Pegasus and others - what you should know

https://endoflife.date/android

https://endoflife.date/iphone

At the outset, I want to point out that I am recording this material in January 2022. This is important because security material has an expiration date, and at the moment, especially in this topic, things are changing like a kaleidoscope. That's why I wanted to emphasize this. I also want to mention that I am leaving out the moral aspects entirely: who does what to whom, who doesn't, and for what.

What does our own phone know about us, and what can it therefore reveal about us, in a more or less legitimate way? For starters, there are the things the phone itself measures, which can easily be measured and communicated. Something everyone feels and understands is GPS, meaning where we are. But note that it is not only where we are: based on, for example, the history of our movement, which most of us more or less consciously report to Google, it is also the history of when we were in what place and for how long. Then there are position sensors, meaning what position the phone is in. This may not be super important from the perspective of the topic at hand, but it is useful to know that our phone knows that we are, for example, moving, or not moving because we are sleeping, or for any other reason.

Shock sensors can make a difference so that, for example, our phone knows whether we are walking or driving. This can also have its value as information. Light and image seem obvious: the phone has a camera, it can be turned on, it can preview something, as long as it's out of your pocket or off a shelf, of course. Sound, or access to the microphone: I hope each of you already knows that as long as you have Facebook installed on your phone, Facebook has the microphone on and analyzes what's going on around you all the time.

Basically, the goal is simple: the idea is maybe not so much to bug us as to know what we are talking about, to get the ads right for us and sell us something we'll want to buy. So it's already happening: whether someone has Pegasus or not, Facebook is listening.

A temperature sensor is probably a given. In some cases, phones have pressure sensors or rangefinders. This is somewhat unrelated to the topic, but it is worth mentioning. Much more relevant is not what the phone knows about us as such, but what we more or less consciously put into its memory. For example, photos. From the photos, anyone with access to our phone can easily guess or figure out what we own, what our material status is, what our social status is, where we live, who we hang out with, and that kind of information. Here, too, there is a link to location. In addition to GPS itself, note that we ourselves push to social media where we are, when we are staying with someone, and who we are checking in with. This is what we ourselves gleefully push to Facebook and similar social media. Where and with whom we talk also comes from, for example, instant messaging: what we talk about, who we talk to, how often we talk. From the network of contacts you can easily infer what views we might have, what interests we might have, and who we know. It's not even necessary to take over our phone; that's what social media does brilliantly.

And not just Facebook. Based on our interactions, likes, networks and contacts, and on how much time we spend on any particular article, it is easily able to infer what views we have, what we react to, what will stimulate our reaction, and what will make us stay longer with the Facebook app. And that's exactly the point: to make us stay as long as possible and see as many ads as possible. That's Facebook's primary goal, and it's no surprise.

Next, shopping habits, because even if we don't buy on the phone, we usually scroll through all kinds of stores. This is also important information for someone who first of all wants to sell us the right product, which means any social media platform will crave this information.

Access to banking applications and credit cards: it's all on our phone, and it can all surface if someone takes control of our device. Health status, too: at the very least pedometers and heart rate, from which you can easily infer health status, whether and how we exercise. What's more, one can guess what condition we are in. After all, there are applications into which we ourselves enter all sorts of things like sport, physical activity, or at least a calendar for women. They are also easily able to analyze when we sleep and how well we sleep. This is incredibly valuable information that we ourselves push into the hands of Google, Facebook and Apple; they already know this, and let's say we are more or less reconciled to it. On the other hand, let's pay attention to how much such a set of information can be worth if someone wants to harm us, or wants to know a lot more about us and our habits because for some reason they want to know the details of our lives. And this is where apps like Pegasus come into play. Because let's not kid ourselves, Pegasus is not the only app.

What's more, I am even making a logical error when I talk about the Pegasus application, but more about that in a moment. So let's imagine a market where, on the one hand, there are potentially dangerous people about whom one can get the whole set of information I just mentioned, and on the other hand, all the three-letter services of very rich countries that are very, very keen to have a tool of this type.

And one should not be surprised at them or reprimand them for this; I think that under the right conditions such tools are very valuable and, we can even say, necessary. Pegasus in a sense became a victim, because in this industry you could say the quieter you go, the farther you go; it just got loud about it, and that's its bad luck.

On the other hand, we can rest assured that there is much more in such a market. By the way, the names of further systems are already starting to surface officially, and systems is what we should rather call them; we should not call this any particular application. And how does it work? The point is that Pegasus and the like is a Hatch system. The point is that every device, every application, every piece of software has vulnerabilities: unpatched vulnerabilities, or bugs. There are bugs in any sufficiently complex application, and some can be exploited to get onto the phone and basically take it over. With the right level of code complexity, it's a matter of time before something like that is found and surfaces.

So, a programmer makes a bug, which is a vulnerability that can be exploited to take over a device. Once the software developer learns about it for whatever reason, because they figure it out themselves, because an audit shows it, or because some hackers for some reason release information that such a vulnerability exists and works, at that point the developer creates a patch and sends it, or should send it, to the devices.

The vulnerability is valid until the patch gets onto the device and is applied. This is very important. The vulnerability is valid from the moment anyone detects it until the patch is loaded onto the device and installed. Now that we know what an unpatched vulnerability is and how long it is valid, let's move on to how this works. Because Pegasus and similar systems are not a specific application at all, not a program at all. The way it works is that an organization with a Pegasus-type system under its control exploits a set of such vulnerabilities, whether it finds them itself or buys them from people who look for them on the open market.

It is a kind of hack-on-click system. The operator of such a system gets some interface, pastes in a number, and wants to get onto our phone; the system underneath will then try to select the right vulnerability, most likely in a way that is invisible to the operator, and use it to try to get onto the device.

As a result, neither the operator nor, even more so, we, the potentially attacked, have any idea where the blow will come from. And now, by the way, back to software updates and patching vulnerabilities. This is where things start to get a little complicated, because most smartphone users are Android users.

The oldest Android that still has support is Android 9.0, Android Pie. It is about 3.5 years old. What does this mean? It means that if you have a phone older than 3.5 years, or an Android older than 9.0, in practice you no longer have support. If vulnerabilities or big threats come out, in all likelihood no one will be interested in providing updates for your phone to make it no longer vulnerable.

See how much danger this creates. A vulnerability discovered in slightly older phones, with an Android older than 3.5 years, could end up staying there forever. That is, it could become a permanent item in the arsenal of a system like Pegasus. The situation is a little different if we start talking about Apple.

Here the situation looks much better in one respect, because with a single click Apple is able to update the software on all its phones. This is a very good thing, because if a vulnerability comes out and Apple figures it out, it is able to patch it and send the patch to all devices in no time.

Note that the oldest phones with support are the 6S and 6S Plus. These are phones from, note, six years ago. It's pretty cool that even a five-year-old phone can, for the moment, be said to be relatively secure in terms of known security vulnerabilities. I emphasize known. Pegasus and similar systems generally use unknown vulnerabilities, so this does not mean it is secure against them.

I'm just pointing out what the security situation on phones looks like in general. This makes Apple's environment very consistent. That has the very big advantage that, as I mentioned, a patch will quickly reach our phone, but it also means that all devices, or almost all devices, have the same software, which means that if someone finds a security vulnerability in the system, they are able to exploit it on virtually all devices with the bitten apple.

The situation paradoxically looks a little different on Android, because hardly any phone has pure Android. Most phones have Android with overlays from their manufacturers, which is, on the one hand, a very big disadvantage. As I mentioned, a 3.5-year-old Android still has support.

On the other hand, we still have to note that just because Android itself has support does not yet mean that the manufacturer will want to send updates, because on Android with manufacturer overlays, it is the manufacturers who are responsible for sending us updates. Hardly any smartphone manufacturer takes special care to update the software of phones two or three years old, especially if they are not flagships but simpler devices.
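As an added illustration (not part of the recording), the two conditions described above, a release that still has support and a vendor that actually ships patches, can be checked over a device inventory. The feed records, the inventory, the finding names and the 90-day threshold are assumptions constructed for this example.

```python
from datetime import date

# Constructed records shaped like the endoflife.date JSON feed for a product:
# "cycle" is the OS release, "eol" is True/False or an ISO end-of-life date.
# The values are illustrative, not a copy of the live data.
EOL_FEED = {
    "android": [
        {"cycle": "12", "eol": False},
        {"cycle": "9", "eol": False},
        {"cycle": "8.1", "eol": "2021-10-01"},
    ],
}

# Constructed inventory. On Android the two values can be read with
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
INVENTORY = [
    {"name": "phone-a", "platform": "android", "release": "12", "patch_level": "2022-01-05"},
    {"name": "phone-b", "platform": "android", "release": "9", "patch_level": "2020-06-01"},
    {"name": "phone-c", "platform": "android", "release": "8.1.0", "patch_level": "2019-03-01"},
    {"name": "phone-d", "platform": "android", "release": "4.4", "patch_level": None},
]

def find_cycle(records, release):
    """Match '8.1.0' to cycle '8.1' by trying ever shorter dotted prefixes."""
    by_cycle = {r["cycle"]: r for r in records}
    parts = release.split(".")
    for n in range(len(parts), 0, -1):
        record = by_cycle.get(".".join(parts[:n]))
        if record is not None:
            return record
    return None

def is_eol(record, today):
    """The 'eol' field is either a boolean or a date string."""
    eol = record["eol"]
    if isinstance(eol, bool):
        return eol
    return date.fromisoformat(eol) <= today

def assess(device, feed, today, max_patch_age_days=90):
    """Return findings for one device; an empty list means nothing flagged."""
    findings = []
    record = find_cycle(feed.get(device["platform"], []), device["release"])
    if record is None:
        findings.append("release-unknown")  # not in the feed: treat as unsupported
    elif is_eol(record, today):
        findings.append("release-eol")
    # A supported release is not enough: the vendor must actually ship patches.
    patch = device.get("patch_level")
    if patch is None:
        findings.append("patch-level-missing")
    else:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"patch-stale:{age}d")
    return findings

def report(inventory, feed, today):
    """Map each device name to its list of findings."""
    return {d["name"]: assess(d, feed, today) for d in inventory}

if __name__ == "__main__":
    # Date fixed to the recording period so the output is reproducible.
    for name, findings in report(INVENTORY, EOL_FEED, date(2022, 1, 31)).items():
        print(name, findings or "ok")
```

Here phone-b is the case from the paragraph above: its Android release is still listed as supported, yet it is flagged because the vendor's last patch is far older than the threshold.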

This situation paradoxically can be an advantage. It is worth focusing on finding a hole in one environment, so that you automatically have access to many devices. On the other hand, if we have such a fragmented environment, that is, first of all, there are several Android versions, and secondly, each manufacturer has its own overlay, then in practice the system can be completely different.

Consequently, if we find ... a vulnerability in Android, it may turn out that it is no longer valid on another manufacturer's Android. Therefore, in a sense, it may turn out not to be worth the effort; it may be impossible to find a universal vulnerability. Consequently, it may increase costs. I emphasize "may"; I am not at all saying that using Android is in any way more secure or better, or recommended.

Now, regarding how this happens: logically there are two ways that someone can get onto our phone. The first is getting in with interaction, that is, for example, we get some message, email, link, whatever, and we click on it, and that's where the magic happens, exploiting a weakness in the communication application, the web browser, or whatever.

So on the one hand, we have a way of getting in that requires some kind of interaction from us, and anyone who thinks that it doesn't apply to them may be quite wrong, because if the message is really well profiled, you may find that you have been waiting for a similar message. I emphasize, it must be really well profiled.

If you're the target of an expensive attack like Pegasus, for example, that means you're worth a lot to the system, and it's really worth focusing on you to craft the message so that it turns out, for example, that you're waiting for it. Or it sounds plausible enough to you, or is even an actual message that was sent to you. You click on it, the magic happens in the background, and at the end you are sent to a page with, for example, the information you either wanted or actually got.

And take note, no one realized what happened, when in fact you clicked on the wrong link. That's why I emphasize that it can happen. The second way does not require our interaction: for example, one such way to get in was to use instant messaging. There were rumors of both WhatsApp and iMessage being used.

The point is that our phone received a message that, taking advantage of a vulnerability in the messenger, caused our phone to be taken over, and the message deleted itself. That is, in practice, we were not able to notice that anything had happened, and our phone is no longer our phone. We can also point out something that is really not talked about much: technologically, if someone has taken control of a device to the point where they are able to pull out all the information I listed, then just as effectively there is nothing technical to stop any information, any files, any data that should not be on our device from being put there.

In some magical way, data can appear on our devices that can testify that we did something we didn't do. Let's pay attention to how aggressive this is, because later our device can testify against us, and no one will pay attention to the fact that it wasn't us who uploaded the data there. The issue is really complicated, and it's really not talked about much.

People only talk about extracting information. The next issue: how do we know that we were wiretapped? We can't know. Why not? For several simple reasons. As I mentioned, it is a set of attacks, a whole portfolio, and we have no idea from which side we were hit. That is, our phone is no longer our phone but a phone fully controlled by the attacker. The first task such an attacker has is to hide; that is, if he took over our phone and it worked as it should, he really knows what he is doing and can hide from the eye of the average user.

There is not the slightest possibility that any of us, with a simple layman's eye, can tell that something is going on. The systems are made that way; that's their main purpose, so that no one can figure it out. Keep in mind that these systems are really expensive, and there is a small limit on the number of devices that can be eavesdropped on at once, so the practice seems to be to go in on the phone, pull out all the information and leave, so as not to burden the license.

How trivial, right? But that's one of the reasons we can't tell: when they leave our system, they sweep away the basic traces of their presence there as if with a broom, and that's another argument for why we can't tell. As I mentioned before, if they're, in quotes, on our phone, they're someone who really knows what they're doing, and they've already taken over our phone; it's no longer our phone.

We don't even have the right to think of it as our phone anymore, because full control is in the hands of someone who isn't us. Note that they can do a lot more with it, because we are limited by the interface or by our knowledge of how the phone works and what can be done with it, whereas the system that broke in has both the knowledge and the capabilities. So, at the very least, we can't tell whether something is going on.

How to prevent it? Well, if you're looking for any simple way, trick, application or, horror of horrors, a link that will protect you from anything or inform you about anything, forget it; there is no such thing. I wonder, by the way, when there will be links titled "check if you are bugged with Pegasus", and behind them, bam, either malware or Pegasus or some other application. Let's say it's a song of the future for the moment, but I think someone has already come up with it.

Now, if we want to defend ourselves, in quotes, by home means, well, in practice we are a little bit at a loss. Which still doesn't mean that we shouldn't get into the habit of doing certain things that can help us a bit, if not from this perspective, then in general from the perspective of hygiene in the use of electronic devices, mobile devices, personal computers and that kind of thing.

When it comes to security, however, let's note that ease of use is exactly the opposite pole of safety. That is, if something is extremely safe, it will, not always of course but in most cases, be extremely unpleasant to use, and vice versa.

When it comes to such basic things, which everyone should do on both the phone and the personal computer: of course, updating the system and applications. I've already talked a bit about this. One should always keep these patches up to date. As I mentioned, with older Androids there is the trouble that, being a layman, in practice it is impossible to get these updates yourself on a phone three and a half years old or older, so here we are a little bit on the losing end. But when it comes to applications, let's update them and keep them up to date, because vulnerabilities are being found in systems such as Android or any other, but they are also being found in applications, which can also be the attack vector through which someone will try to get in. This tells us two things. First, these applications should be updated: generally a notification pops up saying that you have to, so let's not be afraid to do it; it's for our security. The second thing that immediately comes to mind is the number of applications: by installing each application on our phone or computer, we upload to our device a set of code that is potentially full of holes, that is, we open another potential gateway into our device. Therefore, let's not install apps that we don't use and, God forbid, apps that we don't know, that come from some link or from outside the store. That doesn't mean that the ones in the store are safe. They do have some sliver of security, while those from outside the store, it can be said, are almost by definition not safe.

Being careful about clicking links in SMS messages, e-mails and pages is also a kind of minimum, both on the phone and on the computer; this always comes up, and it has to come up, because in the end, sorry, with any campaign very many people click on all these links anyway. Someone will say: but I have an encrypted messenger, I even encrypted my phone. Yes, great, that's a very good idea; it's always better to use encrypted communication than unencrypted, and I'm wholeheartedly in favor of that. Only, as I already said, if someone has taken over our phone, it's his phone, not ours; that is, everything we have access to, the content, the messages, is also available to whoever has taken over our phone. So encrypted communication or encryption of the phone is not the solution to this problem. It is a good habit, we should do it, but it is not the solution to this problem.

If one is paranoid, one can disable subsystems such as Wi-Fi, Bluetooth, data transmission and location. Just remember that if we are already infected, we are disabling them in software, and someone can turn them back on in software; as a result, it's poor security after the fact. If someone is really going deep into paranoia, they can get themselves a non-smartphone. This is an interesting solution. Just remember one thing. On the one hand, eavesdropping on it is very difficult, because there is no system where someone clicks, gets in and reads all the information, historical, current and in a sense also future, because note that we also have calendars in our phones, so on the basis of getting into the phone you can infer where we will be in some time.

But back to that non-smartphone. On the one hand, this is a kind of security, but on the other hand, let's note that voice transmission over a cell phone is ordinary radio, not encrypted in any way. That is, in practice, all that is needed is a device that is logically something similar to a phone, which is able to listen to the radio waves of our phone and in principle is able to eavesdrop on both conversations and text messages without any effort, since it is absolutely unencrypted communication. So this is one of the paranoid solutions. Next is the question of hygiene: whether we need to keep things on the phone that we shouldn't keep there if we really want to hide something.

The next slightly paranoid way is to keep two devices: one for daily use, the other for communication that for some reason should remain undisclosed. In practice, however, we have to reckon with the fact that whatever is on our device can, with some probability, get out, and that's it. That's something you just have to come to terms with. If we really don't want some information to get out, with the highest probability, let's simply not put it on any electronic device that can be reached in a simple way.

But if one wants to be much more secure from this perspective, that is already a really complex topic, and one would really have to set in motion a lot of paranoia, which could probably prove ineffective in the end anyway, because note that attacks of this type are attacks that no one knows about yet except their creators. So it just might turn out to be a losing position from the start.