Threat from Pegasus Spyware Still Looms, Experts Testify

Bree Fowler Senior Writer

Carine Kanimba, daughter of the imprisoned activist Paul Rusesabagina. She says her phone was infected with Pegasus spyware.


What's happening

Experts testified in front of the US House Intelligence Committee on Wednesday about the continued dangers related to the Pegasus spyware.

Why it matters

They say that government and the tech industry need to work together to better secure computer systems and put pressure on companies that sell commercial spyware to governments and others looking to abuse it.

Government and the tech industry must work together to protect US citizens from being targeted with commercial spyware like Pegasus, which last year was revealed to have infected the iPhones of numerous government officials, human rights activists, journalists and others, experts told the US House Intelligence Committee on Wednesday.  

In the rare open hearing, the committee heard testimony from John Scott-Railton, senior researcher for Citizen Lab, the University of Toronto-based research group that first discovered the spyware; Shane Huntley, director of Google's threat analysis group; and Carine Kanimba, an activist whose phone was targeted with the Pegasus spyware.

Kanimba is the daughter of human rights activist Paul Rusesabagina, whose efforts to save the lives of more than 1,000 refugees during the Rwandan genocide were chronicled in the movie Hotel Rwanda. A vocal opponent of that country's government, he's imprisoned in Rwanda after being convicted of terrorism-related charges last year following what his family calls a sham trial. The US government considers Rusesabagina to be "wrongfully detained." 

Kanimba, who is working to set her father free, says she was alerted to the possibility that her phone might be infected with Pegasus by a group of journalists last year. Forensics later confirmed those suspicions. She says that she has no doubt Rwanda's government was behind the surveillance and that she remains frightened about what it might do next.

"It keeps me awake that they knew everything I was doing, where I was, who I was speaking with, my private thoughts and actions," she told the committee. "Unless there are consequences for countries and their enablers that abuse this technology none of us are safe."

In a Thursday statement sent to CNET, the Embassy of the Republic of Rwanda in Washington, DC denied possessing or using the Pegasus software, adding that "these are politically motivated allegations aimed at undermining Rwanda's judicial system and sowing disinformation."

Cybersecurity experts have called Pegasus some of the most sophisticated surveillance spyware that's commercially available. It uses a "zero-click" exploit, meaning that it can infect a target's phone without the user having to actively do something like click on a malicious link or download an attachment.

"This isn't about sitting in a cafe and connecting to unsecured Wi-Fi," Citizen Lab's Scott-Railton testified.

"Your phone can be on your bedside table at two in the morning. One minute your phone is clean, the next minute the data is silently streaming to an adversary a continent away. You see nothing."

The spyware, which is delivered by text message, targets iPhones and allows those using it to silently access everything from a device's calls and texts to encrypted chats and the device's camera. Apple has since patched the exploited software hole.

While NSO may have sold the spyware to hundreds of governments around the world, there's no way to know for sure, Scott-Railton said. But based on the vast array of places it's been found and the variety of people who have discovered it on their phones, it's clear that the company wasn't particular about who it sold it to.

He urged the committee to take action against US pension funds that invest in companies like NSO, as well as countries that act as safe havens for those kinds of companies.

In November, the US government blocked the sale of US technology to NSO by putting the company on the government's Entity List. NSO has suspended some countries' Pegasus privileges but has sought to defend its software and the controls it tries to place on its use. 

NSO maintains that the spyware is only intended to be used by governments looking to pursue criminals or terrorists. But, last year, researchers started discovering it on phones belonging to activists, rights workers, journalists and businesspeople.

NSO didn't respond to an email seeking comment on Wednesday's hearing.

The most recent revelation is that Pegasus infected the phones of at least 30 Thai activists, according to a July Citizen Lab report. Apple warned those with infected phones in November.

To try to thwart such attacks, Apple has built a new Lockdown Mode into iOS 16, its iPhone software update due to arrive later in 2022, and into its upcoming macOS Ventura.