What is Pegasus, and How Does it Spy on You?

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello my name is gary sims and this is gary explains now government-sponsored cyber surveillance is in the news again following an expose in the uk's guardian newspaper talking about a piece of malware called pegasus which is allowing government around the world to spy on people turning their smartphones into effectively fully fledged civilian devices that can record audio record video look at the photos they've got look at the messages they've got and so on then i want to look at what is pegasus how does it work how does it infect phones and what can you do maybe to protect yourself well if you want to find out more please let me explain now pegasus is probably the most sophisticated piece of malware that we know about now it's made by a company called the nso group and they only sell it to governments the idea is meant to be used in a fight against terrorism now the expose in the guardian has found some leaked information that shows that some of these governments that are using pegasus are not just targeting terrorists but also people of interest that may align or not align with their political plans and of course this is causing a big stir around the world i don't want to get into the politics of it what i want to look at though is how does pegasus work and what does it do now the earliest versions of pegasus have been seen since 2016 so we knew about its existence however it's becoming more and more powerful and more and more capable and at its fully fledged capabilities it's able to basically turn any smartphone android or ios into a full surveillance device that means it can look at the messages it can record phone calls it can record audio through the microphone it can make video it can take photos you can look at the photos that are already on the device and so on it can even access location data now if you combine all those things together basically the person carrying the phone is basically taking whichever government it is that's spying on them around with them everywhere they go and showing them everything that they are doing now this kind of technology does not come cheap if you want to license pegasus and you want to use it as a government you need to pay millions of dollars not even hundreds of thousands millions of dollars to get your hands on this tech now all software has bugs it's a fact and the more complex that software is the more bugs there are in fact there are metrics where you can measure the number of bugs versus the size of any particular project now most bugs are just an inconvenience you try to use a piece of software to do something and it doesn't quite work or when the data isn't quite what they expect it doesn't work in the way expect the ui has got a glitch that kind of thing and they basically they get fixed in the next kind of point release where they roll out an update and all that thing that was annoying you is now working isn't that great however there are a category of bugs that are very very serious and they are security related bugs now security related bugs exist everywhere they exist in android they exist in ios they exist in windows they exist in linux the existing mac os they exist absolutely everywhere they exist in applications themselves they exist in network services they exist in the servers that are running all the stuff we're doing they are absolutely everywhere and the reason they are serious is because once you can breach the security then you have unauthorized access and of course pegas is all about unauthorized access to gain access to things that they shouldn't have access to now a lot of companies treat these security bugs very seriously for example google has a vulnerability reward program where if you can find a problem in android or in chrome or in the play store and demonstrate that using that bug you are able to bypass some kind of security mechanism they'll give you money they'll pay you for your time and there are actual professional researchers who spend their time trying to crack into a chrome and into android and into ios and into amazon's web services and into windows stuff and the companies like google and microsoft and amazon they pay the money for the things that they have found out in fact in 2020 google paid out 6.7 million dollars to people who had found different security errors in android chrome and so on the problem is there are more errors more bugs than there are security researchers and there are some security researchers like those at nso that do the research find the bug and then don't tell google they don't tell apple they don't tell microsoft they keep it for themselves in fact nso group has also been known to buy such bugs off people paying more than google would pay paying more than apple would pay and then keep that bug for themself now pegasus works using what's called zero-day vulnerabilities now a zero-day vulnerability is a bug that a group like nso group know about people know about but the authors don't know about so a bug that they know about that google don't know or they know about and apple don't know and it's called a zero day vulnerability because the vendor the author of the software has had exactly zero days in which it's been able to tackle and address and fix this particular problem why zero days because they don't know about it it's a hidden bug that some people know about but the manufacturer the oem the vendor the author doesn't know anything about it now when you have a hidden bug that you're able to exploit so first we need to find a problem then you need to exploit it and then using that exploit you want to gain privileges gain access that you can't normally have and that's what pegasus does it finds what are weaknesses in android devices in ios devices and then able to worm its way into that device and then bypassing the normal security bypassing the normal checks that apple and google have inside their operating systems it's able to kind of secrete itself in there and then start its spying activities and it will open up a network connection back to a server somewhere that's passing back the photos passing back the audio recordings so the people running it can actually then see and hear what's going on around the person that's being targeted everyone downloaded again that i'm not looking at the politics of this i'm not looking at the ethics of it or the morals of it i'm just looking at the technology now for pegasus to get onto a device it needs what's known as an attack vector there has to be a way in which the attack can be launched to target that device now the most obvious method for starting the attack is via a link so a link is sent via an sms or an imessage or a whatsapp message and then the user unbelievably clicks on it because they think it's to do with their banking or a credit card or something like that a delivery of a parcel even okay and then they click on it and in fact what actually happens it takes them to a website which then probably redirects them to somewhere more well-known like the uh their online bank or something but in that first redirect it actually started to download something onto their device and then that payload its job was to start to exploit the zero-day vulnerability unfortunately there are some examples what they call zero click exploits where they're actually able to target device without the user doing anything without even clicking on something back in 2019 there were some errors on facetime on the iphone that allowed pegasus to install itself just by initiating a call towards that device apple then did fix those errors but there was a period as far as understanding about three months where pegasus was able to install itself on devices and then the user had no idea they didn't even click on a suspicious link it just happened and of course that's why we have this kind of cat and mouse game between apple and google and so on and then the people like the nso group who are trying to find these exploits and these vulnerabilities and they're always trying to do one uh better than the other now let's look quickly at how you might be able to protect yourself against malware like pegasus however i will say to you from the beginning if you are being targeted by a government agency that has in its hands tools like pegasus or other tools that exist then there's pretty much little chance you've got of protecting yourself that's just a fact it might sound scary but that's actually how it is now there are a few things that you can do and the most drastic is toss your smartphone in the bin if you are involved in any kind of activity that could be targeted by a regime or a government that you are somehow talking against or doing something against then you need to toss your smartphone away because if by doing that you've taken away that level of access now they may have other tools at their hands you know old-fashioned feet on the streets and cameras and so on but in terms of your smartphone it's absolutely not a way forward another thing of course you can do is leave your smartphone at home when you go out so that way if you do go to meet somebody if you do go to a meeting if you do get involved in something then they're not able to track what you're doing from your smartphone because it isn't with you it's not being carried on your person and then maybe another possibility we do things like to disable the camera and there's a very famous video by uh edward snowden showing how you can literally just take the camera out of a smartphone so therefore if it ever does get infected it can't use that particular thing however that in itself is not a full protection because other things like your calls and your emails are also still exposed when using things like pegasus now if you don't think your life is in that much of a drastic danger from some kind of authoritarian regime then there are other things that you can do the most important is to always keep your phone up to date so when google or apple or other people do discover an error in their software they will release a patch and that patch will fix the problem and so whenever new versions come out of android whenever new versions of ios come out you need to upgrade your device now with apple that's fairly simple because apple support their devices within a certain window if you have a support device it will get an update with android it can be a bit more tricky some vendors are very good at sending out the updates others are a bit more lackadaisical if you really want to be sure then you get yourself a pixel phone from google because they are the ones that get the first update so you know you always got the latest and greatest now another thing that you can really really help is do not click on suspicious links never never be tempted don't look at it and go well maybe it's okay if there's even a tiny tiny doubt in your mind but why did you suddenly get that message why are they sending that message about this parcel that hasn't been delivered or this thing to do with your bank you didn't know anything about that don't click on it whatever you do don't click just delete the message if it's important you will get contacted another way by phone by by letter by whatever do not click on the link clicking on links is the biggest way that malware gets onto our devices and it's also worth pointing out if you are using an android device or you're using a an iphone that's been jailbreaked do not install third-party apps because you don't know what you're getting they may say oh this is just a mirror of you know angry birds but it's not it's actually a version of angry birds with something else built into it and you've got no guarantee no way of checking that what you're clicking on and downloading is actually the genuine thing it's most likely got some kind of malware in it and the worst case it could have something a sophisticated as pegasus in it and the last thing to mention is if you are an iphone user don't rest in a kind of complacency thinking that iphone is more secure than android it's not i have a video here on this channel from 2019 talking about how the chinese government was using iphones to target certain uh ethnic groups in china for exactly the same thing for spying and for seeing what they were up to now i've got a written article that goes with this and in that article actually look at the number of bugs critical bugs that are in ios that are in android and compare the two of them and while apple does do a better job in certain areas it's certainly not like you know zero versus a thousand i mean we're talking that both devices have had and always will have uh serious vulnerabilities that can bypass the most basic levels of the security and those are being used by pegasus for android and for ios to enable this spying by state sponsored surveillance groups and let's just bring this to a light-hearted end watch this clip and detective leave your phone on when you talk to congressman alan you can hear me all the time yes and i'm hearing rather too much of your lower intestine could you possibly move your phone from your belt to your jacket pocket okay so ultimately we don't need to lose our heads you're probably not being targeted however the fact that these groups are targeting normal people business leaders union leaders religious leaders and it seems to be their friends or their family then you do need to be at least aware that maybe if there is someone in your family that is a human rights activist a human rights lawyer then just because you're not that person doesn't mean that the government that's looking to get to them is not going to go through you and your device so always be aware what you're doing just be aware of it so that you know if you do get a suspicious link if you do see something funny on your phone you can think seriously about it don't ignore it but don't panic about it either okay that's it my name is gary sims this is gary explains i really hope you enjoyed this quick look at the pegasus malware and how it is used if you did please do give this video a thumbs up i also hope you're following me on twitter at gary explains and also have a newsletter which you might be interested go to gary explains.com type in your email address no spam just the newsletter okay that's it i'll see in the next one you
Info
Channel: Gary Explains
Views: 215,095
Rating: undefined out of 5
Keywords: Gary Explains, Tech, Explanation, Tutorial, Pegasus, The Guardian, Malware, Spying, surveillance, NSO Group, cyber-surveillance, Government sanctioned cyber-surveillance, Pegasus Project, 0-day, zero-day, 0-day vulnerability, 0-day vulnerabilities, 0-day exploit, Android, iOS, security, privacy
Id: -lZpLZgExfc
Channel Id: undefined
Length: 14min 24sec (864 seconds)
Published: Tue Jul 20 2021
Related Videos
Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
Black Hat
97K
Special Lecture: F-22 Flight Controls
MIT OpenCourseWare
2.2M
Edward Snowden - “Permanent Record” & Life as an Exiled NSA Whistleblower | The Daily Show
The Daily Show with Trevor Noah
5.1M
World Record Chain Fountain? The Mould Effect Explained
Steve Mould
1.2M
You Probably WON'T Be Able to Use Windows 11
Gary Explains
659K
Unleash Your Super Brain To Learn Faster | Jim Kwik
Mindvalley Talks
13M
Tesla D1 Chip - What is All The Fuss About?
Gary Explains
128K
Former CIA Officer Will Teach You How to Spot a Lie l Digiday
Digiday
14M
Narcissist, Psychopath, or Sociopath: How to Spot the Differences | Dr Ramani x MedCircle
MedCircle
10M
How Crash Bandicoot Hacked The Original Playstation | War Stories | Ars Technica
Ars Technica
2.9M
This is why we can't have nice things
Veritasium
12M
The Simplest Math Problem No One Can Solve - Collatz Conjecture
Veritasium
20M
Math Has a Fatal Flaw
Veritasium
14M
Edward Snowden: How Your Cell Phone Spies on You
JRE Clips
15M
Marty Lobdell - Study Less Study Smart
PierceCollegeDist11
15M
Apple M1 and new Macs - Everything You NEED to Know
Gary Explains
76K
If There is a Chip Shortage Then Why Not Just Make More Chips?
Gary Explains
153K
Professor Richard Wolff: Why the Economic Crisis Deepens | The New School
The New School
2.3M
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.