Apple products have a reputation for security, especially compared with the systemic security flaws baked into the Android update system (or lack thereof). In the world of device security, however, no one is ever perfect, and the critical flaws that Apple patched today underscore that point.
The details on how these flaws came to light are quite interesting. On August 10, UAE human rights activist Ahmed Mansoor received a text message from an unknown number offering a link described as “New secrets about torture of Emiratis in state prisons,” according to Motherboard. Instead of clicking on the link, Mansoor got in touch with security professionals — and it’s a good thing he did. The files waiting at the end of the link Mansoor received were a sophisticated malware package that leveraged three previously unknown bugs in the iPhone. Further investigation by Citizen Lab and Lookout indicated that the software exploits were likely written by the Israeli surveillance company NSO Group, a secretive organization that charges huge amounts of money — $8 million for 300 software licenses.
This isn’t the kind of software you use for general Trojan or malware attacks — it’s a sophisticated method of targeting specific people for surveillance. “It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Lookout’s vice president of research, Mike Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”
1. CVE-2016-4655: Memory Corruption in WebKit – A vulnerability in Safari WebKit allows the attacker to compromise the device when the user clicks on a link.
2. CVE-2016-4656: Kernel Information Leak – A kernel base mapping vulnerability that leaks information to the attacker that allows him to calculate the kernel’s location in memory.
3. CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Pegasus proved capable of gathering data from “iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others.” In short, it completely broke the iPhone’s security model. Full details are available in a report from Lookout.
The Pegasus malware is exceptionally well-written and modular. It does not install suspicious software that the end user might notice — instead, once the phone is jailbroken, it introduces vulnerabilities that allow for spying functions into existing applications. It works on all iOS versions up to 9.3.4.
Pegasus even contains code that allows it to obfuscate messages delivered via SMS as two-factor authentication messages from Google, Facebook, and Evernote. Click on these messages, and Pegasus will update the command and control servers it attempts to authenticate to — and it can perform this function even if http and https connections aren’t available. The Pegasus malware also has the ability to self-destruct. If it believes it has been detected, it removes its own persistence mechanisms and file libraries.
This type of malware is often sold to authoritarian governments or three-letter agencies targeting specific people. It’s not the kind of thing you’d find on an ordinary password-stealing site or adware application. Apple has just released iOS 9.3.5 to plug these particular holes and we highly recommend you update your iPhone or iPad as soon as possible.