
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Speak up, your iPhone is trying to hear you

Topics: Espionage, Mobile Security, Social Engineering, Phishing, Exploit

Posted: 02 September 2016

Trust is an interesting human instinct, and as IT security professionals I often wonder whether we are an overly suspicious bunch or whether our suspicion is warranted. Yet something popped up in IT security circles last week with less fanfare than it deserves. Something which not only keeps me in a state of cynicism but demonstrates just how sophisticated mobile exploitation has become.

On the 10th and 11th of August this year, Ahmed Mansoor, an internationally renowned human rights defender and advocate based in the UAE, received some unsolicited SMS messages. The messages offered information on human rights abuses in exchange for clicking on an attached hyperlink: spear-phishing at its finest. A man after my own heart, Mansoor didn’t trust these messages and forwarded them to Citizen Lab researchers for further analysis.

What was discovered has been widely published under the following CVE references:

  • CVE-2016-4657: An exploit for WebKit, which allows execution of the initial shellcode.
  • CVE-2016-4655: A KASLR bypass exploit to find the base address of the kernel.
  • CVE-2016-4656: An iOS kernel exploit that allows execution of code in the kernel, used to jailbreak the phone and allow software installation.

Such is the level of danger these exploits pose that Apple released a fix just 24 hours later in the form of iOS 9.3.5. Let that be a friendly nudge to those who haven’t updated their iPhones yet.

Investigations into the hyperlink and the infrastructure behind it point to a privately owned company by the name of the NSO Group (Citizen Lab, 2016). Elusive to say the least, the NSO Group has no website and very little information exists about it, other than a group brochure which advertises that it sells cyber warfare solutions to military and homeland security organisations. In particular, a solution known as Pegasus is highlighted.

Pegasus is available in two versions: a one-click flavour which sends a hyperlink in an SMS message, and a zero-click option which exploits Apple’s push notification service to open the hyperlink without user interaction. Both Mansoor and the world sighed in relief that in this instance the attacker chose the wrong version. If they hadn't, it may never have been made public. Once the hyperlink is opened, through a chain of anonymisers, the handset is assessed to determine whether or not it is a fruitful target. If not, a non-malicious site is presented. If it is, the software is loaded onto the handset.

Once the software is loaded onto the device, the handset is silently compromised so that the attacker can use all the typical functions of an iPhone to spy on its owner: taking photos, switching on the microphone and recording, reading emails, harvesting contact details and tracking location, to name a few. In effect, a listening bug.

We probably shouldn’t be surprised that a human rights activist is a target of a government organisation, and I will leave it to the readers of this blog to speculate as to the source. Cold War-style spy tactics are always a popular topic of discussion but, to add an element of seriousness, never before has there been a known ability to jailbreak iOS remotely.

So as you suspiciously look at your mobile phone, just think: your very own Trojan horse, carried around with you all day, and you wouldn’t even know it.

Posted by: Infinigate UK
