Pegasus, My Little Pony of Doom: An Analysis of iOS Vulnerabilities

The TL;DR

On August 25, 2016 Apple released iOS version 9.3.5. In this update, there were three vulnerabilities patched (known as Trident). When used together, they allow an attacker to remotely compromise an iOS device (typically an iPhone), install a backdoor that allows an attacker to gather and exfiltrate data, and maintain a persistent foothold on the device. It is highly recommended that all iOS users patch their systems immediately.

What Makes This Somewhat Different

A vulnerability in a modern computing device - be it a laptop, smartphone, tablet and so on - is not an unusual event. Each one of these three vulnerabilities is, in its own right, serious. Usually when a vulnerability is released, there is some type of caveat included with it; something along the lines of “this vulnerability allows an attacker to perform X and possibly Y.” It is this word “possibly” that gets debated by security professionals as to how it could or could not occur.

Trident eliminates the word “possibly” from the debate. A clear chain of events can link Trident’s three vulnerabilities together to allow for complete remote compromise with the attacker maintaining an active presence on the device.

To make matters worse, this wasn’t some paper presented at a security conference with some oddball exploit code showing how it might work; this was found in the wild being actively used against a live target. Trident’s job was to install Pegasus, a full-featured piece of commercially-developed malware that allowed for deep-level persistent attacker presence on the device.

The full explanation of how the vulnerability was discovered by Citizen Lab and the subsequent analysis and reporting by both Citizen Lab and Lookout is documented here and here.

Technical Details

The three vulnerabilities are as follows:

CVE-2016-4655 - This is a memory corruption vulnerability in WebKit, which allows for a remote attacker to execute code via the browser. The attack vector could be something like a link in an email or (as was the case in the Pegasus initial in-the-wild discovery) an SMS message. Visiting the malicious URL allows for the attacker to trigger the vulnerability and execute code, which, in Pegasus’ case, was the next vulnerability.

CVE-2016-4656 - This vulnerability is an information leak. To help prevent attackers from compromising iOS at the kernel level, Apple has implemented Kernel Address Space Layout Randomization (KASLR). When you hear about iPhone jailbreaking, you often hear about KASLR, as this mitigation effort helps prevent the attacker from figuring out various kernel memory addresses. The idea is to make it harder to get to the deepest levels within iOS. This particular vulnerability takes advantage of a function call that “leaks” a memory address in the kernel, allowing the kernel to be mapped out.

CVE-2016-4657 - Finally, this vulnerability allows the attacker to corrupt memory and execute code at the kernel level, jailbreaking iOS. Taking the mapped kernel data from CVE-2016-4656, CVE-2016-4657 allows for the installation of code at the deepest level in the device. For Trident, this was Pegasus - a rather sophisticated backdoor that allowed for complete control of the device with more authority than the actual user of the device.

SMS

SMS has been brought up a lot in the discussion surrounding Trident and Pegasus, so we do have a few comments regarding its context. The initial attack vector discovered was an SMS that was sent to the victim’s phone. A part of the backdoor (which was installed and running at the kernel level) used SMS to aid in data exfiltration as well as a method for receiving attacker instructions. Some of these SMS messages were disguised as two-factor authentication messages commonly seen during authentication, in the event the user discovered the communications.

Recommendations

Based on our data, 75% of mobile endpoints that access protected corporate resources are running iOS and potentially vulnerable to these exploits. Additionally, 62% of phones used as a second factor for two-factor authentication are also running iOS. Our number one recommendation is a simple one - patch iOS devices as soon as possible. A lot of eyes are on Trident and Pegasus, and it is quite possible that others are using the publicly-available information that exists on this and are actively working to duplicate it.

Our second recommendation is to use two-factor authentication to help protect the various accounts and systems you have access to. Given the choice, we recommend using Duo Push or U2F over using SMS, as they offer better protection against remote attacks.
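
One way to act on both recommendations across a fleet, shown as an added example rather than code from this article or from any product: the script below audits a device inventory for iOS versions older than 9.3.5 and for accounts whose second factor is delivered by SMS. The CSV column names and sample rows are constructed assumptions, not a real MDM export format.

```python
import csv
import io

PATCHED_IOS = (9, 3, 5)  # iOS release carrying the Trident fixes, per the article

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
user,platform,os_version,second_factor
alice,iOS,9.3.5,push
bob,iOS,9.3.4,sms
carol,iOS,10.0,u2f
dave,Android,6.0.1,sms
erin,iOS,9.3,push
frank,iOS,9.3.5 (13G36),sms
grace,iOS,unknown,push
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if no version can be parsed."""
    head = text.strip().split()[0] if text.strip() else ""
    parts = head.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    # Pad short versions so "9.3" compares as (9, 3, 0). Comparing tuples of
    # ints avoids the string-comparison trap where "10.0" sorts below "9.3.5".
    return tuple(nums + [0] * (3 - len(nums)))

def audit(inventory_csv):
    """Return (needs_patch, sms_second_factor) as lists of user names."""
    needs_patch, sms_users = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["second_factor"].strip().lower() == "sms":
            sms_users.append(row["user"])
        if row["platform"].strip().lower() != "ios":
            continue
        version = parse_version(row["os_version"])
        # Unparsable versions count as unpatched so they get a manual check.
        if version is None or version < PATCHED_IOS:
            needs_patch.append(row["user"])
    return needs_patch, sms_users

if __name__ == "__main__":
    unpatched, sms = audit(SAMPLE_INVENTORY)
    print("iOS below 9.3.5 or unknown:", unpatched)
    print("Second factor delivered by SMS:", sms)
```
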