are building (or is it operational?) the world’s largest data center for a reason after all.
NOTE: Unique among nations of the world, China, and likely also North Korea, have no need for zero-click technology based on vulnerabilities. The Chinese and North Korean States have the power to mandate that all phones sold in their respective countries come with a built-in, non-removable app that allows the government to access the phone at any time.