"The attacks using spywares to hack data of people in power will soon become a trend," said Prasad T, Chief Information Security Officer, Instasafe, a cyber security solutions company, commenting on the investigation published by an Indian online news portal on Sunday, 18 July— which reveals that spyware Pegasus is believed to have targeted at least 40 Indian journalists.
The report by The Wire said that the leaked data includes the numbers of top journalists from well-known media organisations like the Hindustan Times, India Today, Network18, The Hindu and The Indian Express.
The Wire's analysis of the data shows that journalists were spied on between 2018 and 2019, in the run-up to the 2019 Lok Sabha general elections.
Using Pegasus Not Uncommon
Nikhil Pahwa, founder of Medianama, believes surveillance by governments using Pegasus is not uncommon.
"We've known about Pegasus since 2016. First known use in India that we know about was in Bhima Koregoan, allegedly by the Indian government," he said.
Pegasus, a product of Israeli cyberweapons company NSO Group, was earlier in the news in late 2019 for being used to hack into phones of roughly 1,400 users around the world, including 121 Indians.
The spyware can log your keystrokes, screenshot your screen, take control of your apps.
Pahwa alleges that the Indian government has used Pegasus to spy on noted people, as the company only sells to vetted governments.
Human Right Abuse
Prasad explains that Pegasus exploits the vulnerabilities of your mobile device operating system which makes it so powerful that it can extract information from all apps on your phone including iMessage, WhatsApp, Gmail, Viber, Facebook, Skype and locations.
WhatsApp head Will Cathcart on a Twitter thread said that "NSO’s dangerous spyware is used to commit horrible human rights abuses all around the world and it must be stopped".
Cathcart points out that in 2019, WhatsApp discovered and defeated an attack from NSO. "They rely on unknown vulnerabilities in mobile OSes, which is one of the reasons why we felt it was so important to raise awareness of what we'd found," he said.
"This is a wake up call for security on the internet. The mobile phone is the primary computer for billions of people. Governments and companies must do everything they can to make it as secure as possible. Our security and freedom depend on it," he added.
"To those who have proposed weakening end-to-end encryption: deliberately weakening security will have terrifying consequences for us all."Will Cathcart, WhatsApp Head
Meanwhile, Signal also took a dig at the government over new IT laws requiring messaging apps to break encryption, 'trace' chats and identify users in a conversation chain.
"Looks like the Indian government has been secretly attempting to surveil political Opposition leaders, journalists, activists... Interesting coincidence that they've also been advocating legislation to weaken encryption..." a tweet from the app's handle said.
The tweet had a link to a report by The Guardian, which alleged that Congress MP Rahul Gandhi was among potential targets of surveillance by the Narendra Modi led BJP government.
Are We Prepared for Such Attacks?
"It is not extremely difficult to design a spyware like Pegasus, if an Israel-based company can do it, this means that cyber attackers can do it as well," Prasad told The Quint.
Pegasus can be installed on a target’s phone in many ways, in some cases by sending infected links to targets (spear phishing), social engineering.
"What is extremely concerning is the use of Pegasus in future by terrorist organisations, the main question is are we prepared for any such attacks?," Prasad asked.
Echoing similar thoughts, Pahwa notes that cybersecurity threats and cyber surveillance are here to stay. "There is a weaponisation of cyberspace that is taking place at an alarming pace. We need the United Nations to step in. We need disarmament of the cyberspace," he said.
What's The Solution?
Experts believe that the solution to government surveillance – as is alleged in the Bhima Koregaon case – is not the privacy Bill, because it exempts the Indian government from accountability, but 'surveillance reform'.
"Our intelligence agencies need to be held accountable to Parliament. Usage of such software against parliamentarians and Indian citizens needs judicial sanction, and future declassification. Authorisation by a 'competent authority' is insufficient as long as this information is classified and is dangerous for democracy."Nikhil Pahwa, Medianama, Founder
Meanwhile, Prasad points out that the number of cybersurveillance and cybersecurity issues are only going to increase going forward.
It is also worthy noting that all the data retrieved using Pegasus spyware is stored in a server located in Israel. "It is safe to assume that all the data that is being tracked can be used by the Israel based company, which is another matter of concern", he adds.
Android Phones More Vulnerable
Speaking to The Quint, Prasad said that Apple has released a patch for protecting its devices from the Pegasus spyware attack, but android phones are more prone to vulnerability.
According to Citizen Lab, even a Factory Data Reset of the phone doesn’t get rid of the Pegasus spyware. It lets attackers continue to access your online accounts even after your device is no longer infected.
In order to ensure your online accounts are safe, you should also change the passwords of all the cloud-based applications and services that you were using on the infected device.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)