In mid-September, Apple was forced to issue an emergency security update for its iPhone, iPad, Mac, and Watch operating systems after being alerted to a “no click” exploit allegedly tied to the Pegasus surveillance software distributed by the Israeli company NSO Group.
The Citizen Lab, a Canadian human rights and security advocacy group, alerted Apple to the exploit, dubbed FORCEDENTRY. The exploit, which Citizen Lab found on the phone of a Saudi activist it examined back in March, targeted Apple’s image rendering library. It uses “maliciously crafted” PDF files that could lead to “arbitrary code execution,” Apple said in a security bulletin.
The “no click” designation by Citizen Lab means Apple users don’t need to open the PDF sent to them for the spyware to infect their devices. Once installed, Pegasus gives attackers “virtually unfettered access to the victim’s device, where it can monitor messages, listen in on calls, activate the camera, and more,” said Daniel Markuson, a digital privacy expert at NordVPN.
The Citizen Lab spearheaded recent reporting on the NSO Group’s surveillance software, with news stories in July saying the company’s military-grade Pegasus product had been used to spy on business executives, journalists, human rights advocates, and government officials. NSO Group has disputed the reporting, saying it sells the software to governments to fight crime and terrorism.
But with some NSO customers using the software to spy on other people, several security experts urged Apple users to update their devices immediately.
“These new accusations bring a heightened sense of concern among privacy activists that no smartphone user, even those using software like WhatsApp or Signal, is safe from their privacy being infringed upon,” Markuson told the Washington Examiner. “Cyber-tech surveillance can be a real threat from both individuals and institutions, and this situation with NSO Group is only bringing this long-lasting issue into the limelight.”
Pegasus illustrates the importance of comprehensive mobile security efforts at an organization, added Hank Schless, senior manager of security solutions at Lookout, a security vendor that has researched Pegasus for years.
“There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data,” he told the Washington Examiner. “Once the attacker has control of a mobile device or even compromises the user’s credentials, they have free access to your entire infrastructure.”
After the attackers gain access to a company’s cloud or on-premises apps, “they can move laterally and identify sensitive assets to encrypt for a ransomware attack or exfiltrate to sell to the highest bidder,” he added.
Meanwhile, some security experts said there appears to be little recourse available to Apple and its customers beyond patching. Holding NSO Group legally responsible would be complicated for the U.S.-based Apple, given that NSO is based in Israel and that attribution for the exploit isn’t 100% solid, some said.
“The business of selling zero-day vulnerabilities is a lucrative business practice and has well-established roots,” noted Keatron Evans, principal security researcher at InfoSec Institute, a security training vendor. “Governments, law enforcement, and even private industry have a long history of paying security researchers for zero-day exploits.”
Meanwhile, a lot of the responsibility for protecting devices falls on the consumer, he told the Washington Examiner.
“It has become standard practice that when a company’s software is found to have zero-day vulnerabilities and exploits are written to take advantage of those exploits, these companies create a patch to fix it,” he said. “Then, it becomes the problem of the consumer to deal with whatever repercussions they’ve had as a result of the software being exploited, or the potential for it being exploited.”
The apparent misuse of Pegasus raises troubling questions, even if attackers aren’t likely to “waste” these exploits on everyday consumers, he added. In addition, he said that the agencies using these surveillance tools might have their own security holes, potentially leading to their surveillance data caches being compromised.
“One real question here is if law enforcement is buying these exploits, and we know their networks and data store locations are susceptible to data breach, is it OK for law enforcement to have access to these powerful exploits?”