Oddbean

What is Pegasus? Pegasus is targeted cellphone malware by the NSO Group sold to governments. It's regularly used against human rights activists. How can you stop Pegasus? Well, you can't stop it per say (except step 6 below). But you can reduce risk with SOME of the steps below: 1) GrapheneOS reduces buffer overflows with a hardened memory malloc 2) Always use a VPN for the DNS. Avoid trusting ISP DNS 3) Don't activate SMS from cell towers and use VoIP only via WiFi 4) Avoid a SIM card, then use an external WiFi FOSS router that you own such as: In your home: DD-WRT, Open-WRT, (w/) OPNSense or pfSense Tiny on the go: Rasberry Pi with OpenWRT, or GL.inet, You can put a USB modem on GLinet then you'd have portable WiFi access, but with physical isolation from the internet source. Then you only flow encrypted VPN traffic through the router. If you're too lazy to do this, then an external ISP-provided hotspot over in-phone SIM. 5) Pegasus can work off being sent a link. When your friends send you random website links on mobile, then look at it without JavaScript. Privacy Browser & Tor mobile both have a good toggle switches. (or look at it on PC) 6) You could consider a tiny PC w/ WiFi such as LattePanda or Rasberry Pi INSTEAD of a phone because these have no internal cell tower baseband modem. The default Pi distro can do Signal, or for example: lattepanda.com/lattepanda-sigma Some will think this is extreme, but you can only do SOME of the choices depending on your situation

Yes, eSIMs put it directly into your phone instead of an isolated third party source like a hotspot via WiFi. Now does that mean throw out your phone today? No, be aware of the risks and evaluate for your spesific situation.

No OS can completely prevent exploitation. GrapheneOS however has not been known to be vulnerable and nobody has claimed to have done. GrapheneOS has much more advanced exploit mitigations to protect against targeted attacks including hardened_malloc and hardware memory tagging support. Everyone on GrapheneOS has hardened_malloc and our other baseline exploit protections. hardened_malloc has great support for hardware memory tagging to provide a form of memory safety for memory unsafe code with a mix of deterministic guarantees and randomized general protection. Production hardware memory tagging is currently exclusive to GrapheneOS running on 8th Gen Pixels. OS wide inclusive of our browser/webview Vanadium. Our Auditor app can also be used to verify that it's a genuine GrapheneOS install. If an attacker does exploit the device, they need to persist their access through persistent data due to verified boot, and then exploit the device again on each boot from there. This means wiping data from recovery removes access. Auditor is there to help discover compromise. This makes Auditor useful for checking persistent state such as whether an accessibility service is enabled, which could be hidden from the user by the accessibility service if the user tried to check on the device itself via the Settings app, etc. You are more secure on GrapheneOS.