Security researchers discover three actively exploited zero-days in iOS


Apple iOS versions prior to 9.3.5, which was released on Thursday, contain three zero-day vulnerabilities that let attackers gain kernel access on iPhones, after which they can intercept messages, phone calls, emails and more. The vulnerabilities may have been exploited for as long as three years.

Two organizations report the vulnerabilities, which they collectively call 'Trident': the American security company Lookout and the Canadian research group Citizen Lab. They discovered the vulnerabilities thanks to human rights activist Ahmed Mansoor. Earlier this month he received suspicious text messages promising him classified information about human rights violations; all he had to do was click on the provided links. He did not click, and instead passed the messages on to the two organizations. The malware they discovered is called 'Pegasus' and is said to have been developed by the Israeli NSO Group, which in turn is owned by the American firm Francisco Partners.

Once installed, the malware could collect text messages, phone calls, emails, logs and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango and others. Until now it could even survive system updates without trouble and update itself to swap in new exploits once old ones became obsolete. The malware also had a zero-click vector that required no user interaction at all, but it relied on special text messages such as WAP Push SL messages, which iPhones over time stopped processing automatically.

The heavily encrypted malware exploited three vulnerabilities: CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657. Specifically, these are a vulnerability in Safari's WebKit engine that allows code execution (CVE-2016-4657), a kernel information leak that lets the attacker locate the kernel in memory, defeating kernel address space layout randomization (CVE-2016-4655), and a kernel memory-corruption vulnerability that enabled a silent jailbreak and the installation of the spyware (CVE-2016-4656). The malware reportedly contained a kernel mapping table with values believed to originate from iOS 7, meaning it may have been in use for almost three years. Pegasus is also said to have a self-destruct mechanism.

According to Lookout, the malware is also used to attack Android and BlackBerry devices, but the company would not go into detail about that. Citizen Lab does not mention the risk to Android and BlackBerry at all, which suggests that those vulnerabilities were already closed in the past. The Lookout researchers call Pegasus "the most sophisticated attack on any device because of the way it leverages the way mobile devices are integrated into our lives." They add: "The malware uses features that only come together on a mobile: a constant connection via Wi-Fi or 4G, voice calls, a camera, email, instant messages, GPS, passwords and contacts."

In addition to Mansoor, at least two other parties are said to have been targeted by the Israeli malware: a Mexican journalist covering corruption in his country and one or more targets in Kenya. Users are advised to install the iOS 9.3.5 update as soon as possible. Of the two reports, Citizen Lab's is the more comprehensive.

Apple told Ars Technica that the vulnerabilities have been fixed in the public and developer betas of iOS 10 since last week.

Image: Citizen Lab, via Hacking Team emails
