Pegasus is a SaaS-style platform sold to nation state actors, criminal groups and other evil conspirators that want to spy on victim targets. NSO Group (or whatever they are called at the moment) acquires a variety of 0-day exploits for different phone vendors and models, both by developing their own and by buying them from black hats that make a living developing these and selling to the highest bidder.
There is not a single “Pegasus exploit” but a whole array of them where the one that is used is selected based on the victim and target device. Naturally, when one exploit is discovered and fixed by the phone vendor, it cannot be used again on patched devices and new exploits have to be acquired.
One of the exploits that are known to have been used with Pegasus is indeed the iMessage 0-click vulnerability reported by the Google Zero initiative, but it didn’t require any user interaction. You only needed the victim device to receive the message with the exploit payload.
Sometimes, nation states themselves buy or develop 0-day exploits that are not reported to the software vendor, in the hope that they can be weaponized instead. See for example the “Stuxnet” attack against Iran, which was carried out by the USA and Israel using a critical vulnerability in Windows that had been unknown to the public for about a decade (which means that anybody else who found it during this time could use it against the general public as a consequence of it being kept secret).
Need to say what phone models he used
I’ve seen remote hacks with Pegasus with three different models and ROMs, including a stock Pixel.
No one is safe. Except with TempleOS, maybe.
What about Murena? I wonder if it can defeat Pegasus’s hacks.
That said, if I was going to criticise a violent regime like the House of Saud I’d be using a burner phone, and not accepting random messages.
The Pegasus hack reportedly uses an exploit in iMessage to execute unauthorised code.
It says iPhone in the top image caption.
Oh shit so it does. Thanks