Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered three critical vulnerabilities in Apple’s iOS software that have been used to target human rights activists and journalists, including those from the New York Times.
Hacking Activists And Journalists
Ahmed Mansoor is an internationally recognized human rights activist and a “Martin Ennals Award Laureate,” which is sometimes called the “Nobel Prize for Human Rights.” He has been targeted for the third time by what is usually called “lawful intercept” spyware, which is malware purchased by governments to supposedly help them catch the “bad guys.”
Mansoor was first targeted with the tools of two infamous hacking groups that tend to sell their spyware to governments around the world, such as Gamma International (in 2011), and Hacking Team (in 2012).
More recently, Mansoor was targeted with spyware from the NSO group. This company has so far tried to stay under the radar, but it is otherwise well known to governments looking to purchase surveillance tools.
Mansoor received one strange text one day, from a number he didn’t know, which contained a link and the words “New secrets about torture of Emiratis in state prisons." Being a previous target of similar attacks, he sent the text and link to Citizen Lab and Lookout for analysis.
Upon reviewing the malware, Ronald Deibert, Citizen Lab Director, said:
“That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace," exclaimed Ronald Deibert, the Director of Citizen Lab.“This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real and escalating crisis of democracy and human rights,” he warned.
Citizen Lab found that NSO’s exploit infrastructure was also previously used against a Mexican journalist. The New York Times was recently hacked, and the attacker seemingly used NSO's spyware tools, as well:
“Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user,” wroteNicole Perlroth in the New York Times.
Pegasus And Trident
According to Lookout, the NSO’s “Pegasus” spyware, which is exclusively sold to governments as a “lawful intercept” tool, is the most sophisticated the company has ever seen deployed on an endpoint system. That’s because it can take advantage of how integrated mobile devices have become in our lives. They are always connected and have features such as voice communications, camera, email, messaging, GPS, passwords, and contact lists.
The Pegasus malware exploited three zero-day vulnerabilities in Apple’s iOS, which have been called “Trident:”
CVE-2016-4654: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Trident allows Pegasus to become, in essence, a one-click jailbreaking tool. The malware is first sent through a text message with a link. When the victim opens the link, it loads up the browser, and then it exploits the vulnerabilities in the Safari browser and the iOS kernel.
Apple has long refused to allow other JavaScript engines on iOS other than its own, fearing that they would allow for easier exploitation of the device. However, even Apple’s own browser doesn’t seem immune. Worse yet, at least one of the three main bugs seems to have existed in iOS since version 7.0, so NSO’s customers had quite a long window of opportunity to exploit them.
The Pegasus spyware installs silently on the device, without the victims realizing they’ve been compromised. Apple released an update today (iOS 9.3.5) that fixes the Trident flaws, but those who have been already compromised will remain vulnerable. The Pegasus spyware persists even after its exploits have been made obsolete by security patches. It can also update itself with new exploits that can take advantage of new zero-day vulnerabilities.
Depending on what governments or corporate customers want, Pegasus can be configured to access messages, calls, emails, and logs from apps such as Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango and others.
All iOS users are recommended to upgrade immediately to version 9.3.5 by going to Settings -> General -> Software Update on their devices.
