After two recent news stories revealed that current versions of iOS can be compromised with a zero-click exploit used by the controversial Pegasus spyware, Apple has issued a security update that it promises closes the hole for all users.
There is some question as to how long it will last, however, as the Pegasus spyware has already cycled through several previously undiscovered exploits. Many of these involved iMessage, the target of the zero-click exploit that the recent security update addressed.
Security update puts an end to iMessage zero-click exploit
Forensic investigations of a number of phones believed to be targeted by Pegasus spyware have turned up signs of an iMessage zero-click exploit in recent months. Earlier this month, Citizen Labs was able to capture the exploit on a target phone (belonging to a Saudi political activist) and named it “FORCEDENTRY.” The zero-click exploit made use of Apple’s image rendering library to infect devices upon receipt of a message with a malicious PDF attached, even if the message was not actively opened and viewed.
Apple’s security update puts an end to this flaw, which Citizen Labs believes the Pegasus spyware has been actively exploiting since February of this year. Sold by the Israel-based NSO Group, the spyware is supposed to only be sold to democratic governments using it for legitimate law enforcement purposes. Recent investigative reports have found that to be far from the case, with an established pattern of Pegasus spyware appearing in the hands of everyone from dictatorships to Mexican drug cartels.
While security researchers often find traces that indicate the Pegasus spyware has been deployed (or attempted) on a target device, the last time code was actually captured was in 2019. At the time, Pegasus was still using phishing attempts to breach target devices; a human rights activist from the United Arab Emirates received a message containing a suspicious link, which he turned over to Citizen Labs for investigation.
Apple device users are strongly advised to install the security update as soon as possible, as the current version of Pegasus leverages the new zero-click exploit to infect the target device even if the message is never opened. The exploit affects all current versions of iOS, including the most recent.
Pegasus spyware tied to bad actors around the globe
It is unknown which NSO client deployed the malware that Citizen Labs intercepted, but NSO Group has a long and troubling history of selling the Pegasus spyware to bad actors around the world.
Aside from the investigations by Citizen Labs, the other major reporting on the Pegasus spyware this year came from the “Pegasus Project” headed up by Amnesty International and French journalism nonprofit Forbidden Stories. The project documented the hacking of 37 smartphones belonging to journalists, activists and government opposition party members among other clear non-criminal targets. These included the family of murdered Saudi journalist Jamal Khashoggi. Other disturbing incidents documented by the project include the tracking of political dissidents in India and Hungary, and a mass of tracked numbers in Mexico that may be tied to drug cartels illicitly obtaining access to the Pegasus spyware.
According to Hank Schless, Senior Manager (Security Solutions) at Lookout: “NSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations. Their proactive statements about the Citizen Lab are just another attempt at maintaining this narrative in the media. The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims.”
Apple team quickly closes zero-click exploit
Apple’s team reportedly worked “around the clock” after the zero-click exploit story broke in early September, coming up with the security update in about a week. Patching the exploit out is vital not just due to the ease with which it can infect a device, but the total control it provides once it is active. The attacker can essentially see and do anything the legitimate owner of the phone can, including surreptitiously turning on the camera and microphone. Device users will automatically get the security update when they install iOS 14.8, macOS 11.6 or watchOS 7.6.2. Phones that are not updated continue to be vulnerable, and the vulnerability is thought to be exploitable back to the oldest models of iPhone still in service.
The security update from Apple closes a very serious hole, but it is very unlikely to put Pegasus out of business. The software has existed for about a decade now, and has rotated through various exploits that it seems to have obtained private access to through one means or another. The zero-click exploit that this recent security update closes off is a new development, and a very worrying one. A UN panel of human rights experts suggested in August that internationally agreed-upon regulations for the use of Pegasus spyware that NSO Group is subject to may be the only answer to curbing its abuse. The use of spyware is largely unregulated, and both sales and deployment of it are generally covered by non-disclosure agreements and classified materials status. It is difficult to tell how NSO would respond to increased scrutiny and regulation of its product, as the group cut off communication with the media in a huff after the Pegasus Project was published.
Nick Tausek, Security Solutions Architect at Swimlane, has some parting advice for organizations concerned about the seemingly inevitable re-emergence of Pegasus: “To prevent vulnerabilities such as this one from compromising employees and the organization’s sensitive data, companies should look to centralize and automate their current security threat detection, response and investigation protocols into a single platform. Automated detection and response workflows can help enterprises stop the otherwise hidden cross-pollination between personal device communications and access to sensitive corporate resources and information. By embracing comprehensive security automation, security teams can also free up time to keep up with the evolution of threat tactics, ultimately enhancing security preparedness.”
Chris Risley, CEO at smartphone security firm Bastille Networks, adds several best practices: “1) Establish and educate upon a corporate policy for all employees to leave cell phones outside of confidential meeting rooms for discussions of mergers, upcoming earnings announcements, new products, trade secrets, etc. 2) Require all visitors and meeting guests to leave their phones outside as well. 3) Don’t rely on the ‘Honor System’ to enforce your policy; install a technology to detect and locate cell phones in all the areas in which confidential conversations occur.”