iOS 9.3.5 Patch: Plugging In The Loopholes

d‘wise one
Published in Chip-Monks
Aug 26, 2016 · 3 min read

iOS is not as inviolable as advertised, but with timely patching it remains the most secure of the mainstream mobile operating systems.

In these times of close scrutiny, invasion of privacy is all too common, and security loopholes in operating systems have served as a breeding ground for it.

Apple’s recent brush with the FBI over its security features had already muddied the waters. Now recent events have exposed a new, not-so-surprising intrusion on its devices.

Earlier this month, an Emirati human rights activist named Ahmed Mansoor received a suspicious text message. It promised new details of torture in the country’s state prisons, along with a link to follow if he was interested. Had Mansoor followed the link, it would have jailbroken his phone on the spot and implanted malware capable of logging encrypted messages, activating the microphone and secretly tracking his movements.

A detailed report on the case by Citizen Lab says: “The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements”.

Trident is the three-pronged exploit chain; “Pegasus” is the spyware it delivers. Once the target taps the link carrying the Pegasus package, the iPhone is jailbroken and the monitoring and data-theft suite is installed.

Three zero-day vulnerabilities came to light as a result of the misfired attack. The first is a memory-corruption bug in Safari’s WebKit engine (CVE-2016-4657) that lets the attacker run code on the device as soon as the user opens the link. That WebKit flaw is chained with an information leak in the kernel (CVE-2016-4655), which reveals where the kernel sits in memory, and a kernel memory-corruption bug (CVE-2016-4656), which gives the attacker kernel-level control and hence a jailbreak. Together the three allowed the entire attack to be carried out against Mansoor and at least one other target in Mexico.

Lookout reports that the payload delivered by Pegasus gives the attackers access to passwords, messages, calls, emails, and logs from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, amongst others.

Worse, the overall Pegasus package is not iOS-exclusive; it can exploit flaws in Android and BlackBerry devices as well. The attacker must know which platform the target uses in order to aim the attack and to stand up a server-side payload delivery and data-collection infrastructure suited to that device.

Based on indicators in the code, the spyware’s iOS variant is capable of infecting devices running iOS 7 or later. Updating an already-infected device does not appear to remove an existing installation, so a current OS version is not by itself proof that a device is clean.

Citizen Lab and Lookout reported the vulnerabilities to Apple on August 15, and the iOS 9.3.5 update Apple released on August 25 patches all three and blocks the attack.
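The practical question for anyone managing a fleet of iPhones is which devices are still inside the affected range (iOS 7 up to, but not including, 9.3.5). The script below is an added example, not code from the article, Citizen Lab, Lookout or Apple; it parses a constructed MDM-style inventory export (the device names, column layout and versions are hypothetical) and flags devices that have not yet received the 9.3.5 fixes. Versions are compared as integer tuples rather than strings, since a plain string comparison would wrongly rank "10.0.1" below "9.3.5".

```python
# Added example (not from the article or from Citizen Lab/Lookout/Apple):
# flag devices in an MDM inventory export that still run an iOS version in
# the range Trident/Pegasus was reported to affect (iOS 7 <= v < 9.3.5).
# The CSV layout and device records below are constructed for illustration.
import csv
import io
from typing import List, Tuple

FIXED_IN = (9, 3, 5)           # iOS 9.3.5 shipped the fixes for all three Trident bugs
EARLIEST_AFFECTED = (7, 0, 0)  # Lookout: indicators in Pegasus point to iOS 7 and later


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '9.3.4', '9.3' or '10' into a comparable (major, minor, patch) tuple.

    Tuple comparison gets right what string comparison gets wrong:
    (10, 0, 1) > (9, 3, 5), whereas '10.0.1' < '9.3.5' lexically.
    """
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised iOS version: {s!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def in_trident_range(version: str) -> bool:
    """True if the device runs iOS 7 through 9.3.4, i.e. lacks the 9.3.5 fixes."""
    return EARLIEST_AFFECTED <= parse_version(version) < FIXED_IN


def unpatched_devices(inventory_csv: str) -> List[str]:
    """Return device identifiers from a CSV export with columns
    device,os,os_version whose iOS version is still in the affected range."""
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["os"].strip().lower() != "ios":
            continue  # Android/BlackBerry have their own Pegasus variants; out of scope here
        if in_trident_range(row["os_version"]):
            flagged.append(row["device"])
    return flagged


# Constructed sample export (hypothetical devices and versions).
SAMPLE_INVENTORY = """device,os,os_version
iphone-6-alice,iOS,9.3.4
iphone-6s-bob,iOS,9.3.5
ipad-carol,iOS,10.0.1
iphone-5-dave,iOS,8.4.1
nexus-erin,Android,6.0.1
iphone-4-frank,iOS,6.1.6
"""

if __name__ == "__main__":
    for device in unpatched_devices(SAMPLE_INVENTORY):
        print("still in Trident's affected range:", device)
```

Two caveats follow from the article itself: a device below iOS 7 is not flagged because that is the lower bound Lookout reported, not because such a device is safe (it is simply unsupported), and a device that already shows 9.3.5 may still carry an installation made before the update, since patching does not remove existing spyware.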

Citizen Lab linked the attack to a private Israeli spyware company known as NSO Group, although it’s unclear how the exploits were first discovered.

In late 2015 the exploit broker Zerodium offered, and paid, a million-dollar bounty for a remote jailbreak of iOS 9, a capability Citizen Lab notes is similar to the exploit chain used against Mansoor.

Apple recently launched its own bug bounty programme to encourage disclosure of such vulnerabilities. The highest reward, up to $200,000, is offered for vulnerabilities in the secure boot firmware.

The attack is likely to reignite the debate over private-sector surveillance-software vendors, which have drawn harsh criticism for selling intrusion software to oppressive regimes in Uganda, Ethiopia, and Bahrain.

Originally published at Chip-Monks.
