How does Pegasus work to infiltrate chats?
marcos-morar43:
That’s why E2EE doesn’t protect against a fully compromised device.
Exactly. E2EE only stops the mass surveillance that is exploiting servers and observing communications there. E2EE doesn’t help if your device is hacked or backdoored. Whether or not that constitutes mass surveillance depends on how easy attacking endpoints is to automate.
There are a few things that you can do. First, some messengers like Signal offer break-in key recovery, where you need continuous presence on the endpoint, or a continuous MITM attack with exfiltrated identity keys. Anything less than that and the double ratchet recovers and locks the attacker out.
You can also avoid becoming a target by hiding metadata about who you talk to. Cwtch is your best bet for that: Always routed through Tor, and you get excellent granular control over the Onion Service addresses you expose to your contacts, meaning you get to control what kind of social graph your accounts create. An attacker can’t go to talk to your friend and ask if this Cwtch address belongs to you, if you’re giving everyone a different Cwtch address.
After that it gets into endpoint security. The tldr of options you have is:
Use reduced TCB like Yubikey to store your encryption keys. This doesn’t protect against a hacker reading plaintexts from the endpoint though.
Use airgapped TCB, i.e. PGP with airgap. Hak5 has a fun video on this: https://www.youtube.com/watch?v=D_xrlAGzQfs. You’ll lose forward secrecy, but the main problem of that is key compromise, and if the attacker is unable to inject malware into the QR codes, and unable to have the malware inject your keys into ciphertexts that you scan out, you’re safe. If the attacker can do that, you’re again SoL.
Use split airgapped TCB with unidirectional gateways. This just expands on the idea of airgapped TCB with two airgapped devices with split TCB, which prevents the attacker from either accessing the encrypting device, or if they can do that, from getting keys/plaintexts out from the decrypting device. You can do that with PGP and, for unidirectional data transfer, either an “endless” supply of thumb drives or, preferably, simple data diodes. For the latter there’s a better way. I’ve written TFC (GitHub: maqp/tfc, Tinfoil Chat - Onion-routed, endpoint secure messaging system), a chat system for this particular purpose.
The trade-off of adding endpoint security with isolation is your endpoint gets bulkier. Airgap takes two computers, TFC-like HW setups require three computers. The bigger issue this brings is portability and day-to-day use, and to a lesser extent, it looks more suspicious unless disassembled.
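A toy simulation of the break-in recovery described in the post above, added here as an example and not code from the poster, Signal, or TFC: a stripped-down double ratchet (a DH ratchet step on every message, no symmetric chains) over a constructed toy DH group with only the Python standard library. It shows that an attacker who copies Alice's state once can read the next message from Bob, but is locked out as soon as Alice performs a DH ratchet step with a private key the attacker never held.

```python
import hashlib, hmac, secrets

# Toy DH group (Mersenne prime 2^127-1, generator 3): constructed for this demo only.
P, G = 2**127 - 1, 3

def kdf(root, shared):  # DH ratchet step: root key advanced by a fresh DH output
    return hmac.new(root, shared.to_bytes(16, "big"), hashlib.sha256).digest()

def seal(mk, msg):      # XOR with a SHA-256 keystream (short messages) plus an HMAC tag
    ct = bytes(a ^ b for a, b in zip(msg, hashlib.sha256(mk + b"stream").digest()))
    return ct, hmac.new(mk, ct, hashlib.sha256).digest()

def open_(mk, ct, tag): # returns None when the key is wrong (tag check fails)
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(mk + b"stream").digest()))

class Party:
    def __init__(self, root):
        self.root, self.peer_pub = root, None
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
    def send(self, msg):
        # Fresh key pair per message: the new root needs this private key or the peer's.
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.root = kdf(self.root, pow(self.peer_pub, self.priv, P))
        return (self.pub, *seal(hashlib.sha256(self.root + b"msg").digest(), msg))
    def receive(self, pub, ct, tag):
        self.peer_pub = pub
        self.root = kdf(self.root, pow(pub, self.priv, P))
        return open_(hashlib.sha256(self.root + b"msg").digest(), ct, tag)
    def snapshot(self):  # the attacker's exfiltrated copy of the full ratchet state
        clone = Party.__new__(Party)
        clone.__dict__.update(self.__dict__)
        return clone

def simulate():
    root = secrets.token_bytes(32)
    alice, bob = Party(root), Party(root)
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub
    bob.receive(*alice.send(b"hello"))
    stolen = alice.snapshot()             # one-off break-in: Alice's state is copied
    m1 = bob.send(b"first after theft")
    attacker_sees = stolen.receive(*m1)   # stolen private key still matches: readable
    alice.receive(*m1)
    m2 = alice.send(b"reply")             # Alice ratchets with a key the thief never had
    bob_reads = bob.receive(*m2)
    locked_out = stolen.receive(*m2)      # stale copy cannot derive the new root: None
    return attacker_sees, bob_reads, locked_out
```

Continuous presence on Alice's device (re-copying the state after every ratchet step) is what an attacker would need to keep reading, which is the point the post makes.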