Three critical iOS zero-day vulnerabilities (collectively named Trident) can form an attack chain that subverts Apple's security to give complete control of an Apple device with just one click.
Ahmed Mansoor, a Dubai, UAE-based human rights activist, repeated on Radio 4 this morning how he received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails. The UAE government has previously taken Mansoor's passport away. In 2011, Citizen Lab research found that Mansoor was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. So when he received the unsolicited message he was suspicious and forwarded it to Citzen Lab, who, with Lookout, discovered the malware that would have been activated had he clicked on the link.
In this latest disclosure, uncovered by Citizen Lab and Lookout, the companies report that Trident is used by an organisation called NSO Group in its mobile spyware product, Pegasus, to attack high-value targets. NSO Group is an Israeli-based organisation founded in 2010 by Niv Carmi, Shalev Hulio, and Omri Lavie, to develop and sell mobile phone surveillance software to governments around the world. It was acquired by US private equity firm Francisco Partners in 2014 for US$110 million (£83 million) and is now reported to be worth about US$ 1 billion. The company says it only sells to official governments for lawful purposes.
Pegasus is highly sophisticated spyware that uses zero-days, obfuscation, encryption, and kernel-level exploitation - it has advanced quality assurance in its development and a self-destruct mechanism to help avoid detection - re-installing previous settings and files.
Lookout's analysis showed that the malware exploits the following zero-day iOS vulnerabilities:
· CVE-2016-4655: Information leak in AppleKeyStore - A kernel base mapping vulnerability that leaks information to the attacker that allows him to calculate the kernel's location in memory.
· CVE-2016-4656: Kernel Memory corruption leads to Jailbreak - 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Apple's security team has worked with the companies and fixed all three zero-days in its 9.3.5 patch, released today. Users are advised to update to the latest version of iOS immediately.
SCMagazineUK.com spoke Max Bazaliy, staff security engineer at Lookout who explained that when Mansoor forwarded the message to Citizen, it was suspicious and forwarded it to Lookout which opened the kernel and in the obfuscated Java script file, saw links to low level malware. They then continued to the next part of the exploit, isolating the device from its command and control server using a VPN so as not to be detected, and thus avoid triggering the self-destruct.
Bazaliy told SC: "Different encryption algorithms were used for each part of the exploit downloaded; it was most surprising, the high level of technical detail in the exploits - really good work. It required expert knowledge of how the IOS kernel works. They really didn't want to be caught. Others (zero-day users) don't remove all the names and strings that link back to the author, but here they tried to stay hidden as much as possible with obfuscation used to make it harder to reverse engineer." But by decrypting the traffic in an isolated state the researchers were abel to see what was being sent, each step of the way.
Bazaliy told SC that it was the first use of zero days for a remote jail-break, saying, "Jail-breaking usually requires a lot of user interaction, and this is why this is so dangerous - it provides full rights without the user knowing. It presents the device going into a deep sleep and so it is always working, even in sleep mode. And it prevented the next upgrade from Apple, blocking updates."
Pegasus utilises the combination of features available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customisation with spyware capabilities including accessing messages, calls, emails, logs, and other data from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others and can update itself to easily replace exploits if they become obsolete.
Lookout has issued an Executive Summary that provides an overview of the Trident vulnerabilities and NSO Group's spyware attacks as well as an in-depth technical report while a Citizen Lab's report details how attackers targeted human rights defenders.
In an email to SC, Guillaume Ross, senior security Consultant, Rapid7 commented: “What makes this specific type of attack particularly sophisticated is in the amount of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction. This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone, and then persists on to the device. Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.
“Detecting such an attack, for the user of an iOS device, would be extremely difficult after the fact. As seen in Citizen Lab's report, discovery of this attack occurred as Ahmed Mansoor forwarded the link meant to exploit his device.
“The issue was disclosed to Apple 10 days before the update was rolled out, according to Lookout, showing this vulnerability was treated as critical within Apple, who proceeded to the rapid deployment of the fix.
Ross also notes that WiOS 9.3.5 is already available, meaning the population of iOS users, using devices able to run iOS 9, are already able to obtain a fix, including devices as old as the iPhone 4s, released in 2011.
He adds that as iOS 10, with additional hardening, is to be released in the next few weeks, it is expected to achieve rapid adoption numbers. Between iOS 9.3.5, protecting devices now, and protecting a few models unable to obtain iOS 10 when it is released, and iOS 10, the overall amount of vulnerable devices should drop drastically in the next weeks and months.
Travis Smith, senior security research engineer at Tripwire agrees, telling SC in an email: "The typical iOS users will not differentiate between a major update and a security update. Unless there are reports of apps crashing or degradation of battery life, users will more than likely install the update.” He goes on to note how, “The fact that this particular exploit took advantage of three vulnerabilities to accomplish complete control shows how advanced and committed the authors are,'adding how', exploits eventually trickle down into less skilled hands who eventually target a larger audience.”
For David Kennerley, director of threat research at Webroot, the notable point was Apple's speed of response, telling SC in an email: “Apple's reaction to the flawed code in its iOS was commendable, taking only 10 days to patch and issue a software update. The fact that they have control of both the hardware and software operating on their systems – as well as the update mechanisms and cloud services behind these platforms – enables them to rapidly deploy patches to mitigate any newly discovered vulnerability or threat. This approach minimises risk for users of their handsets as they are exposed for as little as possible, provided users install the updated iOS in a timely fashion.”
John Madelin, CEO at RelianceACSN comments that for all the sophistication of this attack, “The truth is most hackers don't need to waste their efforts, time and money launching a complicated Zero Day assault on a company when a simple phishing email sadly still works just as well. Apple speedily fixed the flaw, but this really highlights the importance of proper security management – especially when many organisations fail to get the basics right.”
For Ronnie Tokazowski, a senior researcher at PhishMe, the issue was user-education, as he pointed out in an email to SC saying, “With the attacks on Ahmed Mansoor, he has been targeted by three different advanced hacking groups, who have received government funding. ... As a trained user, he was aware that the link may be malware, reported it to Citizen Lab, who then identified and collaborated with Apple to fix the vulnerability for the billion active Apple devices. This is proof that one person reporting one suspicious link can impact the industry worldwide.”
Mark James, Security Specialist at ESET observes that most people believe they have nothing of value to hackers so why should you worry about hackers, but points out that of course all our data has a value, names, address, bank details, even contacts. Therefore, while some people may see this is as just “another update” or even as unimportant, he urges, "believe me you want to install this as soon as possible. Security updates are the only way forward in keeping electronic devices safe, gone are the days when a well-known company would release an update that everyone groaned and waited to see the damage it caused before installing it yourself. Nowadays if there is a security update or patch you NEED to treat it with urgency and get it installed now not tomorrow.”
Bazaliy agrees, commenting to SC: "Apple made it a top priority to patch ASAP. Now that it is patched, the attackers would need a whole new set of exploits which would take a long time to produce. iOS 10 is coming out in September and Apple has done a lot of work updating security mechanisms which will make it much, much harder to repeat."