Dangerous, targeted iPhone attack nullified by Apple with iOS 9.3.5 patch

Posted:
in iPhone edited August 2016
More details have emerged about the need for the iOS 9.3.5 patch, which looks to have terminated a trio of exploits capable of a remote jailbreak and mass exfiltration of data from a target's iPhone, including device and account passwords.




A chain of events that started with a targeted attack on an activist's phone has led to the discovery of the assault package, delivered through a link embedded in a SMS message. According to Motherboard, unwary recipients who clicked on the link would be subject to a silent, three-pronged attack that would result in every contact in all of the target's communication data pilfered by the attackers.

The company blamed for the spyware and iOS malware delivery vector appears to be Israeli company NSO. The package, named "Pegasus" was solely crafted to infect an iPhone and exfiltrate all of the target's communications to a remote monitor.

The target of the attack was suspicious, and forwarded the information to digital rights monitor Citizen Lab, as well as mobile security company Lookout.
"The threats that they are facing today are threats that perhaps ordinary users will face tomorrow."
"It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls," said Lookout's Vice President of Research Mike Murray. "It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram--you name it."

The malware performs multiple tasks remotely with a single click. After the target clicks on the link with the "Pegasus" package, the iPhone is jailbroken, and the monitoring and data theft suites are installed.

Three zero-day vulnerabilities were discovered as a result of the misfired attack. The first is a vulnerability in Safari WebKit that allows the attacker to compromise the device if a user clicks on a link.

The WebKit flaw, coupled with an information leak in the Kernel problem, and an issue where Kernel memory corruption could lead to a jailbreak allowed for the entire attack method to be implemented against the discoverer, and one additional activist in Mexico.

Lookout claims that the payload delivered by "Pegasus" allows the attackers to access passwords, messages, calls, emails, and logs from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, amongst others.

Leaked NSO materials demonstrate what material can be stolen from a compromised phone.
Leaked NSO materials demonstrate what material can be stolen from a compromised phone.


Besides just stealing stored data, the malware also constantly updates GPS information and sends it to the command and control server, loads the iOS Keychain and dumps all the victim's data, steals credentials from every wi-fi network the user has connected to, grabs stored Apple router passwords, intercepts phone calls in real-time, and intercepts WhatsApp messages and calls unencrypted.

A compromised phone can also be used as a remotely actuated audio and video recorder.

The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well. It appears that the attacker must have some knowledge of platform that the targeted user utilizes to aim the attack, and develop a server-side payload delivery and data receptacle suitable to the device.

Based on some indicators in the code, the spyware's iOS variant is capable of infecting users on iOS 7 or above. Successive updates to the devices afflicted by the malware appear to have no effect on existing malware installations.

Citizen Lab and Lookout informed Apple of the vulnerabilities on August 15. Today's iOS 9.3.5 patch blocks the attack. Despite the severity of the attack, Lookout believes the vast majority of users will not be impacted by Pegasus at all given the "sophisticated, targeted nature" of the attack.

"Dissidents, activists -- these are kind of the people on the front-lines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine," Citizen Lab researcher Bill Marczak said. "The threats that they are facing today are threats that perhaps ordinary users will face tomorrow."
«1

Comments

  • Reply 1 of 36
    SoliSoli Posts: 10,038member
    I'm reading this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing.

  • Reply 2 of 36
    Mike WuertheleMike Wuerthele Posts: 6,897administrator
    The JailbreakMe was just a jailbreak, and had to be executed willingly by the user, and wasn't silent.

    It didn't take two more steps and compromise all your passwords and data on the phone at the same time.
    anton zuykov
  • Reply 3 of 36
    Soli said:
    I'm reading this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing.

    Well, it's a bit different than me wanting to jailbreak my own device and going to what I think is a legitimate site to accomplish that. I'm partner to resulting crime if it's not a legitimate host to JailbreakMe, or if the app has been compromised. This is different in that people are not asking to have their device jailbroken at all.
  • Reply 4 of 36
    SoliSoli Posts: 10,038member
    The JailbreakMe was just a jailbreak, and had to be executed willingly by the user, and wasn't silent.
    I don't understand what point you're trying to make.

    It worked by exploiting flaws down to the kernel, right? And it could have been used by the creator for nefarious purposes if they had chosen that route, like sending it as an SMS for someone to open, right? And the Cydia store that was installed had an installation that would fix the PDF exploit, to protect that user from any nefarious access with their exploit, right? So if you could access iOS 1.x–4.x, well before the device was encrypted, why are you suggesting it was impossible for JailbreakMe to steal data?
  • Reply 5 of 36
    SoliSoli Posts: 10,038member
    Soli said:
    I'm reading this is the first time this sort of access has been done on an iPhone, but I recall JailbreakMe from 2011 allowing for a jailbreak by simply going to a webpage. What am I missing.

    Well, it's a bit different than me wanting to jailbreak my own device and going to what I think is a legitimate site to accomplish that. I'm partner to resulting crime if it's not a legitimate host to JailbreakMe, or if the app has been compromised. This is different in that people are not asking to have their device jailbroken at all.
    You're comparing the intent of the hacker which is irrelevant. I'm wondering what the technical difference that makes The Verge state, "It's the iPhone's first remote jailbreak exploit."
  • Reply 6 of 36
    lkrupplkrupp Posts: 10,557member
    Soli said:
    Well, it's a bit different than me wanting to jailbreak my own device and going to what I think is a legitimate site to accomplish that. I'm partner to resulting crime if it's not a legitimate host to JailbreakMe, or if the app has been compromised. This is different in that people are not asking to have their device jailbroken at all.
    You're comparing the intent of the hacker which is irrelevant. I'm wondering what the technical difference that makes The Verge state, "It's the iPhone's first remote jailbreak exploit.”
    We are going to see greatly differing opinions on this depending on the pro or anti Apple bias of the source. Right now I would take any discussion of this with a big grain of salt. No one has yet explained how the malware gets on your iPhone. Do you visit a website? Do you install the malware package thinking it’s a legit app? Do you open an email? I seriously doubt it just arrives by itself with no user action. 
  • Reply 7 of 36
    SoliSoli Posts: 10,038member
    lkrupp said:
    Soli said:
    You're comparing the intent of the hacker which is irrelevant. I'm wondering what the technical difference that makes The Verge state, "It's the iPhone's first remote jailbreak exploit.”
    We are going to see greatly differing opinions on this depending on the pro or anti Apple bias of the source. Right now I would take any discussion of this with a big grain of salt. No one has yet explained how the malware gets on your iPhone. Do you visit a website? Do you install the malware package thinking it’s a legit app? Do you open an email? I seriously doubt it just arrives by itself with no user action. 
    The article notes, "...delivered through a link embedded in a SMS message." Because it's a link, it could have been an email, injected into another website, sent via iMessage, or any other way in which you get a user to open a hyperlink.
    brian greenstanthemanmagman1979
  • Reply 8 of 36
    volcanvolcan Posts: 1,799member
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
  • Reply 9 of 36
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Apple does more than that.  They've got the Secure Enclave, uncrackable encryption and they've already released a patch to address the issue.  This is such a non-story when it comes to Apple that it's laughable.  The fact that this affects Android is the real story here as all those users are screwed.
    edited August 2016 kevin keelolliverwaverboyanton zuykovlostkiwi
  • Reply 10 of 36
    This quote alone bothered me:

    "It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls," said Lookout's Vice President of Research Mike Murray. "It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram--you name it."

    Secure Enclave or not, it's intercepting phone calls, texts, emails, contacts, FaceTime calls, and information from a multitude of apps.  How on earth did Apple not find something like this?  I understand that there's no such thing as a secure system and that every OS can be hacked, but to have all of that damage done without the user knowing about it from clicking on a link that may have been sent from a trusted friend, is a bit too much for me.  

    Yes, I've installed that patch, but I'm not at all pleased that Apple could allow everything to be so vulnerable that a single damn link could compromise everything.  I've been with Apple since System 7, and I'll remain with them for the long haul.  That said, I expected more of them and am extremely disappointed that exploits like this are even allowed.  But hey, they patched it.  Never mind what other exploits are out there that we're also not protected against.  
  • Reply 11 of 36
    SoliSoli Posts: 10,038member
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Sure, but that doesn't mean it's impossible to resolve a hash, resolve clear-text passwords (like from some poorly made 3rd-party app) to figure out your iCloud account password (for far too many people today), or intercept data (like with key logging) you think is being safely used.
    brian green
  • Reply 12 of 36
    gatorguygatorguy Posts: 24,387member
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Apple does more than that.  They've got the Secure Enclave, uncrackable encryption and they've already released a patch to address the issue.  This is such a non-story when it comes to Apple that it's laughable.  The fact that this affects Android is the real story here as all those users are screwed.
    Android users screwed? Hardly unless they would be likely targets of cyber-espionage. In addition Google will also probably patch for this too with their regular monthly security update. You are correct, it's pretty much a non-story. 

    EDIT: Never mind. This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    edited August 2016
  • Reply 13 of 36
    gatorguy said:
    This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    "The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well."
    magman1979lolliverredraider11
  • Reply 14 of 36
    Number one. This is a very sophisticated exploit by a company dedicated to the task of breaking into the OS and stealing information. This was not the work of an average hacker. This involved a substantial amount of money. 

    Number two. The break in still required that the user intentionally click on the link which exploited three zero day weaknesses in the software. 

    Number three. Both of the targets were intended high profile victims. Both were suspicious and neither clicked on the links. The Mexican journalist noted that whoever was sending him the links were getting ever more desperate but he never took the bait or clicked the links. The human rights activist from the UAE was also suspicious and brought the link to the attention of Citizen lab who then researched the link and worked out the exploit. It was brought to Apple's attention and the patch was available in days. 

    The link is here:

    http://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group

    This was not a hack that was ever meant to go public or into the "wild". It was meant to be clandestine and feed the info to the agency/agencies who paid NSO to do this. 

    The exploits have been patched and the company will have to start all over. They may find other exploits. But the more ominous question is what are they doing on the Android platform?

    magman1979lollivermacgui
  • Reply 15 of 36
    gatorguygatorguy Posts: 24,387member
    gatorguy said:
    This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    "The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well."
    Yeah I know what the AI article said. Read the actual report as it says something different I believe.  And no it does not mean Android or Blackberry are any safer from cyber-espionage. It's just that this particular Pegasus exploit requires the "trident" vulnerabilities specific to iOS and wouldn't work on those other two systems. The company supplying the malware has other exploits for sale that target those OS'es. Same company supplying the government's spyware, different sets of (expensive!) exploits. 
    edited August 2016
  • Reply 16 of 36
    gatorguy said:
    gatorguy said:
    This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    "The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well."
    Yeah I know what the AI article said. Read the actual report as it says something different I believe.  
    I don't believe it says something different.

    "It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry."
  • Reply 17 of 36
    Mike WuertheleMike Wuerthele Posts: 6,897administrator
    The iOS-specific implementation is called "Trident" owing to the three needed factors for execution.

    The overall cross-platform malware package is called "Pegasus." 
    badmonk
  • Reply 18 of 36
    jcs2305jcs2305 Posts: 1,338member
    gatorguy said:
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Apple does more than that.  They've got the Secure Enclave, uncrackable encryption and they've already released a patch to address the issue.  This is such a non-story when it comes to Apple that it's laughable.  The fact that this affects Android is the real story here as all those users are screwed.
    Android users screwed? Hardly unless they would be likely targets of cyber-espionage. In addition Google will also probably patch for this too with their regular monthly security update. You are correct, it's pretty much a non-story. 

    EDIT: Never mind. This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    Besides the Nexus line of pure Android phones what other Android OS phone has monthly security updates?  I am not trying to start an IOS vs Android thing, this is a legitimate question.
    lostkiwibadmonk
  • Reply 19 of 36
    cnocbuicnocbui Posts: 3,613member
    jcs2305 said:
    gatorguy said:
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Apple does more than that.  They've got the Secure Enclave, uncrackable encryption and they've already released a patch to address the issue.  This is such a non-story when it comes to Apple that it's laughable.  The fact that this affects Android is the real story here as all those users are screwed.
    Android users screwed? Hardly unless they would be likely targets of cyber-espionage. In addition Google will also probably patch for this too with their regular monthly security update. You are correct, it's pretty much a non-story. 

    EDIT: Never mind. This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    Besides the Nexus line of pure Android phones what other Android OS phone has monthly security updates?  I am not trying to start an IOS vs Android thing, this is a legitimate question.

    Samsung:
        Samsung will release monthly security updates on selected Samsung devices¹.
        Monthly security updates will include patches for Android OS related security issues released by Google, as well as, patches for Samsung-specific security issues.
        We encourage our users to keep their devices and apps up to date.

    Models for Monthly Updates¹:
        Galaxy S series (S7, S7 edge, S7 Active, S6 edge+, S6, S6 edge, S6 Active, S5, S5 Active)
        Galaxy Note series (Note 5, Note 4, Note edge)
        Galaxy A series (A5x)

    ¹ Models list may vary depending on regions and carriers.

      Samsung plans to expand the monthly updates to extended models in other regions and carriers in the near future.


    LG also:

    Big Android Makers Will Now Push Monthly Security Updates

    LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority,” an LG representative told WIRED today in an email.
    https://www.wired.com/2015/08/google-samsung-lg-roll-regular-android-security-updates/

    All phone manufacturers should cease with allowing carriers any say in OS content or upgrades.  They should all offer security patches directly and customers should not have to wait for networks to get arounf to it, or not.

    Unlocked non-contract phones have long been popular in Europe.  I have never bought a locked phone.  Unlocked phones can get OS upgrades directly from the manufacturer as soon as they are offered.
  • Reply 20 of 36
    gatorguygatorguy Posts: 24,387member
    jcs2305 said:
    gatorguy said:
    volcan said:
    I don't understand the part of stealing passwords. Aren't all passwords hashed these days?
    Apple does more than that.  They've got the Secure Enclave, uncrackable encryption and they've already released a patch to address the issue.  This is such a non-story when it comes to Apple that it's laughable.  The fact that this affects Android is the real story here as all those users are screwed.
    Android users screwed? Hardly unless they would be likely targets of cyber-espionage. In addition Google will also probably patch for this too with their regular monthly security update. You are correct, it's pretty much a non-story. 

    EDIT: Never mind. This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, tho Lookout says their app users are protected from these exploits anyway. 
    Besides the Nexus line of pure Android phones what other Android OS phone has monthly security updates?  I am not trying to start an IOS vs Android thing, this is a legitimate question.
    According to articles certain Samsung models, Blackberry,  some LG models, a couple smaller players.. there may be others but certainly not very many at this point. 
Sign In or Register to comment.