Apple on Thursday issued a patch that addresses three recently discovered critical iOS zero-day vulnerabilities, and advised users to update their systems immediately.
State-sponsored actors exploited the flaws to target United Arab Emirates human rights defender Ahmed Mansoor, and a Mexican journalist who reported on government corruption.
Researchers at the University of Toronto’s Citizen Lab and security firmLookout discovered the vulnerabilities, which they dubbed “Trident,” after investigating suspicious text messages sent to Mansoor.
The messages included links to an exploit infrastructure connected with NSO Group, an Israel-based cyberwar company that sells the spyware product Pegasus exclusively to governments, according to Citizen Lab.
The NSO Group, which developed Pegasus, is owned by private investment firm Francisco Partners, Citizen Lab said. It reportedly has offered to sell the NSO Group, which it has valued at US$1 billion. The firm previously invested in Blue Coat Systems, which sold products to repressive regimes to aid their mass surveillance and Internet censorship efforts.
“Apple’s response cements in my mind that it takes security seriously,” said Bobby Kuzma, systems engineer at Core Security.
“These are very complex exploits … and Apple has a patch out fixing them 10 days after it was notified,” he told TechNewsWorld. “That’s nothing short of miraculous.”
‘Grade A Scary’
The Trident vulnerabilities consist of the following:
- CVE-2016-4657 — an exploit targeting a previously undocumented corruption vulnerability in WebKit that allows execution of the initial shellcode;
- CVE-2016-4655 — a Kernel Address Space Layout Randomization bypass exploit to find the kernel’s base address; and
- CVE-2016-4656 — 32- and 64-bit iOS kernel exploits targeting a memory corruption vulnerability that allows execution of code in the kernel. They are used to jailbreak an iPhone and allow software installation.
“The jailbreak is the key here,” Core Security’s Kuzma noted. “Once you’ve broken out of the tightly compartmented application space in iOS, you can effectively and easily bypass all the security controls built into the device and the operating system. This is grade A scary stuff.”
Pegasus on the Loose
The spyware Trident implanted appears to be NSO’s Pegasus product, a highly advanced tool that makes use of zero-day flaws, obfuscation, encryption and kernel-level exploitation, Lookout noted.
Pegasus can use an iPhone’s camera and microphone to eavesdrop on activity. It can record the user’s calls over WhatsApp and Viber, logging messages sent in mobile chat apps, and track the user’s movements.
It includes a renamed copy of Cydia Substrate, a third-party app developer framework that facilitates recording of messages and phone calls from targeted apps, Citizen Lab said.
“Pegasus clearly shows the dangers of mobile devices [that] can be transformed into ideal tracking devices,” said Yair Amit, CTO of Skycure.
“While Pegasus is a sophisticated tool that’s likely to be used against specific victims, there are tools that allow attackers with minimal technical background to easily penetrate iOS and Android,” he told TechNewsWorld.
News of the zero-day exploits led Rep. Ted Lieu, D-Calif., who has a degree in computer science, to call for a congressional hearing on the issue of mobile security.