Everything you need to know about the Pegasus malware and how Apple responded.
Over the last few days Apple has pushed out updates to the release, developer preview, and public beta versions of iOS — that's iOS 9.3.5, iOS 10 developer preview 7, and iOS 10 public beta 6. All of them, on every carrier, for every region, at the same time. It was to patch a just-discovered set of malware and spyware called Pegasus, made and sold for upwards of a million dollars by a company called the NSO Group to nation-states that wanted to surveil dissidents and journalists.
It's not something most of us, our family, friends, and colleagues, ever need to worry about. But it's something we should all stay informed about.
Okay, back up, what happened and why am I reading about this?
A human rights activist in the UAE received a suspicious text message on his iPhone, had it investigated, and as a result Apple pushed out an update to patch three 0day exploits in iOS.
From Citizen Lab:
Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a "Nobel Prize for human rights"). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising "new secrets" about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based "cyber war" company that sells Pegasus, a government-exclusive "lawful intercept" spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits ("zero-days") that would have remotely jailbroken Mansoor's stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.
So they basically did a remote jailbreak on iPhones?
Yes. If you remember back to the very early days of iOS, there was a brief time when you could jailbreak the original iPhone by tapping on a link that brought up a TIF image in the mobile Safari browser. It's nowhere nearly that easy any more, but when you're dealing with millions of lines of code, and millions of dollars, bugs will happen and ways to exploit them will be found.
Here are the details on Pegasus from Lookout:
Lookout's analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:
- CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel's location in memory.
- CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
- CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
So, in this case, the attack tried to trick the receiver into clicking a link found in a message. Once it gained entry, it would escalate until it had enough control over the iPhone to begin eavesdropping on communications.
Do I have to worry about this?
This attack was being used by nation states that could afford a million dollar price tag, and targeted at specific individuals including dissidents and journalists covering dissidents. If that doesn't describe you, there's very little to worry about.
That said, just like on computers, being safe means never clicking on links you get sent over messages or emails unless you're absolutely, 100% sure they're safe. It's the exact same way you avoid phishing attacks — attempts to con you out of your log in or other private information — and the same advice that's been given for decades.
That said, it's always possible someone else found the same vulnerabilities, or now that they're public, someone else will try to exploit them. So, it's still important to update immediately.
But shouldn't I always update?
Yup. Ignore the headlines and the hyperbole about this particular update and remember to download and install all updates. Apple is always issuing security improvements, bug fixes, and performance enhancements. So, it's best practices to always make sure you're always running the latest version.
Are you sure I'm getting the update?
Absolutely! Once of the biggest advantages that comes with owning an iPhone is that Apple has made sure the company can update every modern device, on every carrier, in every region, all at once.
In this case, it goes back to 2011 devices, including iPhone 4s and up and iPad 2 and up.
All you have to do is go to Settings > General > Software Update. For step-by-step instructions:
- How to update the release version of iOS
- How to update the developer preview of iOS
- How to update the public beta of iOS
Is Apple working to prevent this from happening again?
Apple, and every vendor, is working to make it as hard as possible for this to ever happen. They're doing it in several ways:
- Working with external security experts. Apple has recently announced a security bug bounty program to help independent researchers who find and responsibly disclose vulnerabilities in Apple's software.
- Reacting quickly when 0day exploits are found in the wild. Apple patched Pegasus quickly enough that the previous betas had barely shipped by the time the next versions were pushed out.
Security is all about defense in depth, and by doing all of these things, Apple makes iOS security increasingly deep.
What if I think I'm already infected?
If you think you might be a target for Pegasus, and might already be infected, you have a couple of options, including erasing your iPhone and restoring from a backup.
If you're really worried about the state of your device security, though, your best option is to buy a new iPhone from a trusted supplier and either restore a backup to that, or set up as new, sync back contact, email, and other personal information.
Wait, I have more questions!
Drop them in the comments below!