Security Bits Logo no alpha channel

Security Bits — 24 July 2021

Feedback & Followups

Deep Dive — NSO Group & Pegasus

In a well-orchestrated campaign, a group of 16 newspapers and Amnesty International broke a story detailing how spyware called Pegasus by Israeli grey-hat security company The NSO Group was used by government agencies around the world to spy on journalists, politicians, campaigners, and even the families of these people.

In this case, the story got some extra hype because 23 iPhones were hacked using a previously unknown zero-click iOS exploit. Most of the reporting focused on the cesspool that is the grey-hat security industry, with for-profit companies selling malware to repressive regimes on the promise that they won’t abuse it. A promise that has been repeatedly broken throughout the NSO Group’s history. Since the government of Mexico became their first acknowledged client in 2012 the software has been abused to spy on journalists and other inappropriate targets.

Versions of the Pegasus software have been around or a long time too, but it’s important to understand that it evolves rapidly. It’s a suite of software that does three things:

  1. Exploits mobile phones using whatever zero-day vulnerabilities the NSO Group currently have in their arsenal. The software attacks iOS and Android devices, and it doesn’t just use vulnerabilities in the core OS to get in, it will also leverage bugs in third-party apps when they’re available. Pegasus famously used a Zero-day in WhatsApp to break into phones in 2019.
  2. Gathers as much data as it can — depending on the available zero-days and just how deeply they can penetrate the phones the software gathers up location data, messages, photos, and can sometimes even enable the camera or the mic to spy on its victims directly. Again, this is not limited to core apps, popular messaging services are high on the list of desired data, especially those that encrypt their data really well while it’s in transit!
  3. Sneak the data out, or in security jargon exfiltrate the data.

All three parts continually evolve and change as the phone vendors and third-party app vendors find and fix bugs, and tweak their features.

The first stage probably varies the most, with Apple and Google regularly patching their OSes. Sometimes Pegasus will need to use spear-phishing to get in, but sometimes they can do it silently using so-called zero-click attacks — there are attacks that are invisible to the user and don’t depend on them doing anything. The most recent incarnation of Pegasus made use of a bug in iMessage to break into fully patched iPhones in a zero-click way. A message was sent to the victim’s phones that would silently exploit iMessage, take it over so the user never even got a notification that a message had arrived, and deploy the malware into the phone.

The data that can be gathered also varies over time as Apple and Google find and patch bugs, and add ever more security protections. Another thing that varies over time is how sticky the malware is. Apple and Google have put a lot of work into protecting the boot process on their OSes, so vulnerabilities that allow or persistent take-overs that survive a reboot are exceedingly rare, and it seems the most recent versions of Pegasus are indeed wiped by simply rebooting an infected phone.

The bottom line is that it’s a real cat-and-mouse game, it has been going on for years, and it will go on for many more years to come!

This product entirely depends on the NSO group knowing about vulnerabilities Apple, Google, and other app vendors don’t know about. Those are expensive to acquire, and they have a finite shelf life. Every time they are used they risk being discovered and patched. This is why the number of phones discovered to be actually exploited is so small.

The ultimate effect of these economics is that the specific danger to regular folks is very very low, but the societal impact of a small number of well-targeted hacks could be huge, and could easily affect us all.

One last point — this group of journalists chose to help the NSO group to keep their story juicier. They have known about the iOS bug Pegasus currently leverages for that very very dangerous zero-click entry, and those chose not to responsibly disclose to Apple, which means this bug was left needlessly un-patched for weeks, if not months. Personally, I find that unconscionable.

Similarly, the anti-Apple focus in one of the two Washington Post articles is utterly unfounded — it’s the worst kind of click-bait IMO. They give the numbers and say there were more hacked iPhones found than hacked Android devices as if that number is meaningful, only in the next paragraph do they admit to its complete meaninglessness by admitting that Android phones don’t retain enough logs for infections to be detected as easily of as often, so they actually can’t do any sort of meaningful comparison.

Finally finally — you might well be wondering what’s new here. Pegasus has been around for nearly a decade, and we’ve known it’s been abused to spy on journalists and others for nearly as long, so what’s the big new reveal? There is none. Amnesty and Co. have simply succeeded in getting a long-running story the traction it should have gotten years ago with some well-executed PR moves.

Links

❗ Action Alerts

  • Patch Tuesday has been and gone, and Microsoft patched 116 security vulnerabilities, including 4 being actively exploited in the wild — krebsonsecurity.com/…
  • Apple have patched just about all their OSes and Safari — www.intego.com/… (The % SSID bug seems to be fixed by these updates)

Worthy Warnings

Notable News

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top