Yes, it had been, until Apple decided to plug it a few days ago in what turned out to be an essential security patch that the Cupertino giant prepared in just 10 days. If you have been glancing through articles in the past days, let me put things in perspective for you. Yes, your iPhone is vulnerable if it has not been updated to iOS 9.3.5, and secondly, it has been vulnerable since iOS 7. This is all thanks to a well-protected secret that nobody was aware of until a 46-year-old human rights activist from the United Arab Emirates received a strange text message on his iPhone from a number he did not recognise.

The bait

[Image: Ahmed Mansoor, Citizenlab]

Had Ahmed Mansoor clicked on the link sent in via SMS (or iMessage), nothing would have been revealed, and the company that provides the malware, called Pegasus, would have continued to do its business undercover as it has for a couple of years now. But malware attacks were not new to Mansoor. As reported by Motherboard, the UAE national has already been the victim of government hackers who have used spyware products from companies like FinFisher and Hacking Team. Instead, Mansoor decided to forward that same message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.

The chase

Marczak, along with Scott-Railton, got on the job and confirmed the same. But the chase did not end there. Both researchers followed the online trail, tracing it to a server and an IP address that were earlier categorised in their database under Stealth Falcon, a hacking group. Soon enough they also found a server registered to an NSO employee that pointed to the same IP address. That company was the NSO Group, and it had been dishing out copies of a sophisticated malware with a three-pronged approach that utilises three different unknown vulnerabilities in Apple’s iOS. Oddly, these were a well-kept secret and had never been reported in the past. Citizenlab soon contacted Lookout Security to take a deep dive.

How “bad” is bad?

Deeper into their research, the companies concluded that the spyware used three previously unknown bugs (zero-days) in the iPhone and tagged the chain ‘Trident’. The first bug, CVE-2016-4657, is an exploit for WebKit, which allows execution of the initial shellcode. The second is a Kernel Address Space Layout Randomization (KASLR) bypass exploit used to find the base address of the kernel. Once that is accomplished, 32- and 64-bit iOS kernel exploits allow execution of code in the kernel, which is used to jailbreak the phone and allow software installation.

[Image: Citizenlab]

So what can hackers do once all three have been executed (a process that barely takes a few seconds once the victim clicks on the link)? Well, researchers say that the malware can intercept “all data” inside an iPhone. This includes full access to the phone’s files, messages, microphone and video camera; the operator is able to turn the device into a silent digital spy in the target’s pocket. Not impressed? Well, it can also check for calls made by the phone, WhatsApp and Viber, SMS, and data from apps like Gmail, WhatsApp, Skype, Facebook, KakaoTalk, Telegram and others. It also had access to “A wide range of personal data, such as calendar data and contact lists, as well as passwords, including Wi-Fi passwords.” It’s almost like a spy in your pocket, in the most personal device you have ever owned. Impressed? There’s something bigger to add to this mess. Lookout Security pointed out that the “spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7).”

A well-funded malware

While Apple has finally fixed the Pegasus malware, what is shocking is that government organisations have been using it for years. It has been used to target activists, and the product has been sold in Mexico and Panama in the past. The NSO Group, which operates from Israel, was formed in 2010. In 2014, US private equity fund Francisco Partners acquired a majority stake in NSO for around $120 million. Soon enough Francisco was searching for a sale of the company, which in 2015 was valued at around $1 billion. In the same year, Reuters had earlier pointed out that the NSO Group had an annual revenue of approximately $75 million!