Pegasus: “changing his phones” is not enough to protect the president

Gabriel Attal announced on France Inter the meeting of an exceptional Defense Council in reaction to the Pegasus Project. The spokesperson took the opportunity to clumsily justify the use of iPhone by President Emmanuel Macron.

This Thursday, July 22, government spokesman Gabriel Attal was the guest of France Inter on 6/9. If he came mainly to answer questions about the latest changes to the health pass, he was also asked to briefly comment on the revelations of the Pegasus project.

Initiated by Forbidden Stories and the NGO Amesty International, this survey brought together the efforts of 16 media, including Le Monde. In its series of articles, the French newspaper notably revealed that a phone number used by Emmanuel Macron since at least 2017 was part of a list of targets selected by Moroccan intelligence in 2019. Also in the file the number of then Prime Minister Édouard Phillippe and those of 14 other members of the government.

On the set of France Inter, Gabriel Attal announced that an investigation was underway to determine whether the designated numbers had indeed been infected, or at least targeted. He also said that an exceptional defense council linked to this case would meet this morning.

Then, when the journalist Carine Bécard asked her if the members of the government, and in particular the president, had shown ” lightness In their safety, the representative defended himself:

We do not discover the issue of cyber defense and cybersecurity (…) The President of the Republic, his phones are changed regularly, and there are a number of security settings that [les] protect, which are changed very regularly. With little time to elaborate, the answer seems simplistic, and it hides a much more complex device.

Several phones for several uses

As Le Monde reminds us, the president’s cybersecurity is mainly handled by the presidential administration (supervised by Anssi), but the DGSI can also intervene, as part of its counter-espionage missions.

For discussions relating to defense secrecy, the presidency has had access for more than 15 years to a specific telephone model, the Teorem, designed by the French company Thalès in partnership with the general armaments directorate. It is a clamshell phone, thick, with physical keys, the price of which was estimated in 2013 at 2,100 euros per unit by the Canard Enchaîné. Of course, it is not possible to install applications there, and the user does not even have the possibility to save his phone book. The precise characteristics of the device remain unclear until today, but it remains the only one capable of secret-defense communication.

In the anecdote contest with YouTubers McFly and Carlito, the president takes out his iPhone. // Source: McFly and Carlito

For discussions that are only “sensitive”, Emmanuel Macron has a specific Samsung model, equipped with CryptoSmart technology, developed by Ercom, a subsidiary of Thalès. The smartphone applies its own layer of encryption to conversations, and it contains a special chip allowing it to delete its content remotely in the event of loss. Supposed to serve as an everyday smartphone for the president and his entourage, it is neglected according to Le Monde. The additional security prevents the use of many common services such as the Google Doc document sharing system or WhatsApp messaging, and the president’s employees complain to the Parisian.

As a result, the president continues to use iPhones as smartphones on a daily basis. It has two, which are regularly analyzed by specialists. We can for example see a model in his hand in the video of youtubers McFly and Carlito at the Élysée. The problem ? In five years, NSO Group has discovered several critical vulnerabilities that allow its Pegasus spyware to easily deploy on victims’ iPhones.

With reasoned use, the risk is limited

This is where the arguments put forward by Gabriel Attal on France Inter meet their limits. First of all, changing your smartphone is only a precautionary measure, which only becomes really useful if the smartphone has been compromised. It will limit the damage, but the spyware will have already done part of its job: file theft, conversation spying, even sending SMS … As for ” additional security settings », Which are logically not detailed by Gabriel Attal, their effectiveness in the face of malware as sharp as Pegasus can leave doubts. To protect yourself from a threat, you need to know it in detail, and spyware doesn’t.

Of course, President Macron’s use of the iPhone is not necessarily catastrophic. If he makes wise use of the different phones at his disposal, he will not communicate any important information on his iPhone (if indeed some discussions of a president may not be important). And in the event of a hack, hackers would only have access to low-value information. On the other hand, if he uses it to talk about confidential or compromising information, he is exposing himself to a real risk.

It should be remembered that Pegasus is only the emerged face of a larger surveillance ecosystem, and he is far from the only threat hanging over the president. While some states use Pegasus or competing software because they cannot develop it their own tool in-house, the intelligence of the more powerful countries builds their own advanced spy software.

Tension between functionalities and security

The story of Macron’s phones is a prime example of the tension between functionality and security faced by any cybersecurity specialist. If the additional securities slow down the user too much in his use of the tool, then he will try to bypass them: since smartphones equipped with CryptoSmart do not allow enough applications, the president’s employees prefer to do without them.

The balance is far from easy to find. To drastically strengthen the security of the smartphone, it is ideal to do without the two main mobile operating systems, iOS and Android, which are therefore the most targeted by attacks. In other words, malware is developed to run on these systems, and hackers will have a lot of extra work to do if they want to target a third-party OS.

Problem: Doing without Android and iOS means being excluded from the App Store and Play Store, and having access to virtually no consumer applications. On the security side, this is not a bad thing: applications are as many entry points to your smartphone. For example, a vulnerability in WhatsApp was suspected of having been exploited to hack the smartphone of Amazon founder Jeff Bezos. But on the functionality side, the smartphone loses its digital Swiss Army knife side.

Last year, Foreign Minister Jean-Yves Le Drian explained that he did not use the government contact tracing app StopCovid (now TousAntiCovid), quite simply because he could not… install it on his smartphone. It was a sign that the former Minister of Defense is limited to the use of secure smartphones, unlike its president,

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *