Supply Chain Attacks

Pegasus Spyware and NSO Group: The Supply Chain of Surveillance

The Pegasus Project revealed NSO Group's spyware targeting journalists, activists, and politicians through zero-click exploits. This is what a weaponized supply chain looks like.

Bob
Cybersecurity Writer

In July 2021, a consortium of journalists and researchers published the Pegasus Project, revealing the extent to which NSO Group's Pegasus spyware had been deployed against journalists, human rights activists, lawyers, and heads of state. The spyware exploited zero-click vulnerabilities in iOS and Android, meaning victims didn't need to click anything — receiving a message was enough. This wasn't a traditional data breach. It was the industrialization of surveillance through software supply chain exploitation.

What Pegasus Actually Does

Pegasus is a full-device surveillance tool. Once installed on a target's phone, it can:

  • Read encrypted messages from Signal, WhatsApp, and Telegram
  • Activate the camera and microphone without any visible indicator
  • Track GPS location in real-time
  • Harvest contacts, call logs, and browsing history
  • Extract emails and calendar data
  • Access stored photos and files
  • Capture keystrokes and screen content

Pegasus is designed to leave minimal forensic traces. It operates in memory when possible, avoids writing to disk, and can self-destruct if it detects analysis tools. The sophistication of the software reflects years of development and millions of dollars in investment.

The Zero-Click Attack Vector

What makes Pegasus uniquely dangerous is its delivery mechanism. Early versions required the target to click a malicious link. By 2021, Pegasus had evolved to use zero-click exploits — attacks that require no interaction from the victim.

The most documented zero-click chain targeted Apple's iMessage:

FORCEDENTRY (CVE-2021-30860): Discovered by Citizen Lab, this exploit used a maliciously crafted PDF disguised as a GIF, sent via iMessage. The PDF exploited an integer overflow vulnerability in Apple's CoreGraphics framework. The exploit was processed automatically by the iMessage rendering engine before the user even saw the message.

The attack chain worked like this:

  1. Attacker sends an iMessage to the target's phone number
  2. The message contains an attachment with the exploit payload
  3. iOS automatically processes the attachment for preview rendering
  4. The exploit triggers, achieving code execution outside the iMessage sandbox
  5. Pegasus is installed silently on the device
  6. The original message is deleted to remove evidence

No link to click, no permission to grant, no app to install. The target's phone number was the only thing the attacker needed.
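One forensic check that follows directly from the chain above: compare each attachment's file extension with the bytes it actually contains, since FORCEDENTRY shipped a PDF under a .gif name. This is an added example, not code from the original post or from any of the organizations named; the sample attachments are constructed, and the signature table is a small illustrative subset.

```python
# Added example (not from the original post): flag attachments whose file
# extension disagrees with the bytes inside, the mismatch FORCEDENTRY relied on
# (a PDF delivered under a .gif name).  The sample attachments are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading byte signatures for a few formats a messaging client renders.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

@dataclass
class Finding:
    name: str
    claimed: str             # type implied by the file extension
    detected: Optional[str]  # type implied by the leading bytes, if recognised

def sniff(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of the data, else None."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None

def check_attachments(attachments: Dict[str, bytes]) -> List[Finding]:
    """One Finding per attachment whose content is unrecognised or disagrees with its extension."""
    findings = []
    for name, data in attachments.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        detected = sniff(data)
        # Compare signature sets so that .jpg and .jpeg count as the same type.
        if detected is None or MAGIC.get(ext) != MAGIC[detected]:
            findings.append(Finding(name, ext, detected))
    return findings

# Constructed sample set: a genuine GIF, a genuine JPEG, and a PDF header
# carried under a .gif name (the pattern the post describes for FORCEDENTRY).
SAMPLE_ATTACHMENTS = {
    "photo.gif": b"GIF89a" + b"\x00" * 16,
    "selfie.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "funny.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}
```

Running check_attachments(SAMPLE_ATTACHMENTS) returns a single finding for funny.gif, claimed "gif" but detected "pdf"; a real triage tool would apply the same comparison to every attachment extracted from a device backup.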

The Scale of Surveillance

The Pegasus Project investigation, led by Forbidden Stories and Amnesty International, analyzed a leaked list of over 50,000 phone numbers that had been selected as potential targets by NSO Group's clients. The investigation confirmed Pegasus infections on phones belonging to:

  • Journalists from outlets including the Associated Press, CNN, Le Monde, and Al Jazeera
  • Human rights activists across multiple countries
  • Politicians including heads of state (French President Macron's phone was on the target list)
  • Lawyers working on cases against authoritarian governments
  • Business executives involved in strategic industries

NSO Group's clients included governments in Saudi Arabia, UAE, Morocco, Hungary, India, Mexico, and others. The company consistently claimed Pegasus was sold only to vetted government agencies for legitimate law enforcement and counter-terrorism purposes. The evidence told a different story.

The Supply Chain Angle

Pegasus represents a specific kind of supply chain risk: the weaponization of software vulnerabilities in trusted platforms. The attack doesn't target a third-party component in the traditional sense — it targets the operating system and built-in applications that users rely on.

Exploiting Trust in Platform Components

iMessage is a system application that ships with every iPhone. Users can't uninstall it. It processes messages automatically in the background. Apple's own code became the attack vector, and there was nothing users could do to protect themselves short of disabling iMessage entirely — which Apple made difficult by design.

The Vulnerability Supply Chain

Behind Pegasus is an entire ecosystem of vulnerability research and exploit development. NSO Group either discovers or purchases zero-day vulnerabilities in iOS and Android, develops reliable exploits, integrates them into the Pegasus platform, and sells the capability to government clients.

This is a supply chain of its own: vulnerability researchers sell to brokers, brokers sell to companies like NSO Group, and NSO sells operational capability to governments. Each link in this chain adds value and removes accountability.

Third-Party Library Exploitation

Some Pegasus exploits targeted vulnerabilities in third-party libraries used by iOS. The JBIG2 image decoder used in CoreGraphics, which FORCEDENTRY exploited, was originally a third-party component. This is classic supply chain risk: a vulnerability in an obscure image processing library becomes a weapon for state-level surveillance.

Apple's Response

Apple took several actions in response to Pegasus:

September 2021: Patched CVE-2021-30860 (FORCEDENTRY) in iOS 14.8, an emergency out-of-band update.

November 2021: Filed a lawsuit against NSO Group, seeking a permanent injunction to ban the company from using Apple products and services.

July 2022: Introduced Lockdown Mode in iOS 16, a feature that significantly restricts device functionality to reduce the attack surface. Lockdown Mode disables iMessage attachment previews, blocks most link types, restricts FaceTime, and limits other features that could be exploited.

Ongoing: Apple's Security Engineering and Architecture (SEAR) team significantly increased investment in iMessage security, including rewriting the attachment processing pipeline with stronger sandboxing.

The Bigger Picture

Pegasus is the most visible example, but it's not the only commercial spyware operation. Candiru (now Saito Tech), Intellexa, and Cytrox have all been linked to similar surveillance tools. The market for offensive cyber capabilities is growing, and the customers include governments with poor human rights records.

This has implications beyond individual privacy:

Press freedom: When journalists can be surveilled through their phones, source protection becomes impossible. This chills investigative reporting on corruption and human rights abuses.

Legal privilege: When lawyers' communications are compromised, attorney-client privilege is meaningless. This undermines the rule of law.

Democratic processes: When politicians are surveilled by foreign or domestic intelligence agencies, democratic governance is compromised.

What Organizations Can Learn

Mobile Device Security Is Application Security

Organizations that issue mobile devices to employees need to treat those devices as part of their attack surface. Mobile device management (MDM) solutions should enforce prompt OS updates, and organizations handling sensitive data should consider Apple's Lockdown Mode for high-risk users.

Zero-Click Means Zero User Responsibility

Traditional security awareness training focuses on teaching users not to click suspicious links. Zero-click exploits render this approach useless. Technical controls — prompt patching, sandboxing, attack surface reduction — are the only effective defense against this class of threat.

The Vendor Ecosystem Is a Battleground

When organizations evaluate software vendors, they're inheriting the security posture of every third-party library those vendors use. The JBIG2 decoder vulnerability that powered FORCEDENTRY was in code that Apple didn't write but distributed to every iPhone user on the planet.

How Safeguard.sh Helps

Safeguard.sh addresses the software supply chain risks that Pegasus exploits at scale:

  • Deep Dependency Analysis: Safeguard.sh traces software components down to individual libraries like the JBIG2 decoder that FORCEDENTRY exploited, ensuring you have visibility into every layer of your software stack.
  • Zero-Day Awareness: Through continuous vulnerability monitoring, Safeguard.sh alerts you when new vulnerabilities are disclosed in components you depend on, including system-level libraries.
  • SBOM Generation and Tracking: Safeguard.sh generates comprehensive SBOMs that catalog every component in your software, making it possible to assess exposure when new exploits are discovered.
  • Supply Chain Risk Scoring: Safeguard.sh evaluates the risk profile of your software dependencies, flagging components with known vulnerability histories or maintenance concerns.
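The SBOM tracking described above reduces, at its core, to matching each catalogued component against the affected version ranges of a new advisory. The following is an added example of that check and is not Safeguard.sh's code; the SBOM, the library names and versions, and the advisory id are all constructed placeholders.

```python
# Added example (not Safeguard.sh code): check a CycloneDX-style SBOM against a
# newly disclosed advisory and return the components inside the affected range.
# Library names, versions and the advisory id below are constructed placeholders.
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> comparable tuple, using the leading digits of each segment."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as OSV uses)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def exposed_components(sbom: Dict, advisory: Dict) -> List[Dict]:
    """Return every SBOM component that an affected range in the advisory covers."""
    hits = []
    for comp in sbom.get("components", []):
        for rng in advisory["affected"]:
            if comp["name"] == rng["package"] and is_affected(
                comp["version"], rng["introduced"], rng["fixed"]
            ):
                hits.append(comp)
                break
    return hits

# Constructed SBOM: an app bundling a PDF renderer that in turn bundles an
# image codec, mirroring how a decoder buried in a platform reaches end users.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-messaging-app", "version": "2.1.0"},
        {"name": "example-pdf-renderer", "version": "1.4.2"},
        {"name": "example-jbig2-codec", "version": "0.9.3"},
    ],
}

# Constructed advisory with a PLACEHOLDER id; only the version range matters here.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "affected": [{"package": "example-jbig2-codec", "introduced": "0", "fixed": "0.9.4"}],
}
```

Calling exposed_components(SAMPLE_SBOM, SAMPLE_ADVISORY) returns only the codec entry, which is the question an organization actually needs answered on disclosure day: which of our shipped artifacts carry the affected component.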

The Pegasus campaign showed that even the most trusted software platforms can harbor exploitable vulnerabilities in their supply chain. Safeguard.sh provides the transparency needed to understand and mitigate that risk.
