Experiment: anti-Pegasus box to keep spies away from my home
Journalists, activists, or minorities around the globe who are targeted by governments using high-tech spyware such as Pegasus have limited means to protect themselves. After recent revelations that ad networks are being utilized for spying and delivering payloads, one helpful solution could be DNS filtering, known as a Pi-Hole. Is it hard to set up, and how useful is it?
Outlawed Russian journalists, working in exile from Latvia, found their phones infected with Pegasus spyware. The adversaries needed zero user interaction to deliver and deploy the malware and to exfiltrate the data. If it weren't for Apple's notifications, no one would even have known about it.
A single webpage that you open online contains many, even dozens, of different applications tailored to track you, analyze you, serve ads for you, involve you in social activities, or even straight up be malicious. The same with apps on phones.
You may perform a little experiment yourself. Open this link and check how your device treats such services. Does it block them from launching or let them run? If you use an adblocker on your computer, you may see most of them blocked, but not on your phone. The phone just runs almost everything if the default browser is used.
And here, only 150 common services are tested, or 150 possible ways for spies to catch and track you online. Your Advertising ID can now probably reveal more about you than your government-issued ID, and ad networks are being used to target and deliver spyware. No wonder intelligence agencies around the world exploit those networks to hack devices and monitor the activities of their targets.
This was shown by Amnesty International in 2021. A recent Haaretz investigation revealed that Israeli cyber companies developed technology that has been sold to a non-democratic country. Zero-click exploits delivered via ad services leave victims clueless.
But could you actually do something to protect against Pegasus, Insanet’s Sherlock, or other cutting-edge spying technologies?
Could a 50-buck Raspberry Pi with Pi-Hole installed defeat multi-million purchases by intelligence agencies? Well, it could be a part of the solution, but it’s not a silver bullet.
The experiment: it is easy to set up, harder to maintain and tinker
I had a Raspberry Pi 4 2GB version lying around unused for a few years from previous experiments. It had even started to rust. Such microcomputers start around $50, but you also need a memory card (microSD), power adapter, case, and sometimes, a cooler.
Setting up a Pi-Hole is easier than I expected, but it still requires some tech knowledge for installing an OS, using the command line to deploy the software, and configuring the router.
I followed lengthy guides online and won’t repeat them here. Crosstalk Solutions made a really detailed one; also check the official documentation.
The operating system installation to microSD was seamless and only took a few minutes. I hooked up a monitor, keyboard, and mouse for booting, but it is possible to connect from other devices via SSH (Secure Shell, cryptographic network protocol) to set it up remotely.
In the terminal, the Pi-Hole install was also just a few copy-pasted commands and then pressing “OK,” “Continue,” or choosing some parameters.
I had more trouble setting up a static IP and then linking DNS queries to it in my router, as it did not like the DNS address in the same IP address range as a home network. But that was my error in internet settings and in setting up DHCP, a protocol that assigns downstream network settings to my home devices.
You want to set really strong passwords for both the Raspberry Pi’s OS and Pi-Hole; otherwise, it could itself become a vulnerability in your network.
Basically: install the OS, install the Pi-Hole software, set its IP as the DNS server in your router and devices, and it's running.
Use the same IP and “/admin” in the browser to log into your new filtering device to set up the filters.
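To confirm that a device really sends its queries to the Pi-Hole and that blocking works, here is an added Python script (not from the original article or from the Pi-Hole project). It builds a raw DNS query, sends it to the Pi-Hole's IP on port 53, and reports whether the answer is the 0.0.0.0 sinkhole that Pi-Hole's default blocking mode returns for a listed domain. The Pi-Hole IP and the domain you test are arguments you supply (use a name you know is on one of your lists); the sample reply used for the offline run is constructed for this example.

```python
"""Check that DNS queries reach the Pi-hole and that a listed name comes back
sinkholed. Added example, not Pi-hole's own code; raw DNS over UDP, Python 3."""
import socket
import struct
import sys
from typing import List, Optional, Tuple

# Pi-hole's default "NULL" blocking mode answers blocked names with these.
SINKHOLES = {"0.0.0.0", "::"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query for qname in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Return (rcode, [(name, rtype, rdata)]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return flags & 0x000F, answers


def classify(msg: bytes) -> str:
    """Say what the resolver did with the name."""
    rcode, answers = parse_response(msg)
    if rcode == 3:
        return "nxdomain"      # Pi-hole's NXDOMAIN mode, or a genuinely unknown name
    if rcode != 0:
        return f"error rcode={rcode}"
    if not answers:
        return "nodata"
    if all(rt in ("A", "AAAA") and rd in SINKHOLES for _, rt, rd in answers):
        return "sinkholed"     # blocked by the Pi-hole
    return "resolved"          # forwarded upstream and answered normally


def check_live(resolver_ip: str, qname: str, timeout: float = 2.0) -> str:
    """Send the query to the Pi-hole (or any resolver) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


def sample_response(qname: str, address: Optional[str] = "0.0.0.0", rcode: int = 0) -> bytes:
    """Constructed reply for offline use. The default mimics a NULL-mode Pi-hole:
    one A record of 0.0.0.0 with TTL 2. address=None gives an empty answer section."""
    q = build_query(qname)
    ancount = 0 if address is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)  # QR RD RA
    body = q[12:]
    if address is not None:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4)
        body += socket.inet_pton(socket.AF_INET, address)
    return header + body


if __name__ == "__main__":
    # usage: python check_pihole.py <pihole-ip> <domain-on-your-list>
    print("offline sample:", classify(sample_response("yellowwildtiger.com")))
    if len(sys.argv) == 3:
        print(f"{sys.argv[1]} -> {sys.argv[2]}: {check_live(sys.argv[1], sys.argv[2])}")
```

Run it once on the wired machine and once from a phone on Wi-Fi (any device with Python, or port the idea to a DNS tool of your choice): if the live answer is "resolved" for a domain you know is listed, the device is bypassing the Pi-Hole, typically because the router still hands out its own or the ISP's resolver via DHCP.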
My main fear – that the microcomputer would bottleneck my network – was completely unjustified. The old Raspberry Pi had more than enough for this task. It wasn’t even sweating, with plenty of RAM and CPU resources left.
One observation is that Pi-Hole’s interface looks really great, and I even found it useful for monitoring, to track which device does what in my network. Even at night, there’s plenty of activity going on under the hood.
The ultimate blocklist does not exist
What do yellowwildtiger.com, yummyfoodallover.com, whereismyhand.com, and mysuperheadphones.co have in common? These and many more domains were used for zero-day exploits or other payload deliveries. This wide network was discovered by Amnesty International’s Security Lab. You would miss nothing by blocking such sites.
Pi-Hole relies on third-party lists for ad blocking, dubbed Adlists. Adlists basically contain many domains. You could even enter a legitimate website that you wish to block.
One small list is included in Pi-Hole “out of the box”; however, you are then left on your own to include what you want to filter out.
The online community has come up with many lists. There is even a “Pegasus Blocklist” based on Amnesty’s research.
However, adversaries usually create new domains for attacks. Therefore, old lists won’t protect you against future versions of Pegasus or other spyware.
I found a really great block list collection at firebog.net. Here, lists are categorized, updated, and maintained. You could even upload them all to your Pi-Hole, block millions of domains, and keep them updated.
I included about a dozen lists, a few from each category, and my experimental Pi-Hole was filtering almost a million domains that could be used to serve me ads or malware, or to steal passwords or personal data.
But there’s a cost. Some websites may not like that you limit their abilities for ad serving, so they may ask to “turn off ad blockers.” More is not necessarily better, as it may also include an increasing number of legitimate sites.
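The following is an added Python model (not Pi-Hole's own code) of how adlists turn into a blocking decision: it parses lists in the two formats community lists commonly use (hosts-file style and plain domain lists), merges and deduplicates them, and then answers each query with the 0.0.0.0 sinkhole or lets it through. It also shows the two knobs the previous paragraphs call for: a regex rule that covers a domain together with all its subdomains, and an allowlist that overrides an over-broad list for a site you rely on. The sample lists are constructed for this example; the first four domains are the ones quoted above from Amnesty International's research, the `.invalid` names are invented.

```python
"""Model of Pi-hole-style gravity blocking: combine adlists, then decide per
query whether to sinkhole it (0.0.0.0, Pi-hole's default NULL blocking mode)
or forward it upstream. Added example, not Pi-hole's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample adlists. The first four domains are those the article
# quotes from Amnesty International's research; the rest are invented.
ADLIST_HOSTS = """\
# hosts-format list: sinkhole address, then one or more domains
0.0.0.0 yellowwildtiger.com
0.0.0.0 yummyfoodallover.com
127.0.0.1 whereismyhand.com
0.0.0.0 ads.example-tracker.invalid   # inline comment
0.0.0.0 Yellowwildtiger.com           # duplicate, differs only in case
127.0.0.1 localhost
"""
ADLIST_DOMAINS = """\
# plain-domain list
mysuperheadphones.co
cdn.legit-shop.invalid
"""

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_adlist(text: str) -> set[str]:
    """Return the normalised (lowercase, no trailing dot) domains in a list."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        # hosts format: address followed by names; otherwise a bare domain
        names = tokens[1:] if tokens[0] in SINKHOLE_ADDRS else tokens[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:       # never block loopback names
                domains.add(name)
    return domains


@dataclass
class Gravity:
    """Simplified Pi-hole precedence: allowlist wins, then exact list match,
    then regex rules. List (gravity) entries match exact domains only."""
    blocked: set[str] = field(default_factory=set)
    regex_block: list[re.Pattern[str]] = field(default_factory=list)
    allowed: set[str] = field(default_factory=set)
    sinkhole: str = "0.0.0.0"

    def add_adlist(self, text: str) -> int:
        """Merge a list; return how many new domains it contributed."""
        before = len(self.blocked)
        self.blocked |= parse_adlist(text)
        return len(self.blocked) - before

    def add_regex(self, pattern: str) -> None:
        self.regex_block.append(re.compile(pattern))

    def decide(self, qname: str) -> Optional[str]:
        """Sinkhole address if blocked, else None (forward upstream)."""
        name = qname.lower().rstrip(".")
        if name in self.allowed:
            return None
        if name in self.blocked:
            return self.sinkhole
        if any(p.search(name) for p in self.regex_block):
            return self.sinkhole
        return None


def build_demo() -> Gravity:
    g = Gravity()
    g.add_adlist(ADLIST_HOSTS)      # 4 unique domains after dedup and localhost skip
    g.add_adlist(ADLIST_DOMAINS)    # +2
    # Pi-hole regex syntax for "this domain and every subdomain of it".
    g.add_regex(r"(\.|^)example-tracker\.invalid$")
    # An over-broad list caught a site we rely on: the allowlist overrides it.
    g.allowed.add("cdn.legit-shop.invalid")
    return g


if __name__ == "__main__":
    g = build_demo()
    for q in ["yellowwildtiger.com", "WhereIsMyHand.com.", "sub.yellowwildtiger.com",
              "pixel.example-tracker.invalid", "cdn.legit-shop.invalid", "example.org"]:
        print(f"{q:32} -> {g.decide(q) or 'forward upstream'}")
```

Two things the run makes visible: a list entry blocks exactly that domain, so `sub.yellowwildtiger.com` still gets through unless you add a regex rule, and the allowlist is what keeps a million-domain list from silently breaking a shop or bank you use.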
Also, once you leave your home, your phone connects to cellular networks, and your protection is gone – you have to rely on public DNS again and get all those lovely ads back. You have the option to expose your Pi-Hole to the whole internet and use it remotely, but then hackers may also find your little DNS solution useful.
And even then, Pi-Hole is not a complete solution. Putting all your faith in DNS filtering for security is like trying to stop a flood with a single sandbag.
You need to do more to protect against Pegasus
Even after all the setup, including numerous ad filter lists, the final result yielded less filtering than with a simple ad blocker. This is because browser-level filtering allows for a deeper level of exclusion, including various scripts.
But the tool is useful because you don’t have adblockers for your TV and smart fridge.
Now, even if you don’t load many potentially malicious domains, you still have to think about every other aspect of your digital life.
While a Pi-Hole can help to limit tracking capabilities, it’s not designed as a tool to target or block third-party cookies. You have to deal with them separately.
Protect your identity using a VPN. Every aspect of cyber hygiene should be maintained, such as strong passwords and MFA, updates, encryption, firewalls and antiviruses, and secure communication channels. You should also be cautious with suspicious links, emails, or messages, and avoid using public Wi-Fi, chargers, or other devices.
The list goes on with a secure browser, avoiding sharing sensitive information online, such as travel plans or personal details on social media.
And even then, you aren’t invulnerable, as new vulnerabilities are introduced every day, and you’re against threat actors that invest substantial resources.
Cybernews researchers’ take: each script counts – ads are an important attack vector
I asked the Cybernews research team for their insights on Pi-Hole.
“Using ad networks for malicious campaigns is not anything new. We’ve seen ad networks used for phishing, and downloading trojanized versions of legitimate software. It’s an attack vector that victims might not expect. Some services even force you to interact with ads before granting access to the service. Thereby, the potential attack surface encompasses almost every website or app that employs similar advertising practices,” the researchers said.
While useful for network-wide filtering, they also suggest combining Pi-Hole with ad-blocking add-ons or specialized software.
“When we’re talking about Pegasus, we need to understand that it’s often used by governments, which already have lawful interception methods at their disposal. It’s nearly impossible to prevent being spied on using these techniques. The best way to avoid being spied on via the phone would be to not carry it into sensitive events or use a faraday cage when the phone is not being used,” Cybernews researchers warned.
A malicious actor can easily come up with new domains that aren't on any list if they want to target you specifically.
What do researchers use themselves?
“We mostly use ad-blocking extensions, hardened browsers, caution when opening messages or links, activity segmentation (some actions or services are restricted to a specific device, meaning you never use that service on your phone, when you need to access that service, you go pick up the device you always use to access that service). VPNs that have adblocking features can help, but are not guaranteed to prevent spyware from getting in another way,” their comment reads.
The need is real
One could only wish that DNS filtering would come as a default option with our devices. However, this isn’t possible due to potential legal and regulatory concerns – it also could work as a tool for censorship.
What I’d really like to see as a Pi-Hole alternative would be a reputable NGO, or even a for-profit organization, maintaining a “nuke it all” DNS filtering server. Then the setup could be as easy as entering a few IP addresses to your phone and router to cover your home network.
I could really use a DNS server that doesn’t keep any records, is secure, and maintains filters for ads, trackers, malware, and third-party domains. Has anyone already done that? Share with me and others in the comments.
Comments
It’s like running pihole in the cloud; it provides off-net protection for smartphones and is much easier to set up for non-techies.