Apple has issued an urgent global iPhone software update after an attempted hack with sophisticated spyware.
So what happened?
We’ve all received that intriguing email or text message with a link to redeem a prize or to access information about a parcel delivery we weren’t expecting. Most “cybercrime-aware” people will chalk this up to another clumsy phishing attack and ignore it. But if you are Ahmed Mansoor, a UAE-based human rights lawyer, an SMS offering “new secrets” about detainees tortured in UAE jails is an immediate sign that someone is probably targeting you.
In his line of work, Mansoor has very good reason to be more cautious than most, so instead of clicking the link he alerted the security researchers at Citizen Lab, who investigated. The collaborative investigation found a chain of zero-day exploits (exploits for vulnerabilities not previously known to the vendor) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.
“We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based ‘cyber war’ company that sells Pegasus, a government-exclusive ‘lawful intercept’ spyware product,” Citizen Lab wrote in its report.
The researchers alerted Apple, which acted very quickly to release a patched version, iOS 9.3.5, now available through the normal software update mechanism.
Why is this attack so serious?
This is the first time we’ve seen an iPhone remote jailbreak used as part of a targeted attack campaign in the wild. The attack exploits three related zero-day vulnerabilities in iOS, dubbed “Trident”, to turn the victim’s iPhone into a spy gadget: it takes control of the microphone and camera for snooping, records calls, logs messages from mobile apps and tracks the user’s movements via GPS.
The Trident vulnerabilities appear to have been skilfully exploited and packaged up with the Pegasus software, making the combination a highly effective tool for targeted remote monitoring and data capture. The devices in our pockets are integral to our lives; we carry them everywhere and keep them within arm’s reach. The monitoring capability in Pegasus is unprecedented and worrying, but it doesn’t stop at surveillance. It appears to be able to dump passwords for your email and other services, as well as for Wi-Fi routers, meaning an attacker can go far beyond what’s on your phone: extracting data from cloud services and gaining access to protected Wi-Fi networks.
The Pegasus software appears to be a highly sophisticated, weaponized product developed by a fully commercial enterprise whose sole business is building and selling tools to target mobile phones.
A lucrative business
Zero-day flaws are traded among hackers, spy agencies and law enforcement networks looking to funnel information from devices. Because iPhone security is so tightly controlled, technically sophisticated exploits are usually required to remotely install and operate monitoring tools, so such exploits can be, and have been, sold for millions.
Pegasus is not cheap: with a price of $25,000 per target, it’s not made for the casual hacker or the fraud-minded adware developer. This level of sophistication is aimed at governments and corporate-espionage customers with deep pockets and a need for this level of intimate surveillance and interception.
With that in mind, most of us can sleep at night knowing that this particular attack is almost certainly not aimed at us. It’s difficult to imagine anyone wanting to pay $25,000 to listen to my ramblings about the price of tomatoes and the quality of TV!
It is, however, very interesting and chilling to realise that such commercial operations exist and that they are doing very well indeed.
What can we learn from this?
In this instance, Mansoor was clearly right to be worried about these text messages and we can be thankful he was diligent enough to take the attack to Citizen Lab.
He was smart enough to become suspicious but it’s unlikely he knew how sophisticated and targeted the attack was against him.
Many people may not think twice before clicking a link in a text message, out of curiosity or out of trust in their devices and the seemingly innocent SMS messages they receive. This news reinforces the thinking here at Wandera that it often takes only one tap for an attack to succeed.
While this particular attack is likely to be aimed only at high-profile individuals with more valuable information to steal, it still shines a light on the danger of all phishing attacks and on the fact that even a zero-day exploit typically starts with you.
Don’t trust everything that looks legitimate. If you’re not sure, don’t click on any links. And as always, keep your iOS updated with the latest version to protect yourself and your business against potential security exploits.
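As an added illustration of the last piece of advice, here is a small Python check that flags devices in a fleet still running a version older than iOS 9.3.5. This is example code added here, not code from the original post or from Wandera, Apple or Citizen Lab; the inventory records and their field names (`id`, `os_version`) are assumptions, and the sample inventory is constructed. The one real detail is the 9.3.5 version number that Apple shipped. The example also shows why versions must be compared numerically rather than as strings.

```python
"""Flag iOS devices that have not yet received the Trident fix (iOS 9.3.5).

Added example, not code from the original post. The inventory format below
is an assumption and the sample records are constructed, not real devices.
"""

# The release Apple shipped to close the Trident vulnerabilities (from the post).
PATCHED_VERSION = "9.3.5"


def parse_version(version: str) -> tuple:
    """Turn '9.3.5' into (9, 3, 5) so that versions compare numerically.

    A plain string comparison gets this wrong: '9.3.10' < '9.3.5' as strings,
    which would wrongly mark a newer device as unpatched. A trailing build
    identifier such as '9.3.5 (13G36)' is ignored, and missing components are
    padded with zeros so that '10' and '10.0' compare equal.
    """
    number_part = version.strip().split()[0]
    parts = [int(p) for p in number_part.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version: str, minimum: str = PATCHED_VERSION) -> bool:
    """True if the device runs the patched release or anything newer."""
    return parse_version(version) >= parse_version(minimum)


def unpatched_devices(inventory) -> list:
    """Return the IDs of devices still exposed, in inventory order.

    `inventory` is an iterable of dicts with 'id' and 'os_version' keys
    (an assumed format for this example).
    """
    return [d["id"] for d in inventory if not is_patched(d["os_version"])]


# Constructed sample inventory; the 9.3.10 entry is invented purely to
# demonstrate the string-comparison trap and is not a real release.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "os_version": "9.3.4"},
    {"id": "dev-002", "os_version": "9.3.5 (13G36)"},
    {"id": "dev-003", "os_version": "10.0"},
    {"id": "dev-004", "os_version": "9.3.10"},
    {"id": "dev-005", "os_version": "8.4.1"},
]

if __name__ == "__main__":
    for dev_id in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: below iOS {PATCHED_VERSION}, update required")
```

Run against the constructed inventory, the check reports `dev-001` and `dev-005` as still exposed; `dev-004` is correctly treated as newer than 9.3.5 even though a naive string comparison would rank it lower.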