Olvid vs. Pegasus
July 7, 2021
The Pegasus affair has generated a lot of buzz in recent days, and Olvid has been questioned multiple times about it. Here, we shed light on this topic and, more generally, on the risks associated with using instant messengers, including those claiming to be secure.
What is Pegasus?
Pegasus is spyware sold for several years by NSO Group to various states around the world, with the aim of monitoring specific targets (journalists, activists, politicians, etc.).
Given nothing more than a phone number, this software can infect an Android or iOS smartphone without any action from the user (a so-called "zero-click" infection) and place it under surveillance. To do so, it relies on "zero-day" vulnerabilities in the operating systems, meaning vulnerabilities unknown to the vendors, which let it "escalate its privileges" until it holds the same access rights as the operating system itself. In practice, the software can therefore read everything displayed on the smartphone, everything the user types, everything stored on it (including the private data of applications and the browsing history), and every sensor of the device (microphone, geolocation, etc.). Its role is then to relay the collected information to the state that commissioned the operation.
How do I know if my smartphone has been infected by Pegasus?
Pegasus's strength, and what allowed it to remain undetected for so long, is precisely its ability to leave almost no trace. It is therefore impossible for the general public to know on their own whether they have been infected. Some specialized companies (like Tehtris in France) are now able to analyze the contents of a smartphone and look for traces of Pegasus.
For those with sufficient technical skills (or who know someone who can help), the open-source tool MVT (Mobile Verification Toolkit) published by Amnesty International Security Lab allows you to search for traces of infection on your smartphone. If you have any doubts, it's worth trying this tool.
However, Pegasus is designed to evolve, and what makes it detectable today could disappear in the future.
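What MVT actually does on an extracted backup is compare artifacts (SMS bodies, Safari history, process names, etc.) against indicators of compromise distributed as STIX2 bundles. The example below is added here and is not MVT's code or Olvid's; it reproduces that matching logic in miniature so the reader can see what a "hit" means. The STIX2 bundle and the SMS/Safari records are constructed inline, and the indicator domain is a reserved .example name, not a real Pegasus indicator.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2-style bundle, laid out like the indicator files MVT loads
# with --iocs. The domain is a reserved .example name, not a real indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "name": "constructed-domain",
         "pattern": "[domain-name:value = 'bad-c2.example']"},
        {"type": "indicator", "name": "constructed-process",
         "pattern": "[process:name = 'fakeproc']"},
    ],
})

# Constructed records in the shape of what an iOS backup yields: SMS/iMessage
# bodies and Safari history entries, each with a timestamp and a source.
SAMPLE_RECORDS = [
    {"source": "sms", "timestamp": "2021-06-01 09:12:44",
     "text": "Your parcel: https://track.parcel.example/item/42"},
    {"source": "sms", "timestamp": "2021-06-03 22:05:01",
     "text": "Breaking: http://news.bad-c2.example/a/7f3"},
    {"source": "safari_history", "timestamp": "2021-06-03 22:05:09",
     "url": "https://bad-c2.example/redir?x=1"},
    {"source": "safari_history", "timestamp": "2021-06-04 08:00:00",
     "url": "https://www.wikipedia.org/"},
]

# Minimal STIX pattern parser: [kind:property = 'value']
PATTERN_RE = re.compile(
    r"\[(?P<kind>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']+)'\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def load_iocs(bundle_json):
    """Return {kind: set(values)}, e.g. {'domain-name': {...}, 'process': {...}}."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if m:
            iocs.setdefault(m.group("kind"), set()).add(m.group("value").lower())
    return iocs


def domain_matches(host, domains):
    """Exact or subdomain match: a hit on x.bad-c2.example counts as well."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_records(records, iocs):
    """Pull URLs out of each record and report the ones whose host is an IOC."""
    domains = iocs.get("domain-name", set())
    hits = []
    for rec in records:
        urls = [rec["url"]] if "url" in rec else URL_RE.findall(rec.get("text", ""))
        for u in urls:
            host = urlparse(u).hostname or ""
            if domain_matches(host, domains):
                hits.append({"source": rec["source"], "timestamp": rec["timestamp"],
                             "url": u, "matched": host})
    return hits


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, load_iocs(SAMPLE_BUNDLE)):
        print(hit)
```

With the real tool, the equivalent step is `mvt-ios check-backup --iocs <pegasus.stix2> --output <dir> <backup>` on a full (ideally encrypted) iTunes backup, with the indicator file taken from Amnesty's published investigation. Two consequences follow from this design and are worth keeping in mind: a match is only as good as the indicator list, and the absence of a match proves nothing about a sample whose domains are not yet in the list.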
What to do if I have been infected, or if I think I have been targeted?
While detecting the presence of malware is difficult, guaranteeing its removal is generally even harder. Pegasus is no exception.
To our knowledge, Pegasus software only exploits software vulnerabilities. It is therefore "sufficient" to reinstall the operating system of your smartphone to clean it. Note that restoring factory settings is not necessarily enough. On an iPhone, for example, you need to put the device in recovery mode and reset it from a computer (see https://support.apple.com/en-us/HT201263).
Be careful, though: some malware exploits hardware or firmware weaknesses. LoJax, for example (see the nolimitsecu episode on the subject), survives a complete Windows reinstallation because it installs itself in the machine's UEFI firmware (the "BIOS" level). In such cases, the simplest cleaning method is to buy a new machine. It is not impossible that Pegasus could one day exploit vulnerabilities of this kind, which would then require changing phones after an infection.
How to avoid getting infected or re-infected?
First, let's keep in mind that Pegasus is not a mass surveillance tool but a targeted attack tool. Most of us therefore have no reason to be alarmed. However, the list at the heart of the Pegasus affair contains some 50,000 phone numbers, so many people have reasons to feel concerned, and it is not impossible that other tools similar to Pegasus operate on a larger scale.
To understand how to protect yourself, you need to study Pegasus's infection methods. Not all infection methods are yet known, but the main ones are:
- the reception of an SMS, WhatsApp message, etc. containing a viral payload
- connecting to a malicious WiFi network
- physical access to the phone for manual installation
The last two vectors require physical proximity, which makes them much harder to pull off but also almost impossible for the target to guard against. The rest of this article therefore focuses on protecting against the first vector.
As demonstrated by the leaked file in the Pegasus affair, targets were identified by their phone number. The majority of messaging apps (WhatsApp, Signal, Telegram, etc.), like SMS, allow you to receive content from anyone, without consent, as long as they know your phone number. These are therefore ideal vectors for exploiting vulnerabilities.
A drastic solution would be to cut yourself off from the rest of the world and ask your loved ones to do the same. This solution is of course not realistic today. Less radical methods can limit the risks, as we indicate in the best practices, but concessions will have to be made.
Best practices for staying connected, without risk, with Olvid
To limit infection risks
Disable or uninstall anything that allows you to receive "rich content" unsolicited
A malware's viral payload generally does not travel in a plain text message but in a multimedia file (photo, video, voice message, etc.) that exploits a vulnerability in the library that decodes or parses it, or in a link to a malicious site.
Therefore, you must uninstall and stop using any means of communication that allows you to receive such content unsolicited, especially when your phone number is sufficient to send you content. Among the most obvious examples: WhatsApp and Telegram.
You can, however, continue to use Olvid, whose security model guarantees that you can stay connected while fully protecting yourself from unsolicited messages. One of Olvid's peculiarities, fundamental for protecting against Pegasus, is that it does not use your phone number as an identifier and provides a cryptographic guarantee on the origin of the messages you receive.
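The security-relevant point in the paragraph above is ordering: with a phone-number messenger, a message from a stranger is decoded by the media parsers before anyone has decided whether the stranger should be allowed to talk to you, so the parser is exposed to the whole world. The example below, added here and not Olvid's code, shows the alternative: check the origin first, and only hand the bytes to the (fragile) decoder when the sender is an established contact. Olvid uses public-key signatures for this; the example simplifies to a per-contact HMAC key assumed to have been exchanged out of band (a QR scan or an in-person code), and the "media format" is a constructed four-byte tag followed by a body.

```python
import hashlib
import hmac
import os


def new_contact_store():
    """contact id -> authentication key established out of band (assumption)."""
    return {}


def add_contact(store, contact_id):
    key = os.urandom(32)
    store[contact_id] = key
    return key


def seal(sender_id, key, media_bytes):
    """Sender side: bind the payload to the sender with a tag under the shared key."""
    tag = hmac.new(key, sender_id.encode() + media_bytes, hashlib.sha256).digest()
    return {"sender": sender_id, "tag": tag, "payload": media_bytes}


def decode_media(payload):
    """Stand-in for the image/video/voice decoder that a viral payload targets.
    Everything reaching this function is attack surface, so the receiver only
    calls it for authenticated senders. Constructed format: 4-byte tag + body."""
    if len(payload) < 4:
        raise ValueError("truncated media")
    return payload[:4].decode("ascii"), payload[4:]


def new_stats():
    return {"accepted": 0, "dropped_unknown": 0, "dropped_bad_tag": 0}


def receive(store, envelope, stats):
    """Authenticate, then parse. Unknown or forged senders never reach decode_media."""
    sender = envelope["sender"]
    key = store.get(sender)
    if key is None:
        stats["dropped_unknown"] += 1      # unsolicited: discarded before parsing
        return None
    expected = hmac.new(key, sender.encode() + envelope["payload"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        stats["dropped_bad_tag"] += 1      # known name, but forged or tampered content
        return None
    stats["accepted"] += 1
    return decode_media(envelope["payload"])


if __name__ == "__main__":
    store, stats = new_contact_store(), new_stats()
    alice_key = add_contact(store, "alice")
    print(receive(store, seal("alice", alice_key, b"IMG:hello"), stats))
    print(receive(store, seal("stranger", os.urandom(32), b"VID:payload"), stats))
    print(stats)
```

Note what this does and does not buy you: a parser bug in the decoder is still a parser bug, but it can only be triggered by someone you have already chosen to trust, which removes the "any phone number in the world" attack model that Pegasus's SMS and WhatsApp vectors depend on.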
Avoid using directory-based communication methods
We have talked a lot about the phone number as a way to target a specific smartphone, but more generally, any system that lets an attacker easily look up your "digital identity" in order to contact you presents the same risk. The other mainstream end-to-end encrypted messaging apps all rely on a directory that anyone can query to initiate a communication. This may seem very practical at first glance (it is what allows WhatsApp to discover your friends after slurping up your address book), but it is a monumental security flaw.
Not only does this directory pose a problem in terms of personal data collection, but the Pegasus affair highlights the real flaw it represents.
Olvid is the only messaging app providing a real guarantee on the authenticity and confidentiality of your communications, without relying on a centralized directory. This leads us to make the following recommendation.
Separate the "smart" part from the "phone" part
If your activity requires you to share a "public" phone number to receive phone calls from people you don't know beforehand, we recommend using two phones: a first one dedicated to telephony (ideally an old GSM that won't leak any information) and a smartphone.
Your smartphone then only needs a SIM card for mobile Internet access. To ensure its number is never disclosed, do not install any messaging app that asks for it; otherwise it would effectively become public, as demonstrated in an article by a group of researchers from the universities of Würzburg and Darmstadt on the abuse of contact discovery.
Your smartphone can also work without a SIM, on WiFi only (beware of malicious networks, however), or through a standalone 4G dongle or hotspot. Be wary of tethering (connection sharing), as it is not impossible that Pegasus could spread that way.
Olvid does not access your phone number and therefore cannot disclose it (Olvid also works on tablets, or on a phone without a SIM). We therefore recommend its installation on your smartphone.
If you are Emmanuel Macron, we even go a little further and recommend regularly changing your smartphone's SIM (or SIMs). This will have no impact on the use of Olvid.
To limit the impact of an infection
Regularly reset your phone
If you are part of a high-risk population, we also recommend regularly resetting your phone. As if you had been infected, perform a complete reset of your phone's operating system. For example, if you are a journalist, do it before going on a mission abroad, and upon your return.
To recover your Olvid contacts after reinstallation, you only need to restore a backup of your Olvid contact list. Be careful not to use any other backup method (especially received attachments), since it could contain a viral payload and reinfect the phone. This is also one of the reasons Olvid backups contain neither messages nor attachments.
Limit data lifespan on your smartphone
In the unfortunate event that you are targeted and infected, the ideal is to limit as much as possible the information the malware will have access to. And since Pegasus has access to everything on the phone, it is essential to regularly delete what is on it. You should prioritize tools that allow you to automate this cleaning process because it is illusory to expect to do it correctly if done manually.
Again, Olvid comes to your aid via two complementary mechanisms:
- the three types of ephemeral messages that guarantee the deletion (on your device and on recipients' devices) of messages
- retention policies that allow you to finely configure how long messages are kept on your phone
In addition, the "perfect forward secrecy" property of Olvid's encryption guarantees that a compromise at time T reveals nothing about messages exchanged before T, provided they have already been deleted from the device: the key material that protected them can no longer be derived from what the attacker obtains.
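The two mechanisms above are complementary, and the way they combine is easy to get wrong in one's head: forward secrecy protects the ciphertext an attacker may have captured earlier, and retention limits the plaintext still sitting on the phone. The example below, added here and not Olvid's protocol or code, models both with a toy symmetric key ratchet (each message key is derived from a chain key that is then advanced through a one-way hash and erased) and a retention sweep, then shows what an attacker who obtains a full snapshot of the device at time T can and cannot decrypt. The root key, cipher (a SHA-256 keystream XOR) and message timestamps are all constructed for the illustration.

```python
import hashlib


def kdf(label, key):
    """One-way derivation: knowing the output reveals nothing about the input key."""
    return hashlib.sha256(label + key).digest()


def xor_keystream(key, data):
    """Toy stream cipher for the illustration (not Olvid's cipher). Symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Ratchet:
    """Symmetric ratchet: message key i comes from chain key i, then the chain advances."""
    def __init__(self, root_key):
        self.chain_key = root_key
        self.seq = 0

    def step(self):
        mk = kdf(b"msg", self.chain_key)
        self.chain_key = kdf(b"chain", self.chain_key)   # previous chain key is erased
        self.seq += 1
        return mk


class Device:
    """Receiving phone: ratchet state plus a store governed by a retention policy."""
    def __init__(self, root_key, max_age_s):
        self.ratchet = Ratchet(root_key)
        self.max_age_s = max_age_s
        self.store = []            # (seq, received_at, plaintext)

    def receive(self, ciphertext, now):
        mk = self.ratchet.step()
        self.store.append((self.ratchet.seq, now, xor_keystream(mk, ciphertext)))

    def sweep(self, now):
        """Retention policy: drop plaintexts older than max_age_s. Returns count removed."""
        before = len(self.store)
        self.store = [m for m in self.store if now - m[1] < self.max_age_s]
        return before - len(self.store)

    def snapshot(self):
        """Everything spyware with full device access sees at the moment of compromise."""
        return {"chain_key": self.ratchet.chain_key, "seq": self.ratchet.seq,
                "plaintexts": [m[2] for m in self.store]}


def sender_encrypt(ratchet, plaintext):
    return xor_keystream(ratchet.step(), plaintext)


def attacker_decrypt(snapshot, captured):
    """Given a compromise snapshot and captured (seq, ciphertext) pairs, recover what
    the ratchet allows: only messages numbered after the snapshot's seq."""
    recovered = {}
    for seq, ct in captured:
        if seq <= snapshot["seq"]:
            continue                      # its key was derived and erased before T
        r = Ratchet(snapshot["chain_key"])
        mk = None
        for _ in range(seq - snapshot["seq"]):
            mk = r.step()
        recovered[seq] = xor_keystream(mk, ct)
    return recovered


if __name__ == "__main__":
    root = b"\x01" * 32
    alice, bob = Ratchet(root), Device(root, max_age_s=3600)
    c1 = sender_encrypt(alice, b"old secret"); bob.receive(c1, now=0)
    c2 = sender_encrypt(alice, b"recent");     bob.receive(c2, now=3000)
    bob.sweep(now=4000)
    snap = bob.snapshot()                       # compromise at T = 4000
    c3 = sender_encrypt(alice, b"future")
    print(snap["plaintexts"], attacker_decrypt(snap, [(1, c1), (3, c3)]))
```

The outcome is the honest one: the expired message is gone from the store and its key cannot be recomputed from the chain key the attacker holds, the message still within its retention window is readable in the clear, and every message from T onward is readable too. Retention therefore bounds how far back a compromise reaches, and nothing in the protocol limits how far forward it reaches once the device is owned.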
Conclusion
Tools that use a public identifier to allow anyone to contact you are a particularly dangerous attack vector in the context of Pegasus. They allow for the industrialization of targeted espionage techniques.
Olvid is the only instant messaging app combining the ease of use of a consumer tool with the security of a product certified by ANSSI. The Pegasus affair once again shows us that the security of your data is not a subject to be taken lightly.
If you believe you are part of a high-risk population, we are at your disposal to help you.
Acknowledgements
Thanks to @BarbossHack for the link on MVT.
Find and share the French version here: https://olvid.io/articles/pegasus/fr/.