Targeted, Persistent Spyware called Pegasus
A powerful mobile cyber espionage tool has just been identified and caught in the real world, outside of movies and security firm labs. And while we are dispelling myths, note that this exploit operates on Apple’s iOS, the “more secure” mobile operating system.
For a more detailed discussion, register for the live webinar on the Pegasus Spyware.
Your smartphone is the best surveillance and infiltration tool ever created. Smartphones have microphones, cameras and GPS, are used for every kind of communication, both personal and official, and are always on and always connected. A cybercriminal who can gain deep enough control of your phone can spy on you in every way 24/7, exposing you and any company or organization you are affiliated with to extortion or worse – at least in theory.
Today, again, we move from theory to reality. Foreign governments are really using smartphones to spy on high-profile individuals right now, using a product called Pegasus from the cyber offensive company NSO out of Israel. As with any weapon, there will inevitably be a debate about whether there should be greater regulation of such cyber warfare tools. But right now, people need to know how to protect themselves from it.
The short answer is that anyone with an Apple mobile device should immediately upgrade to iOS version 9.3.5, just released by Apple to address this threat. The longer answer is that there will be more tools like Pegasus, but there are things you can do to protect yourself.
What is Pegasus and how does it work?
First, let’s understand how Pegasus works and what it does. Pegasus exploits a combination of three vulnerabilities, referred to as Trident, that together provide persistent and unlimited access to all activity on the device. Code analysis indicates the original version was written for iOS 7, so this has been around for a couple of years. The first vulnerability gives the attacker low-level privileges, but requires the next two to gain Kernel access. The second vulnerability leaks information about Kernel configuration that makes it possible to inject malicious code into a specific location. The third vulnerability enables the attacker to gain persistent Kernel access. This can all be accomplished without the victim knowing the device is compromised.
Here is how the hack works:
- The user is sent a phishing URL by text, email or social media.
- The user clicks the link, loading it in Safari.
- The loaded page contains code to exploit a WebKit vulnerability (CVE-2016-4657), causing Safari to execute the attacker's code.
- The attacker now has access to low-level privileges through the Safari process.
- iOS uses a technology called kASLR (kernel address space layout randomization), which places Kernel code at random addresses to make exploits harder. CVE-2016-4655 is a vulnerability that leaks pointers from the Kernel, allowing the attacker to bypass kASLR protections.
- The last vulnerability (CVE-2016-4656) allows the attacker to escalate their privileges to Kernel level and cause the spyware to be persistent on the device.
This means that all it takes is clicking on a link and the device is owned by the attacker without the victim being aware anything at all has happened. The attacker may now monitor every activity, location and all communications on the compromised device.
This exploit could also be accomplished through a Man-in-the-Middle or Captive network attack, where the attacker is using content manipulation and the victim does not even need to click on a link.
How to protect yourself from Pegasus and other similar threats
There is no sure way to avoid all threats, but there are things you can do to minimize your risk:
- Always be sure your device is running the latest version of iOS. For Pegasus, please upgrade to iOS 9.3.5.
- Never click on a link unless you trust the person who sent it and you know where the URL leads.
- Use a Mobile Threat Defense solution on all mobile devices – for protection and visibility of risks.
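The first item above is the one check an organization can automate: find every device still running an iOS build older than 9.3.5. The script below is an added example (not Skycure's code) that flags such devices in a constructed MDM inventory; it parses versions numerically, because a plain string comparison ranks "10.0" below "9.3.5" and would wrongly mark every iOS 10 device as vulnerable.

```python
"""Fleet check for the Trident patch level (iOS 9.3.5).

Assumes a device inventory exported from an MDM as a list of dicts with
'name' and 'os_version' keys; the sample inventory below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# First iOS release carrying the fixes for CVE-2016-4655, CVE-2016-4656
# and CVE-2016-4657 (the three Trident vulnerabilities).
TRIDENT_PATCHED_VERSION = "9.3.5"


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '9.3.5' into (9, 3, 5) so versions compare numerically.

    Returns None for strings that are not dotted integers, so callers can
    fail closed instead of crashing on a malformed inventory record.
    """
    try:
        parts = [int(p) for p in version.strip().split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 3:
        return None
    # Pad so that '9.3' and '9.3.0' compare equal.
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_patched(version: str, minimum: str = TRIDENT_PATCHED_VERSION) -> bool:
    """True only if the version parses and is at least the patched release."""
    parsed = parse_version(version)
    if parsed is None:
        return False  # unknown version: treat as unpatched
    return parsed >= parse_version(minimum)


def unpatched_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of devices still running an iOS build without the Trident fixes."""
    return [d["name"] for d in inventory if not is_patched(d["os_version"])]


# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = [
    {"name": "exec-iphone", "os_version": "9.3.4"},
    {"name": "finance-ipad", "os_version": "9.3.5"},
    {"name": "lab-iphone", "os_version": "10.0"},
    {"name": "old-iphone", "os_version": "9.3"},
    {"name": "bad-record", "os_version": "unknown"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: update to iOS {TRIDENT_PATCHED_VERSION} or later")
```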
Skycure Mobile Threat Defense notifies its users of the availability of security updates the moment they are available, even if the notice from Apple will come days later. In the case of iOS 9.3.5, which patches the Trident vulnerabilities, Skycure users were notified to update before Apple issued an alert.
Visibility of risks is critically important to keeping your mobile devices safe. Although no security solution currently can prevent a successful Pegasus infection, Skycure will prevent the infection from doing harm by detecting the impact of such exploits in real-time, such as jailbreaking of the device and patching existing legitimate apps. In fact – and this is the most important thing of all – Skycure is the only solution that protected devices from the effects of Pegasus and the Trident vulnerabilities even before they were disclosed. Furthermore, Skycure will continue to protect devices and organizations from the harmful impact of Pegasus and the NEXT undisclosed threat, without the need to make any changes to the solution.
Learn more about Pegasus and protecting your organization from spyware by attending Skycure’s Pegasus webinar
Has your organization been infected by Pegasus? Get a free assessment today.