Trust is an interesting human instinct, and as an IT security professional I often wonder whether we are an overly suspicious bunch or whether the suspicion is warranted. Yet something popped up in IT security circles last week with less fanfare than it deserves. It not only keeps me in a state of cynicism but demonstrates just how sophisticated mobile exploitation has become.
On the 10th and 11th of August this year, Ahmed Mansoor, an internationally renowned human rights defender and advocate based in the UAE, received some unsolicited SMS messages. The messages offered information on human rights abuses in exchange for clicking on an attached hyperlink: spear-phishing at its finest. A man after my own heart, Mansoor didn’t trust these messages and forwarded them to Citizen Lab researchers for further analysis.
What was discovered has been widely published under the exploit references:
- CVE-2016-4657: An exploit for WebKit, which allows execution of the initial shellcode.
- CVE-2016-4655: A KASLR bypass exploit to find the base address of the kernel.
- CVE-2016-4656: An iOS kernel exploit that allows execution of code in the kernel, used to jailbreak the phone and allow software installation.
Such is the level of danger these exploits pose that Apple released a fix just 24 hours later in the form of iOS 9.3.5. Let that be a friendly nudge to those who haven’t updated their iPhones yet.
Investigations into the hyperlink and the infrastructure behind it point to a privately owned company by the name of the NSO Group (Citizen Lab, 2016). Elusive to say the least, the NSO Group has no website and very little information exists about it, other than a group brochure which advertises that it sells cyber warfare solutions to military and homeland security organisations. In particular, a solution known as Pegasus is highlighted.
Pegasus is available in two versions: a one-click flavour which sends a hyperlink in an SMS message, and a zero-click option which exploits Apple’s push notification service to open the hyperlink without user interaction. Both Mansoor and the world sighed in relief that, in this instance, the attacker chose the wrong version. If they hadn't, it may never have been made public. Once the hyperlink is opened, the request passes through a chain of anonymisers and the handset is assessed to determine whether it is a worthwhile target. If not, a non-malicious site is presented. If it is, the software is loaded onto the handset.
Once the software is loaded onto the device, it is silently exploited so that the attacker can use all the typical functions of an iPhone to spy on its owner: taking photos, activating the microphone and recording, reading emails, harvesting contact details and tracking location, to name a few. In effect, a bug in the espionage sense of the word.
We probably shouldn’t be surprised that a human rights activist is the target of a government organisation, and I will leave it to the readers of this blog to speculate as to the source. Cold War style spy tactics are always a popular topic of discussion but, to add an element of seriousness, never before has there been a known ability to jailbreak iOS remotely.
So as you suspiciously look at your mobile phone, just think: your very own Trojan horse, carried around with you all day, and you wouldn’t even know it.