Mobile devices are essential parts of many people’s daily lives. Whether it’s an iPhone or Android, all of the user’s data is in included in one convenient package: GPS, contact list, camera roll, emails, passwords, messaging, social media, etc. Mobile users are discovering this week that their fingerprints, passcodes, PINs, and passwords aren’t enough to keep prying eyes away from their most sensitive information.
In 2010, Omri Lavie and Shalev Hulio co-founded NSO Group Technologies Ltd. They call themselves the “leader in the field of Cyber warfare.” Both men are believed to be previously involved with the top secret Unit 8200; Israel’s version of the United States’ National Security Agency. The NSO Group makes smartphone snooping technology used by governments…and anyone else with deep enough pockets. NSO’s premier product is Pegasus which allows the ability to eavesdrop and also remotely access the device’s phone or audio capabilities to spy in real-time. Pegasus targets three newly-exposed exploits in iOS, Apple iPhone’s operating system.
Rumors of Pegasus have swirled among privacy professionals for a while, but the sophisticated and nearly undetectable spyware product was first caught in August 2016 by two cyber research groups. United Arab Emirates human rights activist Ahmed Mansoor contacted Citizen Lab researchers in Canada after he received suspicious text messages including links to click.
Citizen Lab investigated with Lookout Security and confirmed Mansoor’s suspicions. The text was actually an SMS phishing attack and the sender number was spoofed. The links were zero-day attacks that would have compromised the iPhone immediately, jailbroken his iPhone, and installed spyware. The researchers named this attack Trident because of the three exploits it utilizes. According to Citizen and Lookout, those vulnerabilities are:
“1. CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
- CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
- CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.”
Citizen and Lookout researchers contacted Apple with their findings, and the security team immediately fixed the exploits and developed a patch for the current operating system. Apple urged its users to update their OS immediately. Earlier in 2016, the company announced it would pay out a bounty of up to $200,000 for evidence of software bugs.
Apple iPhones that haven’t been exposed to Trident are now protected. But evidence exists that Pegasus is still out there and threatens Android and Blackberry users. Citizen Lab reports the NSO Group’s aim is “[I]n general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.”
The Cloud Security Alliance Cloud Controls Matrix (CCM) is a guideline for cloud customers and vendors to determine a vendor’s risk. It specifically addresses mobility security (MOS) and the need for company devices to have controls in place that prohibit jailbreaking and others that allow for remote patching.
“The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company.”
Two cyber security research groups, Citizen Lab and Lookout Security, first exposed a highly secretive spyware attack by NSO Group in August 2016. Pegasus, a spyware by Israeli firm NSO Group, turns mobile devices into digital spies with zero-day attacks. Researchers discovered the malware on a cellphone belonging to UAE political figure Ahmed Mansoor. Mansoor received a phishing text that included a link that would enable the attack. It takes advantage of three vulnerabilities, so researchers deemed it “Trident.” Apple immediately issued a patch for iOS users, but Android and Blackberry attacks are possible.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
Data Center Applications, Cloud Controls Matrix (Domain 8)
Application Security (Domain 10)