Pegasus worked as well as it did because it exploited a lot of “zero-day exploits”. To put it ELI5, 0-days are basically “god fucking dammit, we had this bullshit in our code? This exposes fucking everything. We need to patch it ASAP – and we woulda if somebody would tell us before”.
Please tone down my explanation for actual 5yos.
The thing is – it becomes more and more lucrative to just sit on the zero-days. The whole deal with the name is that you would sell the exploit and then other people would try to do their best in a tight window of time – hence 0-day. But recently some groups just aren’t all-in on insta profit, and that includes governments. There is no doubt that NSO Group already has replacements for their exposed 0-days – but that is just my opinion.
As far as we know the exploit used by Pegasus was patched by Apple in Sep 2023. Of course there may be people who haven’t updated their phone since then and are still vulnerable. Alternatively, there may be yet more bugs in the OS that nobody but the makers of Pegasus know about.
Software security overall is a cat and mouse game. Every large complex system has vulnerabilities. The good guys try to catch and fix them before the bad guys can catch and exploit them. Both sides are throwing an incredible amount of money and resources at their respective tasks.
Because the attacker and defender work on 2 very different security models.
The attacker only has to find a single flaw within the entire system to gain control. The defender has to try and find every possible hole to make sure there is not a single gap. This puts the ball firmly in the attacker's court, as it's beyond easy to overlook something simple.
The difference is that Pegasus is designed for one-off, ultra-high-value targets, designed and sponsored by people with a nearly infinite supply of wealth. They can hire some of the best security experts money can buy and turn that impenetrable wall of security into Swiss cheese. Even if the one flaw they used is discovered, there are probably hundreds more waiting to be found.