Sam
You're listening to the Cyberwire Network powered by N2K.
Rick Howard
The word is Pegasus, spelled P as in program, E as in espionage, G as in glean, A as in ace, S as in spyware, U as in unseen and S as in sophisticated. Definition: The flagship product of the controversial Israeli spyware vendor the NSO Group, used for remotely hacking mobile devices, most notably iPhones, via zero-click exploits. Example: The Pegasus spyware was silently deployed on the target's iPhone. Origin and context: Pegasus is a spyware tool first released in 2011 by the Israel-based company NSO Group. Designed for use against iOS and Android phones, NSO Group sells Pegasus exclusively to government customers with the stated intention of combating terrorism and crime. While Pegasus has been successfully used in these contexts, NSO Group has also been heavily criticized for selling it to authoritarian governments who have abused Pegasus to target activists, journalists, political dissidents and others. In one high-profile incident, the Saudi Arabian government allegedly used Pegasus to monitor Washington Post columnist Jamal Khashoggi before his assassination by Saudi operatives in 2018. In November 2021, the Biden administration banned the NSO Group from doing business in the United States, stating that the company had developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics and embassy workers. End quote. In December 2021, Al Jazeera reported that the NSO Group was considering shutting down the Pegasus unit and selling the company. Pegasus allows an operator to gain complete control over a targeted phone via a zero-click exploit, an exploit that requires no user interaction in order to trigger the malicious code. This is often achieved by exploiting vulnerabilities in messaging services, since unsolicited messages can be sent to the targeted devices using only their phone number. 
Google's Project Zero has published in-depth blog posts explaining the functionality of a Pegasus exploit that targeted iOS's messaging service iMessage. The researchers found that the spyware exploited the way iMessage processes GIF files in order to gain access to a vulnerability in iOS's CoreGraphics PDF parser. According to Google, a decades-old compression algorithm called JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. Using over 70,000 segment commands defining logical bit operators, they defined a small computer architecture with features such as registers and a full 64-bit adder and comparator, which they use to search memory and perform arithmetic operations. It's not as fast as JavaScript, but it's fundamentally computationally equivalent. Nerd reference: In a February 2022 interview, Kristen Eichensehr from the University of Virginia School of Law interviewed Nicole Perlroth, a New York Times journalist and author of the book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, published in 2021. Perlroth covered many things, but touched on the Pegasus product.
Sam
Companies like NSO sell click-and-shoot spyware to government agencies. You would not need to have really any technical or hacking skills, but if you buy this product, you know, it's sort of like a push-a-button-and-you're-in kind of thing. And for a long time, victims knew that they were getting targeted with NSO and would call me because they were getting strange SMS text messages that says, you know, "Your child's in danger," you know, or "Did you see your mention in this news headline?" And people would click and it would take them to Gayosso, which is a Mexican funeral website. Clearly they were clued on to something is weird here. Then there was this disturbing turn where NSO started selling a zero-click capability, which means that there's no SMS text message, there's no warning. Governments don't have to do anything. They just click the button and they're inside your phone. They use zero-day exploits to get inside your phone. And these are really intelligence tools that in the hands of governments that don't have a process to protect from the abuse of human rights, I should say be very powerful tools for corruption and abuse and to suppress dissent and to clamp down on a free press. Then what happened is in the Biden administration, there was just some great reporting from my friends at the Times, Mark Mazzetti and Ronen Bergman, that said, actually the FBI was considering buying Pegasus zero-click spyware last summer and then didn't because of the questions around ethics and human rights abuses and some of the reporting. And then late last year in November, something happened that I never thought I would see, which was the Biden administration, in really a remarkable breach with Israel, our Israeli allies, blacklisted NSO Group and basically destroyed their chances of a profitable exit. 
They had been planning a $2 billion IPO, I think, and this destroyed any chance of that and also sent a really powerful message to governments elsewhere that, hey, we will act if you're caught selling spyware. Someone in your country selling spyware that's being used to abuse human rights.
Rick Howard
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Podcast Summary: Hacking Humans – Episode: Pegasus (noun) [Word Notes]
Release Date: August 12, 2025
Host: N2K Networks
Description: Deception, influence, and social engineering in the world of cybercrime.
In this episode of Hacking Humans, N2K Networks delves into the intricate world of Pegasus spyware—a sophisticated tool that has reshaped the landscape of cyber surveillance and privacy. Through insightful discussions, the hosts explore the origins, functionalities, ethical controversies, and the global ramifications of Pegasus, providing listeners with a comprehensive understanding of its impact on modern cybersecurity and human rights.
Rick Howard begins the discussion by spelling out the word "Pegasus," attaching a keyword to each letter to highlight the nature of the tool: "P as in program, E as in espionage, G as in glean, A as in ace, S as in spyware, U as in unseen, and S as in sophisticated" (00:15). Developed by the Israeli company NSO Group in 2011, Pegasus was initially designed to target iOS and Android devices. The NSO Group markets Pegasus exclusively to government entities, ostensibly to combat terrorism and crime. However, the tool's deployment has sparked significant controversy due to its misuse by authoritarian regimes.
Pegasus is renowned for its ability to infiltrate mobile devices without any user interaction—a method known as a "zero-click exploit." This means that the spyware can be installed on a target's phone without them clicking on a malicious link or downloading an infected attachment. As Rick Howard explains, "Pegasus allows an operator to gain complete control over a targeted phone via a zero click exploit, an exploit that requires no user interaction in order to trigger the malicious code" (04:14).
A notable example of Pegasus's technical prowess involves exploiting vulnerabilities in messaging services. Google's Project Zero detailed how Pegasus targeted Apple's iMessage by manipulating GIF files to access vulnerabilities in iOS's CoreGraphics PDF parser. This exploitation leverages the old JBIG2 compression algorithm, which, when combined with specific vulnerabilities, can emulate complex computational operations, effectively turning a simple image file into a gateway for malicious code execution.
While Pegasus was marketed as a tool to aid governments in fighting terrorism and crime, its deployment has often strayed into morally and legally questionable territories. The NSO Group has faced heavy criticism for selling Pegasus to authoritarian regimes that utilize it to surveil and silence activists, journalists, political dissidents, and other vulnerable groups.
A high-profile incident involved the Saudi Arabian government allegedly using Pegasus to monitor Washington Post columnist Jamal Khashoggi prior to his assassination in 2018. This case underscores the potential for Pegasus to be employed not just for security purposes but also as a means of oppression and control.
The misuse of Pegasus has not gone unnoticed by the international community. In November 2021, the Biden administration took a significant stand by banning the NSO Group from conducting business in the United States. The administration cited the company's role in developing and supplying spyware that maliciously targeted various individuals, including government officials, journalists, businesspeople, activists, academics, and embassy workers (00:15).
Further escalating the situation, in December 2021, Al Jazeera reported that the NSO Group was contemplating shutting down its Pegasus unit and selling the company entirely. This development was a direct consequence of mounting pressure and the realization that Pegasus had irreparably damaged the company's reputation and business prospects.
Sam elaborates on the ramifications of these government actions, highlighting the ethical considerations and the broader implications for international relations: "Governments don't have to do anything. They just click the button and they're inside your phone... These are really intelligence tools that in the hands of governments that don't have a process to protect from the abuse of human rights, I should say, be very powerful tools for corruption and abuse and to suppress dissent and to clamp down on a free press" (04:14).
The Biden administration's decisive move to blacklist the NSO Group marked a pivotal moment in the fight against digital surveillance abuses. Sam notes that this action "destroyed their chances of [a] profitable exit" and served as a stern warning to other governments about the consequences of misusing spyware technology.
Moreover, internal deliberations within government agencies revealed ethical concerns regarding the acquisition of such powerful surveillance tools. As Sam mentions, the FBI "was considering buying Pegasus zero click spyware last summer and then didn't because of the questions around ethics and human rights abuses and some of the reporting" (04:14). This introspection signifies a growing awareness and reluctance within governmental bodies to engage with technologies that pose significant ethical dilemmas.
The episode concludes by reflecting on the delicate balance between national security and individual privacy rights. While tools like Pegasus can provide governments with powerful means to combat threats, their potential for abuse necessitates stringent oversight and ethical considerations. The NSO Group's predicament serves as a cautionary tale about the unintended consequences of exporting such potent surveillance technologies without adequate safeguards.
As technology continues to advance, the dialogue surrounding digital privacy, government surveillance, and human rights will undoubtedly persist. Hacking Humans underscores the importance of informed discourse and proactive measures to ensure that advancements in cybersecurity do not come at the expense of fundamental human freedoms.
Notable Quotes:
Rick Howard ([00:15]):
"Pegasus spelled P as in program, E as in espionage, G as in glean, A as in ace, S as in spyware, U as in unseen and S as in sophisticated definition."
Sam ([04:14]):
"Governments don't have to do anything. They just click the button and they're inside your phone."
"These are really intelligence tools that in the hands of governments that don't have a process to protect from the abuse of human rights... be very powerful tools for corruption and abuse and to suppress dissent and to clamp down on a free press."
"The Biden administration... blacklisted NSO group and basically destroyed their chances of a profitable exit."
This episode of Hacking Humans provides a thorough examination of Pegasus spyware, offering listeners an in-depth look at its creation, application, and the ethical ramifications of its use. Through expert analysis and real-world examples, N2K Networks effectively illuminates the complex interplay between technology, governance, and human rights in the digital age.