# NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist
[Citizen Lab released a report][cl] describing the attempted use of iOS
0-days on human rights activist [Ahmed Mansoor][] by the United Arab
Emirates.
They named this chain of exploits _Trident_,
and with the help of [Lookout Security][paper],
were able to analyze them.
It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
exploiting a memory corruption vulnerability in WebKit,
which downloads a payload without the user's knowledge.
That payload is able to bypass KASLR and [determine the kernel memory
location (CVE-2016-4656)][4656],
then allowing it to exploit a [memory corruption vulnerability in the
kernel itself (CVE-2016-4657)][4657];
this "jailbreaks" the device and is a complete compromise of the system.

[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657

<!-- more -->

This payload is [Pegasus][paper],
a complex surveillance tool sold to governments,
often used for espionage.
In this case,
Mansoor received a suspicious text message and wisely [tipped off Citizen
Lab][cl] rather than opening the presented link.
Had he done so,
he would have unknowingly downloaded this spyware that could very well
have put his life in extreme danger:
it has the capability to track his location;
record his calls and texts;
record communications through software like WhatsApp and Skype;
download his contact information;
grab passwords and encryption keys from his keyring;
and much more.

This malware was written by [NSO Group][],
which is so little known that their [Wikipedia page didn't even exist
until today][nso-wikipedia].
The software company is based in Israel,
founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
They were purchased in 2014 by [Francisco Partners][],
a private equity firm in the United States,
for $110 million.
They exist to sell exploits to governments.

Anyone familiar with security research is aware of [responsible
disclosure][]:
it is a model whereby researchers who discover a vulnerability
release their research publicly only _after_ they notify the authors
of the software,
and a patch mitigating the vulnerability has been released.
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
iOS 9.3.5.[^rms-apple]

This is not what NSO Group does:
instead, they hoard their exploits[^0day] and sell them to governments as
weapons for surveillance or espionage.
In this case,
the United Arab Emirates (or so it seems).
This is not only unethical,
but to sell to a government that is known for this type of abuse is
inexcusable and negligent---the people behind NSO Group are absolute
scum.[^scum]
They are empowering a foreign government known for their civil and human
rights abuses.

I have trouble finding words.
There is much more that can be said on this topic with respect to security,
civil and human rights,
and various other topics.
But I don't want to distract from the topic at hand.
Let this sink in.
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
Today I leave my soapbox be.

[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
[apple]: https://support.apple.com/en-us/HT207107

[^rms-apple]: I [can't recommend that you use Apple
devices](https://stallman.org/apple.html), but if you do, you
should upgrade immediately;
you are vulnerable to exploitation by simply visiting a
malicious webpage.

[^0day]: Called 0-days,
because they haven't been disclosed and there has been no time to
prepare or release a fix.

[^scum]: For other scum, see the organization behind [FinFisher][]; and the
group [Hacking Team][].

[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team