Pegasus (spyware)

Pegasus is spyware that can be installed on devices running certain versions of iOS, Apple's mobile operating system. It was discovered in August 2015 after a failed attempt to install it on a human rights defender's iPhone; the ensuing investigation revealed details about the spyware, its capabilities, and the security vulnerabilities it exploited. Pegasus is capable of reading text messages, tracking calls, collecting passwords, tracing the phone's location, and gathering information from apps, including iMessage, Gmail, Viber, Facebook, WhatsApp, and Skype. Apple released iOS version 9.3.5 to fix the vulnerabilities. News of the spyware garnered significant media attention. It was called the "most sophisticated" smartphone attack ever, and marked the first time in iPhone history that a remote jailbreak exploit had been detected. The company that created the spyware, NSO Group, stated that it provides "authorized governments with technology that helps them combat terror and crime". In the aftermath of the news, critics asserted that Apple's bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits from being sold on the black market rather than reported back to Apple.

Details of spyware

Pegasus is the name of a spyware that can be installed on devices running certain versions of iOS, Apple's mobile operating system. Upon clicking on a malicious link, Pegasus silently enables a jailbreak on the device and can read text messages, track calls, collect passwords, trace the phone location, as well as gather information from apps including (but not limited to) iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.

Patch

Apple released iOS version 9.3.5 for its line of iPhone smartphones in August 2016. The update fixed the three critical security vulnerabilities that Pegasus exploited.

Discovery of spyware

The vulnerabilities were found 10 days before the iOS 9.3.5 update was released. Arab human rights defender Ahmed Mansoor received a text message promising "'secrets' about torture happening in prisons in the United Arab Emirates", along with a link. Mansoor sent the link to Citizen Lab. An investigation, conducted in collaboration with the security company Lookout, revealed that if Mansoor had followed the link, it would have jailbroken his phone on the spot and implanted the spyware. Citizen Lab linked the attack to a private Israeli spyware company known as NSO Group, which sells Pegasus to governments for "lawful interception". NSO Group is owned by an American private equity firm, Francisco Partners.

Regarding how widespread the issue was, Lookout explained in a blog post: "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code" and pointed out that the code shows signs of a "kernel mapping table that has values all the way back to iOS 7".

Vulnerabilities

Lookout provided details of the three vulnerabilities:

  • CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
  • CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
  • CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
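The three CVEs above were addressed in the 9.3.5 release described in the Patch section. The following is an added example, not code from the article or from Lookout or Citizen Lab: a small triage script that reads a constructed device inventory (hypothetical device ids) and flags devices whose iOS version predates the fix. It assumes that 9.3.5 and every later release carry the fix, and it compares version components as integers so that 9.3.10 is correctly treated as newer than 9.3.5.

```python
from typing import List, Tuple

# Fix release named in the article, and the three CVEs it addressed.
PATCHED_VERSION = (9, 3, 5)
TRIDENT_CVES = ("CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657")

def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn '9.3.4' or '9.3' into a comparable (major, minor, patch) tuple.
    Integers matter: as strings '9.3.10' would wrongly sort below '9.3.5'."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def lacks_trident_fix(version: str) -> bool:
    """True for releases older than 9.3.5, which never received the fix for
    CVE-2016-4655/4656/4657 (assumption: 9.3.5 and later carry it)."""
    return parse_ios_version(version) < PATCHED_VERSION

def triage_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (device_id, version) for each 'device_id,ios_version' line that
    is still exposed. Unparsable versions are reported rather than silently
    treated as patched."""
    exposed = []
    for line in lines:
        device, _, version = line.partition(",")
        try:
            if lacks_trident_fix(version):
                exposed.append((device, version))
        except ValueError:
            exposed.append((device, f"unparsable:{version}"))
    return exposed

# Constructed sample MDM export (hypothetical device ids), not real data.
SAMPLE_INVENTORY = [
    "phone-01,9.3.4", "phone-02,9.3.5", "phone-03,9.3",
    "phone-04,10.0.1", "phone-05,9.3.10", "phone-06,n/a",
]

if __name__ == "__main__":
    for device, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device}: {version} lacks the fix for {', '.join(TRIDENT_CVES)}")
```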

News

News of the spyware received significant media attention, particularly for being called the "most sophisticated" smartphone attack ever, and for being the first time in iPhone history that a remote jailbreak exploit had been detected.

NSO Group comment

Dan Tynan of The Guardian wrote an article that featured comments from NSO Group, in which the company stated that it provides "authorized governments with technology that helps them combat terror and crime", although the Group told him that it had no knowledge of any incidents.

Bug-bounty program skepticism

Russell Brandom of The Verge commented that Apple's bug-bounty program, which rewards people who manage to find faults in its software, maxes out at payments of $200,000, "just a fraction of the millions that are regularly spent for iOS exploits on the black market". He goes on to ask why Apple doesn't "spend its way out of security vulnerabilities?", but also writes that "as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left. While spyware companies see an exploit purchase as a one-time payout for years of access, Apple’s bounty has to be paid out every time a new vulnerability pops up." Brandom also wrote: "The same researchers participating in Apple’s bug bounty could make more money selling the same finds to an exploit broker." He concluded the article by writing: "It’s hard to say how much damage might have been caused if Mansoor had clicked on the spyware link. ... The hope is that, when the next researcher finds the next bug, that thought matters more than the money."

References

Pegasus (spyware) Wikipedia