5 months after the revelations of Pegasus extended usage, the spyware hits again.
Recently, employees from the U.S. State Department were targeted by an unidentified group using NSO's Pegasus software. After the revelations in July exposing that it had struck journalists and leading officials, the spying malware continues to propagate on the mobile devices of critical targets.
In July 2021, 50.000 people had been directly hit by the spyware, but the stolen information also involved everyone connected to the victims as sometimes, it is just easier to reach a target through its network.
While Android and iOS operating systems are developed taking mobile security into account, with such a spyware, the NSO group demonstrates again that standard mobile OS safeguards are not reliable enough to keep users’ data safe, bringing to the fore the necessity to add an extra layer of security to all mobile devices.
Pegasus, Modus Operandi
To compromise high-value targets, the Pegasus spyware exploits vulnerabilities in common apps such as iMessage, FaceTime, Safari, WhatsApp, etc. that have a web module (WebKit, WebView…) to silently reach invisible and unclassified dynamically generated URLs.
The reached pages then execute JavaScript code to exploit vulnerabilities to get out of the applications’ sandboxes, hence bypassing all mechanisms in place in the Android and iOS systems.
Once in the kernel layers, Pegasus exploits a sequence of zero-day and known processor vulnerabilities to execute arbitrary code (Arbitrary Code Execution) without requiring the system to be rooted or jailbroken.
The code is charged directly into the RAM and not as an application, making it tricky to be detected. After achieving all these steps, Pegasus massively exfiltrates users’ data, including encrypted ones (WhatsApp, Signal, Telegram conversations...).
What to learn from Pegasus
Mobile devices are undeniable high-value targets
In 10 years, the smartphone became the connected device that is the most used for both professional and personal usages. Always close to hand, it accesses and stores almost every single data related to an individual: agenda, locations, contacts, photos, conversations… Still, at a time when data protection is increasingly enforced, cybersecurity practices in place do not measure up with the sensitiveness of those devices.
Recently, we have witnessed a surge in cyberattacks with more and more headlines pointing towards mobile originated breaches. Pegasus brings the reality of the multi-level fallibility of a mobile device and the broad reach of a mobile attack.
A mobile device can be compromised at the application, the network and the OS level. For 76% of mobile data breaches, applications are involved. On average, 3 apps out of 5 have vulnerabilities and/or backdoors that can be exploited to exfiltrate data. Aside from apps, network connections (cellular, WiFi, BlueTooth, NFC…) represent another direct access point to data transiting from the mobile devices over the network, exposing them to eavesdropping or infecting them with incoming malicious code. And finally, OS misconfigurations and vulnerabilities can be exploited to escalate privilege and access users’ data that are stored on the device. Pegasus acts at each of these levels to spy on its victims.
iOS is not an impregnable fortress
Until now, the common belief was that the lockdown approach inherent to the iOS system made it invulnerable to cyberattacks. The Pegasus Project definitively turned down this urban myth with, among other cases, an iPhone 12 Pro Max running the latest version of the system 14.6 being compromised by a zero-click attack through an iMessage zero-day vulnerability exploit in June 2021.
“When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them.” commented Edward Snowden.
Despite considerable efforts initiated by Apple, iOS is fallible just like any system and the fact that most devices are simultaneously running on the same version has its downside. The cyberthreat landscape is continuously evolving and breaking into the Apple system is an exciting and lucrative activity for hackers.
Largescale surveillance is not a new story
Pegasus highlights the depth of a largescale attack targeting head of states, political figures, or journalists. However, it should not elude that surveillance is performed on a daily basis through industry-oriented approaches, non-targeted data exfiltration hackings, and even common marketing practices. The dark web is chock-full of data brokers monetizing 1 million active users’ data for an average of 4000 USD/month.
Therefore, every single mobile user and all companies should be concerned about how data are handled on mobile devices and what measures are in place to prevent data exfiltration.
Our global guidelines
An effective security solution for mobile must provide innovative and advanced functionalities to specifically keep up with mobile cyber-criminality. The core guideline Pradeo provides is to implement a dedicated mobile security solution rather than an all-in-one service that will only surface the response to mobile threats.
- Secure your whole mobile environment
Both Android and iOS have hundreds of vulnerabilities detected and patched every year, and the same goes for mobile apps used on these environments. - Use adaptable security features
Every organization attaches a different importance to each data according to its activity, its security standards, the industry it belongs to, etc. To protect the data they value the most, security teams should rely on granular detection and threat response policies that they can customize to reflect their specific needs. - Condition the access to company resources
To make sure no threat will spy on your sensitive resources through the mobile devices accessing it, security-based conditional access is the recommended best practice. That way, when a device bears a threat, its access to company’s resources is denied. - Analyze security events
The unified visibility into security events should be achieved through a SIEM solution (Security Information and Event Management). It aims at gathering events across environments (PCs, servers, and mobiles) for forensics purpose and leverages the granularity of a dedicated mobile detection for cross and advanced analysis.
