On Thursday, researchers published evidence that an established private cyberarms dealer called NSO Group, whose clientele primarily comprises governments, has been selling masterful spyware that is delivered to mobile devices through a series of critical vulnerabilities in Apple’s iOS mobile operating system. Once established on a device, this tool, known as Pegasus, can surveil virtually anything, relaying phone calls, messages, emails, calendar data, contacts, keystrokes, audio and video feeds, and more back to whomever is controlling the attack. Apple says it has fully patched the three vulnerabilities, collectively called Trident, as part of today’s iOS 9.3.5 update.
“This is the first time any security researchers, as far as any of us are aware, have ever gotten a copy of NSO Group’s spyware and been able to reverse engineer it,” says Mike Murray, vice president of Lookout, the security research firm that discovered the spyware along with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “They are a really sophisticated threat actor and the software they have reflects that. They are incredibly committed to stealth.”
Citizen Lab stumbled upon Trident and Pegasus after prominent human rights activist Ahmed Mansoor sent the group some suspicious SMS text messages he had received on his iPhone 6. Mansoor, who is based in the United Arab Emirates, has been targeted by lawful intercept surveillance software before, and Citizen Lab worked with him when his devices were compromised by FinFisher’s FinSpy malware in 2011, and Hacking Team’s Remote Control System in 2012. FinSpy and Hacking Team are similar businesses to NSO Group, selling spy tools to governments (potentially including oppressive regimes) for a premium.
“As a human rights defender in a country that considers such a thing as a threat, an enemy or traitor, I have to be more careful than the average person,” says Mansoor. “Nothing is surprising to me.” Mansoor received two phishing text messages, one on August 10 and the other on August 11. His iPhone was running the latest version of iOS at the time. Both messages read “New secrets about torture of Emiratis in state prisons,” and offered a link to see more information. “Such content was enough to trigger all the red flags with me,” Mansoor says.
He sent screenshots of the texts and the URL to Citizen Lab, where senior researchers Bill Marczak and John Scott-Railton used a stock factory-reset iPhone 5 running iOS 9.3.3, like Mansoor’s, to load the URL. All they saw was Apple’s Safari browser opening to a blank page and then closing about 10 seconds later.
After monitoring data the phone subsequently sent and received over the Internet, though, as well as the Web servers it was connecting to, the team started piecing together both how the attack works, and its origin. They recognized some features from other research they had been doing into cyber attacks targeting dissidents in the UAE. They also contacted Lookout for additional technical analysis.
The cascade of exploits begins by taking advantage of a vulnerability in Safari’s WebKit, the engine the browser uses to lay out and render web pages. This then triggers a second stage, where the attack uses a bug in the protections surrounding the kernel (the core program of an operating system, which controls all of its other components) to reach the kernel, initiating the third and final stage of the attack, which exploits the kernel itself and jailbreaks the phone.
Jailbreaking an iPhone gives root access, which means that a user can make whatever changes he or she wants to a device. People sometimes jailbreak their phones intentionally so they can customize their user experience beyond what Apple will allow, but in this case the jailbreak was used to give a remote party access to the device’s contents and activity.
Jon Clay, a cybersecurity and threat expert for Trend Micro, says that utilizing multiple exploits in an attack is common for most platforms. But since relatively few vulnerabilities are found in iOS to begin with (compared to platforms like Windows), it would be unique to see an attack sequencing multiple exploits. Notably, a group of hackers claimed a $1 million reward last year from the security startup Zerodium for delivering a remotely executable jailbreak for iOS.
When Citizen Lab and Lookout brought their findings to Apple, the company patched the bugs within 10 days. Apple said in a statement that, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
NSO Group won’t be able to use this particular attack anymore on iPhones running the latest version of iOS—and one of the operating system’s strongest selling points is its high adoption rates for new versions. In the meantime, the Citizen Lab and Lookout researchers say that there is evidence that the group has ways to get Pegasus spyware onto other mobile operating systems, notably Android. Additionally, though Trident is a particularly elegant attack, NSO Group could have other strategies for delivering Pegasus to iOS devices.
The revelation that an iOS zero-day vulnerability has been up for sale also bolsters Apple’s case that law enforcement agencies like the FBI should not be able to force the company to create special access to its devices. Exploits already exist, and creating new ones only adds more risk.
Little is known about the Israel-based NSO Group, by design. Its LinkedIn profile says that it was founded in 2010 and has between 201 and 500 employees, but the company doesn’t maintain a website or post any other information. NSO Group’s nation-state clientele includes governments like Mexico, which was reported to use its services in 2014 and seems to be an ongoing customer according to Citizen Lab and Lookout’s findings. Last fall, Bloomberg estimated the company’s annual earnings at $75 million, with its sophisticated exploits presumably commanding the kind of hefty sum that governments can afford.
“One thing about NSO is that like Hacking Team and FinFisher, they represent themselves as selling lawful intercept tools exclusively to government,” says Citizen Lab Senior Researcher John Scott-Railton. “So that has the interesting feature that when you find it you can assume that you’re probably looking at a government actor.”
Meanwhile, even though this vulnerability has been patched, the next one likely won’t be far behind, especially given NSO’s seemingly advanced infrastructure.
“How many people are walking around with three Apple zero days in their pocket? Not very many,” says Murray of Lookout. “We see evidence of [NSO Group] having their own internal quality assurance organization. We see debugging calls—it looks like professional, enterprise-grade software. They have a full software development organization just like any enterprise software company.”
When their next release is ready, it seems likely that governments will be eager to buy.
Article by: Lily Hay Newman of WIRED