Apple has pushed out an emergency security update for iPhones, iPads and iPods after super sophisticated spyware was found exploiting three iOS vulnerabilities.
The iOS 9.3.5 upgrade plugs three holes that, according to researchers, are being used right now by the Pegasus surveillance kit – a powerful commercial malware package sold to governments for snooping on dissidents and journalists.
Pegasus exploits the bugs to inject itself into iThings. A victim simply has to click on a bad web link to start an infection. Once installed, Pegasus can read messages and emails, listen to calls, monitor social network posts, pull out Wi-Fi passwords, and so on. It essentially has comprehensive access to a poisoned handheld.
The three vulnerabilities exploited by the spy kit are:
- CVE-2016-4655: An input validation flaw that could allow iOS kernel memory contents to be viewed by an installed app.
- CVE-2016-4656: A memory corruption flaw in the iOS kernel that allows code execution and can be exploited by an installed app.
- CVE-2016-4657: A remote code execution flaw in WebKit that would allow an attacker to "jailbreak" and install malware on an iOS device by way of a specially crafted webpage.
It appears the three bugs can be exploited in a chain to remotely infect and take control of a vulnerable iThing: a mark is tricked into visiting a booby-trapped webpage that exploits the WebKit bug to run code on the device, and that code then uses the sensitive kernel information obtained via the information leak to exploit the kernel-level memory corruption weakness.
Researchers with Citizen Lab and Lookout report that iOS exploit code, dubbed Trident, was being sold as part of the Pegasus spyware package and used to infect the mobile devices of activists and reporters. There's a technical analysis of Pegasus here [PDF].
The report names NSO Group, an Israeli security company previously associated with government spyware efforts, as the creator of the Pegasus kit.
The researchers were tipped off by Ahmed Mansoor, a UAE-based human rights activist whose handheld was preyed upon by top-tier spyware sent by state-sponsored hackers. He was sent a text containing a dubious web link; rather than click on it, he forwarded it to experts, who analyzed the code at the other end of the URL.
The New York Times believes the malware was also used to snoop on its journalists in a targeted attack. It's likely this software has been used against many persons of interest by governments and organizations around the world.
The United Arab Emirates is an obvious customer. Mexico, Saudi Arabia, Qatar, Turkey, Israel, Morocco, Thailand, Kenya, Uzbekistan, Mozambique, Yemen, Hungary, Nigeria and Bahrain may also have snapped up the software, according to Citizen Lab and Lookout.
"The agreements signed with [NSO's] customers require that the company's products only be used in a lawful manner," said NSO spokesman Zamir Dahbash. "Specifically, the products may only be used for the prevention and investigation of crimes."
While the risk that most iOS owners would be targeted by the Trident malware is low, anyone using an iPhone 4S, iPad 2, or fifth-generation iPod touch, or anything newer than those devices, should update their iThing as soon as possible now that the details of the flaws have been made public, because now anyone can try to exploit them. ®