What you need to know
- With the NSO Group’s Pegasus spyware in the news of late, here’s how to check your iPhone isn’t infected.
- It’s very unlikely that you are, and the process of checking isn’t a smooth one.
You’re going to need to bust out Terminal.
With so much talk about NSO Group and its Pegasus spyware right now it’s important to remember that it’s very unlikely that you have been targeted. Still want to be sure? There’s a tool that can check, but it’ll take some work.
We know that 50,000 phone numbers belonging to journalists, government officials, and more are on a list of potential Pegasus targets and that’s all very scary stuff. Thankfully it’s unlikely most people will be anywhere near Pegasus or that list, but TechCrunch has detailed how you can go about being sure. It isn’t a fun endeavor and it’s going to involve cracking out Terminal, but it’s definitely doable.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed in for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files.
Apple has been keen to remind everyone that most people don’t need to worry about Pegasus and that it’s a very sophisticated tool for gaining access to very specific devices. It could also do without a potential security scare ahead of the iPhone 13 announcement that will likely take place in September, too.