In the wake of the “Pegasus Project” revelation that nearly 200 journalists around the world have been Pegasus spyware targets, Reporters Without Borders (RSF) has compiled recommendations for journalists who could themselves be the targets of those who buy this high-performance surveillance software.
Pegasus’s strength is due above all to the fact that, “there is no effective way for a user to counter this type of attack,” explains Claudio Guarnieri, an IT security expert at Amnesty International’s Security Lab. Designed by the Israeli company NSO Group, this high-performance spyware is capable of sucking up a phone’s entire content – messages, emails, photos, contacts and so on – without requiring any particular user action and without leaving easily detectable traces.
As they cannot guard against such an attack, journalists working on sensitive subjects in connection with any of NSO Group’s 11 known governmental clients (the governments of Mexico, India, Morocco, Indonesia, Saudi Arabia, United Arab Emirates, Kazakhstan, Azerbaijan, Togo, Rwanda and Hungary) should take the following steps if they suspect a potential Pegasus infection:
• Stop using your smartphone at once and buy a new one to continue communicating. Keep the potentially infected device as evidence but keep it far away from yourself and your work environment.
• Disconnect all accounts from the potentially infected phone and change all the passwords from another device.
• Contact Forbidden Stories or IT experts such as those at Amnesty International’s Security Lab to see if your number is on the leaked list of 50,000 numbers. The Amnesty International expert group has also developed a tool, the Mobile Verification Toolkit (MVT), which can be used to find out if a smartphone has been infected with Pegasus. Note that its use requires good IT skills. Journalists can also send their phone number to Share@amnesty.tech to be checked.
• If you cannot replace your phone:
• Restart the phone. Amnesty’s experts have established that, on an iPhone, a restart can temporarily stop Pegasus from functioning on iOS.
• Perform a factory reset of the smartphone even if this does not guarantee Pegasus’s removal. Note that this may also destroy evidence of an infection.
• Update the system software and all of the apps on the phone.
• Remove all unknown devices connected to the various messaging and online account apps (Signal, WhatsApp, Twitter, Facebook, etc.).
• Compile a list all the passwords that have been entered and stored in the smartphone. Then change them and never reuse the old ones.
If any of your close contacts has been infected, they should follow the same recommendations.
While there is to date no reliable countermeasure against Pegasus, certain actions and good practices can complicate the task of spyware trying to access a journalist’s smartphone:
Secure your smartphone:
• Protect your smartphone with a PIN. Use a six-digit PIN at least or, even better, a strong and unique sentence (different from your other passwords). Using an easy PIN such as “0000” or “1234” or your date of birth – whether for the phone itself or the SIM card – provides absolutely no security.
• Update the smartphone’s system software frequently.
• Install a VPN. (But be aware that a VPN does not protect against certain types of attack.)
• Install antivirus software (Avast, McAfee or Kaspersky).
• Delete apps that are not used.
• Turn your smartphone off at least once a day. This simple measure may be enough to thwart the operation of many spyware apps.
Secure your messaging service and social media accounts:
• Enable two-factor authentication on your most important accounts (Twitter, Google, Facebook, etc.).
• Disable iMessage and FaceTime (which are known to be Pegasus points of entry).
• Avoid using Google Home or any other voice assistant.
• On an iPhone, uninstall such Apple apps as Apple Music, FaceTime, iMessage and Mail. Note that you must disable iMessage before uninstalling it.
When using your smartphone:
• Whenever possible, use a VPN when browsing the Internet.
• Never click on links in a message from an unknown number.
• Do not use Wi-Fi in unreliable places, or use it only after previously activating your VPN.
• Only install apps from the App Store (on an iPhone) or Google Play (on an Android phone).
• Block notifications and requests for permission to access the address book.
• Do not allow your smartphone to save passwords. Use a secure password manager such as LastPass.
• Use Signal to communicate with your sources. For journalists dealing with very sensitive information, it may be a good idea to use a phone that is not connected to the Internet – an old mobile phone or a smartphone with no access to data.
Other useful resources:
• The Access Now digital security helpline can diagnose your problems and provide helpful technical advice in nine languages.
• The Digital First Aid Kit gives advice about a device that is behaving suspiciously, as does Surveillance Self-Defence. – Reporter’s Without Borders