Is your iPhone Safe?
Everything you need to know about the Pegasus malware and how Apple responded.
Over the last few days Apple has pushed out updates to the release, developer preview, and public beta versions of iOS — that’s iOS 9.3.5, iOS 10 developer preview 7, and iOS 10 public beta 6. All of them, on every carrier, for every region, at the same time. It was to patch a just-discovered set of malware and spyware called Pegasus, made and sold for upwards of a million dollars by a company called the NSO Group to nation-states that wanted to surveil dissidents and journalists.
Imagine tapping a link in a text message on your iPhone, seeing nothing of interest, and putting the phone back in your pocket without a second thought. Yet from that moment someone could, in theory, have taken total control of your device, thanks to what has been called “the most powerful and sophisticated malware ever discovered in iOS”.
It’s not something most of us, our family, friends, and colleagues, ever need to worry about. But it’s something we should all stay informed about.
How does my phone get infected?
So far, researchers at Citizen Lab have analyzed only the mechanism used to take control of an iPhone 6, and from that code they were able to point the finger at an Israeli company. An attacker who wants control of the phone exploits a bug in Safari that, through a malicious link, executes code that reaches straight into the heart of iOS. There, two more bugs let the attacker strip away the system’s protections and install the spyware, which begins communicating with the attacker’s server. (Trident is the name the researchers gave to this three-bug exploit chain; Pegasus is the spyware it installs.) The spyware is also built to persist: according to the researchers it survives reboots and resists attempts to remove it by updating the device, so it keeps control of everything.
Okay, back up, what happened and why am I reading about this?
A human rights activist in the UAE received a suspicious text message on his iPhone, had it investigated, and as a result Apple pushed out an update to patch the three zero-day vulnerabilities it exploited in iOS.
From Citizen Lab:
Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.
Citizen Lab has not directly accused the Emirates of ordering the attack on Mansoor with Pegasus, but it has shown that earlier cyber attacks on activists opposed to the regime, and on journalists and public figures, have implicated the government. Mansoor himself is said to have been targeted in the past with software from Hacking Team and Gamma. As always, the problem is global: Citizen Lab found that the victims of this malware also include a Mexican journalist and a minority political party in Kenya, and that the domain names used by the Pegasus infrastructure appear to point to targets in Uzbekistan, Thailand, Saudi Arabia and Turkey.
So they basically did a remote jailbreak on iPhones?
Yes. If you remember back to the very early days of iOS, there was a brief time when you could jailbreak the original iPhone by tapping on a link that brought up a TIFF image in the mobile Safari browser. It’s nowhere near that easy any more, but when you’re dealing with millions of lines of code, and millions of dollars, bugs will happen and ways to exploit them will be found.
Here are the details on Pegasus from Lookout:
Lookout’s analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:
- CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
- CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
- CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
So, in this case, the attack tried to trick the receiver into clicking a link found in a message. Once it gained entry, it would escalate until it had enough control over the iPhone to begin eavesdropping on communications.
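Citizen Lab recognized Mansoor’s messages because the links pointed at infrastructure already tied to NSO Group. The following Python is an added example, not code from the article or from Citizen Lab or Lookout, of how a defender with a published list of exploit-infrastructure domains can triage incoming SMS bodies the same way. The indicator domains and the sample messages are constructed placeholders (the lure text is modelled on the “new secrets” message the article describes); they are not the real Pegasus domains or the real messages.

```python
import re
from urllib.parse import urlsplit

# Constructed, hypothetical indicator list standing in for a published IOC
# feed of exploit-infrastructure domains. NOT the real NSO/Pegasus domains.
KNOWN_EXPLOIT_DOMAINS = {
    "exploit-kit.example",
    "news-secrets.example",
}

# Matches http(s) URLs and bare host/path links as they appear in SMS text.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s]*)?",
    re.IGNORECASE,
)


def extract_hosts(text):
    """Return the lower-cased hostname of every link found in an SMS body."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url  # bare links need a scheme for urlsplit
        host = urlsplit(url).hostname  # drops scheme, port, path, userinfo
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def matches_indicator(host, indicators):
    """True if host equals an indicator or is a subdomain of one.

    Attackers rotate subdomains (sms., go., 1., ...) under the same
    registered domain, so a plain equality check would miss most lures.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def triage_sms(messages, indicators=KNOWN_EXPLOIT_DOMAINS):
    """Return (sender, host) pairs for messages whose links hit the IOC list."""
    hits = []
    for sender, body in messages:
        for host in extract_hosts(body):
            if matches_indicator(host, indicators):
                hits.append((sender, host))
    return hits


# Constructed sample messages (sender, body). Not real traffic.
SAMPLE_SMS = [
    ("+10000000001",
     "New secrets about detainees tortured in jails "
     "http://sms.News-Secrets.example/abc123"),
    ("+10000000002", "Your package is ready: https://delivery.example.org/track?id=9"),
    ("+10000000003", "see EXPLOIT-KIT.EXAMPLE:8080/x"),
    ("+10000000004", "hi, how are you"),
]

if __name__ == "__main__":
    for sender, host in triage_sms(SAMPLE_SMS):
        print(f"ALERT {sender}: link to {host} matches exploit infrastructure")
```

The two points worth copying are the normalization (case, port and path stripped before comparison, since the lure URLs vary all three) and the suffix match, which catches any subdomain of a listed registered domain rather than only the exact host seen in one campaign.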
Do I have to worry about this?
This attack was being used by nation states that could afford a million dollar price tag, and targeted at specific individuals including dissidents and journalists covering dissidents. If that doesn’t describe you, there’s very little to worry about.
That said, just like on computers, being safe means never clicking on links you get sent over messages or email unless you’re absolutely, 100% sure they’re safe. It’s the exact same way you avoid phishing attacks, attempts to con you out of your login or other private information, and the same advice that’s been given for decades.
It’s also always possible that someone else found the same vulnerabilities, or, now that they’re public, that someone else will try to exploit them. So it’s still important to update immediately.
But shouldn’t I always update?
Yup. Ignore the headlines and the hyperbole about this particular update and remember to download and install all updates. Apple is always issuing security improvements, bug fixes, and performance enhancements, so it’s best practice to make sure you’re always running the latest version.
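For anyone responsible for more than one device, “make sure you’re running the latest version” becomes a fleet check: is every device at or above iOS 9.3.5, the release the article names as carrying the fix? The Python below is an added example, not from the article or from Apple, of that check run over a constructed inventory. It assumes only that your MDM or asset list can give you each device’s iOS version string; it covers release builds only, since the iOS 10 developer preview and public beta builds the article mentions are identified by build number rather than by version string.

```python
import re

# Minimum release version carrying the Trident fixes, keyed by major version.
# 9.3.5 is the release the article names for the 9.x line.
PATCHED_MINIMUM = {9: (9, 3, 5)}


def parse_version(s):
    """'9.3.5' -> (9, 3, 5); '10.0' -> (10, 0, 0). Rejects anything else."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"not an iOS version string: {s!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_patched(version):
    """True if a release build at this version contains the Trident fix."""
    v = parse_version(version)
    minimum = PATCHED_MINIMUM.get(v[0])
    if minimum is None:
        # Older major lines (8.x and earlier) never received the fix;
        # release lines newer than the fixed one (10.0 and later) include it.
        return v[0] > max(PATCHED_MINIMUM)
    return v >= minimum  # tuple comparison, so 9.3.10 would sort above 9.3.5


def naive_is_patched(version):
    """The common mistake: comparing version strings lexicographically."""
    return version >= "9.3.5"


def unpatched_devices(inventory):
    """Return the names of devices whose iOS version is below the fixed release."""
    return [name for name, ver in inventory if not is_patched(ver)]


# Constructed sample inventory (device name, reported iOS version). Not real data.
SAMPLE_INVENTORY = [
    ("iphone-a", "9.3.5"),
    ("iphone-b", "9.3.4"),
    ("iphone-c", "10.0"),
    ("ipad-d", "9.2.1"),
    ("ipad-e", "8.4.1"),
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: needs update to iOS 9.3.5 or later")
```

The reason to parse into integer tuples rather than compare strings is the device on iOS 10.0: as a string, "10.0" sorts below "9.3.5" and a naive check would report a fully patched device as vulnerable, while a real 9.3.4 device sorts correctly only by luck.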
Are you sure I’m getting the update?
Absolutely! One of the biggest advantages that comes with owning an iPhone is that Apple has made sure the company can update every modern device, on every carrier, in every region, all at once.
What if I think I’m already infected?
If you think you might be a target for Pegasus, and might already be infected, you have a couple of options, including erasing your iPhone and restoring from a backup.
If you’re really worried about the state of your device security, though, your best option is to buy a new iPhone from a trusted supplier and either restore a backup to it or set it up as new, then sync back your contacts, email, and other personal information.
OK, I HAVE MORE QUESTIONS