Dangerous, targeted iPhone attack nullified by Apple with iOS 9.3.5 patch
More details have emerged about the need for the iOS 9.3.5 patch, which looks to have terminated a trio of exploits capable of a remote jailbreak and mass exfiltration of data from a target's iPhone, including device and account passwords.
A chain of events that started with a targeted attack on an activist's phone has led to the discovery of the assault package, delivered through a link embedded in an SMS message. According to Motherboard, unwary recipients who clicked on the link would be subject to a silent, three-pronged attack that would result in every contact and all of the target's communication data being pilfered by the attackers.
The company blamed for the spyware and iOS malware delivery vector appears to be Israeli company NSO. The package, named "Pegasus", was solely crafted to infect an iPhone and exfiltrate all of the target's communications to a remote monitor.
The target of the attack was suspicious, and forwarded the information to digital rights monitor Citizen Lab, as well as mobile security company Lookout.
"It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls," said Lookout's Vice President of Research Mike Murray. "It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram--you name it."
The malware performs multiple tasks remotely with a single click. After the target clicks on the link with the "Pegasus" package, the iPhone is jailbroken, and the monitoring and data theft suites are installed.
Three zero-day vulnerabilities were discovered as a result of the misfired attack. The first is a vulnerability in Safari WebKit that allows the attacker to compromise the device if a user clicks on a link.
The WebKit flaw, coupled with a kernel information leak and a kernel memory corruption issue that could lead to a jailbreak, allowed the entire attack method to be implemented against the discoverer and one additional activist in Mexico.
Lookout claims that the payload delivered by "Pegasus" allows the attackers to access passwords, messages, calls, emails, and logs from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, amongst others.
Leaked NSO materials demonstrate what material can be stolen from a compromised phone.
Besides just stealing stored data, the malware also constantly updates GPS information and sends it to the command and control server, loads the iOS Keychain and dumps all the victim's data, steals credentials for every Wi-Fi network the user has connected to, grabs stored Apple router passwords, intercepts phone calls in real time, and intercepts WhatsApp messages and calls in unencrypted form.
A compromised phone can also be used as a remotely actuated audio and video recorder.
The overall "Pegasus" package is not iOS exclusive, and can exploit flaws in Android and BlackBerry as well. It appears that the attacker must have some knowledge of the platform that the targeted user utilizes to aim the attack, and must develop a server-side payload delivery and data receptacle suitable to the device.
Based on some indicators in the code, the spyware's iOS variant is capable of infecting users on iOS 7 or above. Successive updates to the devices afflicted by the malware appear to have no effect on existing malware installations.
Citizen Lab and Lookout informed Apple of the vulnerabilities on August 15. Today's iOS 9.3.5 patch blocks the attack. Despite the severity of the attack, Lookout believes the vast majority of users will not be impacted by Pegasus at all given the "sophisticated, targeted nature" of the attack.
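The only mitigation the article names is the iOS 9.3.5 update, so the practical check for an administrator is whether every managed device is at or above that release. The following is an added example, not code from the article, Apple, Lookout or Citizen Lab; it assumes a device inventory of id-to-version strings (the `SAMPLE_INVENTORY` values are constructed, and "9.10" is a hypothetical version included only to show numeric ordering). Its point is the comparison itself: version strings must be compared component by component as integers, because a plain string comparison ranks "9.10" below "9.3.5" and would wrongly flag a newer device as exposed.

```python
# Added example (not from the article): decide whether an iOS device is at
# or above the release that the article says blocks the Pegasus chain.
from typing import Dict, List, Tuple

FIXED_VERSION = "9.3.5"  # release named in the article as blocking the attack


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5).

    Trailing zero components are dropped so that '9.3' and '9.3.0'
    compare equal; non-numeric components are rejected rather than
    silently treated as zero.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"not a numeric version component: {piece!r}")
        parts.append(int(piece))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(device_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the device runs the fix release or anything newer.

    Tuple comparison is numeric per component, so '9.10' ranks above
    '9.3.5'; a plain string comparison would rank it below.
    """
    return parse_version(device_version) >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the ids of devices still below the fix release, oldest first."""
    exposed = [(dev, ver) for dev, ver in inventory.items() if not is_patched(ver)]
    exposed.sort(key=lambda item: parse_version(item[1]))
    return [dev for dev, _ in exposed]


# Constructed sample inventory; these are not real device records.
SAMPLE_INVENTORY: Dict[str, str] = {
    "dev-a": "9.3.5",
    "dev-b": "9.3.4",
    "dev-c": "10.0",
    "dev-d": "8.4.1",
    "dev-e": "9.10",  # hypothetical version, present to show numeric ordering
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['dev-d', 'dev-b']
```

A passing check only means the device can no longer be exploited by this chain; the article notes that later updates appear to leave an existing Pegasus installation in place, so a device that was below 9.3.5 when it received a suspicious link still needs separate investigation even after it updates.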
"Dissidents, activists -- these are kind of the people on the front-lines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine," Citizen Lab researcher Bill Marczak said. "The threats that they are facing today are threats that perhaps ordinary users will face tomorrow."
Comments
It didn't take two more steps and compromise all your passwords and data on the phone at the same time.
It worked by exploiting flaws down to the kernel, right? And it could have been used by the creator for nefarious purposes if they had chosen that route, like sending it as an SMS for someone to open, right? And the Cydia store that was installed had an installation that would fix the PDF exploit, to protect that user from any nefarious access with their exploit, right? So if you could access iOS 1.x–4.x, well before the device was encrypted, why are you suggesting it was impossible for JailbreakMe to steal data?
"It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls," said Lookout's Vice President of Research Mike Murray. "It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram--you name it."
Secure Enclave or not, it's intercepting phone calls, texts, emails, contacts, FaceTime calls, and information from a multitude of apps. How on earth did Apple not find something like this? I understand that there's no such thing as a secure system and that every OS can be hacked, but to have all of that damage done without the user knowing about it from clicking on a link that may have been sent from a trusted friend, is a bit too much for me.
Yes, I've installed that patch, but I'm not at all pleased that Apple could allow everything to be so vulnerable that a single damn link could compromise everything. I've been with Apple since System 7, and I'll remain with them for the long haul. That said, I expected more of them and am extremely disappointed that exploits like this are even allowed. But hey, they patched it. Never mind what other exploits are out there that we're also not protected against.
EDIT: Never mind. This particular attack targets iOS only according to Lookout. But NSO is advertising they have other exploits available to government agencies that target Android and Blackberry, though Lookout says their app users are protected from these exploits anyway.
Number two. The break-in still required that the user intentionally click on the link, which exploited three zero-day weaknesses in the software.
Number three. Both of the targets were intended high-profile victims. Both were suspicious and neither clicked on the links. The Mexican journalist noted that whoever was sending him the links was getting ever more desperate, but he never took the bait or clicked the links. The human rights activist from the UAE was also suspicious and brought the link to the attention of Citizen Lab, who then researched the link and worked out the exploit. It was brought to Apple's attention and the patch was available in days.
The link is here:
http://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group
This was not a hack that was ever meant to go public or into the "wild". It was meant to be clandestine and feed the info to the agency/agencies who paid NSO to do this.
The exploits have been patched and the company will have to start all over. They may find other exploits. But the more ominous question is what are they doing on the Android platform?
"It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry."
Samsung:
LG also:
https://www.wired.com/2015/08/google-samsung-lg-roll-regular-android-security-updates/
All phone manufacturers should cease allowing carriers any say in OS content or upgrades. They should all offer security patches directly, and customers should not have to wait for networks to get around to it, or not.
Unlocked non-contract phones have long been popular in Europe. I have never bought a locked phone. Unlocked phones can get OS upgrades directly from the manufacturer as soon as they are offered.