BlackHat EU: Undressing the Pegasus

News by Max Metzger

Three security researchers explained at this year's Black Hat how the Pegasus espionage software is used to surveil dissidents.

A crowd gathered at BlackHat Europe 2016 to witness a sound undressing of the Pegasus malware. Presented by security researchers Seth Hardy, Max Bazaliy and Andrew Blaich, the talk explained how Pegasus worked, often to spy on human rights activists and dissidents.

The malware was first discovered attempting to SMS-phish Ahmed Mansoor, a well-known human rights defender in the United Arab Emirates and critic of the less-than-democratic government there. Mansoor has been jailed before for supporting a pro-democracy petition. To boot, he is also regularly watched by UAE security services.

So it may not come as a surprise that someone tried to send him an SMS claiming to have information on people being tortured in Emirati jails. Loaded within that SMS was a link to Pegasus.

“One click on that link is all it takes for that phone to be completely compromised and your phone to be turned into a surveillance tool,” said Seth Hardy of Lookout as he presented his work. Typically, opening that link will open Safari on your phone, only for it to crash. After that, there will be no trace of Pegasus' passing: “the device is completely compromised with no evidence that any of it happened”.

This might be the first concrete sighting of Pegasus, but being targeted is old hat for Mansoor. He has been targeted by Gamma's FinFisher software as well as by Hacking Team, multiple times. “He gets a lot of this stuff,” said Hardy, “somebody is out there to get him and they're not afraid to throw lots of money at him.”

The group or individual targeting him has been called Stealth Falcon and has a long track record of targeting other critics of the Emirati government. In fact, 27 government critics, most of whom are directly connected to the UAE, have been targeted via Twitter using similar lures. Of those, six have been arrested or convicted in absentia.

Pegasus is made by the NSO Group, an Israel-based security company which has previously described its mission as assisting "authorised governments with technology that helps them combat terror and crime".

Hardy told SCMagazineUK.com that “companies like NSO have been selling indiscriminately - they say that they have a vetting process, the same argument that Hacking Team used but it ends up being used by governments with histories of brutal, awful, anti human rights (records).”

The malware itself is not particularly groundbreaking; it is simply high-quality espionage software. Pegasus jailbreaks the device using a chain of three iOS exploits, dubbed Trident by researchers.

There are, however, several points of note within the malware. First, it takes great pains to remain undetected on the device. To that end, it blocks iOS system updates and clears the mobile Safari history, leaving “no indication of where you went or what happened”, said Andrew Blaich, and it erases itself to scrub any trace that it was ever there.

In terms of surveillance, it can record from the phone's microphone or camera, much like other kinds of espionage malware. It collects SIM card and cell network information and gathers location data. It also harvests keychain passwords, so it can log any secure network the infected phone has joined.

On most iPhones, applications can spy on each other. What Pegasus does is jailbreak the phone in order to allow exactly that, in a process called application hooking. “There are few jailbreaks that have been made public out there,” said Blaich; the last one was JailbreakMe version 3 in 2011, but that was entirely voluntary on the part of the user. Pegasus jailbreaks the phone remotely and without the user ever knowing.

“Remote jailbreaks in the public are extremely rare”, added Blaich, “it was always believed they were out there in the private”.
