104 lines
4.5 KiB
Markdown
104 lines
4.5 KiB
Markdown
# NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist
|
|
|
|
[Citizen Lab released a report][cl] describing the attempted use of iOS
|
|
0-days on human rights activist [Ahmed Mansoor][] by the United Arab
|
|
Emirates.
|
|
They named this chain of exploits _Trident_,
|
|
and with the help of [Lookout Security][paper],
|
|
were able to analyze them.
|
|
|
|
It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
|
|
exploiting a memory corruption vulnerability in WebKit,
|
|
which downloads a payload unknown to the user.
|
|
That payload is able to bypass KASLR and [determine the kernel memory
|
|
location (CVE-2016-4656)][4656],
|
|
then allowing it to exploit a [memory corruption vulnerability in the
|
|
kernel itself (CVE-2016-4657)][4657];
|
|
this "jailbreaks" the device and is a complete compromise of the system.
|
|
|
|
[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
|
|
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
|
|
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
|
|
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
|
|
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
|
|
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657
|
|
|
|
<!-- more -->
|
|
|
|
This payload is [Pegasus][paper],
|
|
a complex surveillance tool sold to governments,
|
|
often used for espionage.
|
|
In this case,
|
|
Monsoor received a suspicious text message and wisely [tipped off Citizen
|
|
Lab][cl] rather than opening the presented link.
|
|
Had he done so,
|
|
he would have unknowingly downloaded this spyware that could very well
|
|
have put his life in extreme danger:
|
|
it has the capability to track his location;
|
|
record his calls and texts;
|
|
record communications through software like WhatsApp and Skype;
|
|
download his contact information;
|
|
grab passwords and encryption keys from his keyring;
|
|
and much more.
|
|
|
|
This malware was written by [NSO Group][],
|
|
which is so poorly known that their [Wikipedia page didn't even exist
|
|
until today][nso-wikipedia].
|
|
The software company is based in Israel,
|
|
founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
|
|
They were purchased in 2014 by [Francisco Partners][],
|
|
a private equity firm in the United States,
|
|
for $110 million.
|
|
They exist to sell exploits to governments.
|
|
|
|
Anyone familiar with security research is aware of [responsible
|
|
disclosure][]:
|
|
it is a model whereby researchers who discover a vulnerability
|
|
release their research publicly only _after_ they notify the authors
|
|
of the software,
|
|
and a patch mitigating the vulnerability has been released.
|
|
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
|
|
iOS 9.3.5.[^rms-apple]
|
|
This is not what NSO Group does:
|
|
Instead, they horde their exploits[^0day] and sell them to governments as
|
|
weapons for surveillance or espionage.
|
|
In this case,
|
|
the United Arab Emirates (or so it seems).
|
|
This is not only unethical,
|
|
but to sell to a government that is known for this type of abuse is
|
|
inexcusable and negligent---the people behind NSO Group are absolute
|
|
scum.[^scum]
|
|
They are empowering a foreign government known for their civil and human
|
|
rights abuses.
|
|
I have trouble finding words.
|
|
|
|
There is much more that can be said on this topic with respect to security,
|
|
civil and human rights,
|
|
and various other topics.
|
|
But I don't want to distract from the topic at hand.
|
|
Let this sink in.
|
|
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
|
|
Today I leave my soapbox be.
|
|
|
|
[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
|
|
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
|
|
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
|
|
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
|
|
[apple]: https://support.apple.com/en-us/HT207107
|
|
|
|
[^rms-apple]: I [can't recommend that you use Apple
|
|
devices](https://stallman.org/apple.html), but if you do, you
|
|
should upgrade immediately;
|
|
you are vulnerable to exploitation by simply visiting a
|
|
malicious webpage.
|
|
|
|
[^0day]: Called 0-days,
|
|
because they haven't been disclosed and there has been no time to
|
|
prepare or release a fix.
|
|
|
|
[^scum]: For other scum, see the organization behind [FinFisher][]; and the
|
|
group [Hacking Team][].
|
|
|
|
[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
|
|
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team
|