NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist

[Citizen Lab released a report][cl] describing the attempted use of iOS
  0-days on human rights activist [Ahmed Mansoor][] by the United Arab
  Emirates.
They named this chain of exploits _Trident_,
  and with the help of [Lookout Security][paper],
  were able to analyze them.

It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
  exploiting a memory corruption vulnerability in WebKit,
  which downloads a payload without the user's knowledge.
That payload is able to bypass KASLR and [determine the kernel memory
  location (CVE-2016-4656)][4656],
  then allowing it to exploit a [memory corruption vulnerability in the
  kernel itself (CVE-2016-4657)][4657];
    this "jailbreaks" the device and is a complete compromise of the system.

This payload is [Pegasus][paper],
  a complex surveillance tool sold to governments,
  often used for espionage.
In this case,
  Mansoor received a suspicious text message and wisely [tipped off Citizen
  Lab][cl] rather than opening the presented link.
Had he done so,
  he would have unknowingly downloaded this spyware that could very well
  have put his life in extreme danger:
    it has the capability to track his location;
    record his calls and texts;
    record communications through software like WhatsApp and Skype;
    download his contact information;
    grab passwords and encryption keys from his keyring;
    and much more.

This malware was written by [NSO Group][],
  which is so poorly known that their [Wikipedia page didn't even exist
  until today][nso-wikipedia].
The software company is based in Israel,
  founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
They were purchased in 2014 by [Francisco Partners][],
  a private equity firm in the United States,
  for $110 million.
They exist to sell exploits to governments.

Anyone familiar with security research is aware of [responsible
  disclosure][]:
  it is a model whereby researchers who discover a vulnerability
    release their research publicly only _after_ they notify the authors
    of the software,
      and a patch mitigating the vulnerability has been released.
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
  iOS 9.3.5.[^rms-apple]
This is not what NSO Group does:
  Instead, they hoard their exploits[^0day] and sell them to governments as
    weapons for surveillance or espionage.
In this case,
  the United Arab Emirates (or so it seems).
This is not only unethical,
  but to sell to a government that is known for this type of abuse is
  inexcusable and negligent---the people behind NSO Group are absolute
  scum.[^scum]
They are empowering a foreign government known for their civil and human
  rights abuses.
I have trouble finding words.

There is much more that can be said on this topic with respect to security,
  civil and human rights,
  and various other topics.
But I don't want to distract from the topic at hand.
Let this sink in.
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
Today I leave my soapbox be.

[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657
[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
[apple]: https://support.apple.com/en-us/HT207107

[^rms-apple]: I [can't recommend that you use Apple
              devices](https://stallman.org/apple.html), but if you do, you
              should upgrade immediately;
                you are vulnerable to exploitation by simply visiting a
                malicious webpage.

[^0day]: Called 0-days,
           because they haven't been disclosed and there has been no time to
           prepare or release a fix.

[^scum]: For other scum, see the organization behind [FinFisher][]; and the
           group [Hacking Team][].

[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team
Mike Gerwitz 2016-08-25 23:09:01 -04:00
commit 57121a9c23