Friday, 26 August 2016 09:37

iOS 9.3.5 helps protect against spooks


iOS 9.3.5, released overnight, fixes three flaws exploited by government agencies to spy on individuals.

The flaws, dubbed Trident because of the three-pronged attack, came to light after human rights activist Ahmed Mansoor received messages inviting him to follow a link to supposed secrets about the torture of detainees in the UAE.

Probably because he had previously been targeted by so-called lawful intercept malware, Mansoor chose instead to forward the messages to Citizen Lab at the University of Toronto's Munk School of Global Affairs.

Citizen Lab associated the URLs with apparently US-owned but Israel-based NSO Group, a supplier of mobile phone surveillance software to governments, and chose to collaborate with mobile and cloud security specialist Lookout to investigate.

NSO's Pegasus spyware has an average per-target licence fee of more than US$25,000, according to Lookout.

Lookout has published a full technical report, but in summary the process works like this:

The attacker sends an SMS or other text message containing a link to a malicious page.

If the user follows the link (and in some cases it may open automatically), the destination page determines the device type in order to deliver and install the appropriate malware.

The malware collects personal data (including calendar and contact information, as well as passwords and GPS location), SMS and chat messages, and voice calls (not just the metadata, the actual audio from phone, Viber, Skype and other apps), and forwards them to the attacker.

Where the target is an iPhone, the malware chains three separate vulnerabilities to perform a remote jailbreak, then installs the spyware that carries out the ongoing monitoring. It also disables automatic updates and any existing jailbreak.

The first vulnerability (CVE-2016-4657, in WebKit) gives the attacker code execution as soon as the link is opened in Safari. That initial code uses the second (CVE-2016-4655, a kernel memory disclosure) to defeat kernel address space layout randomisation and learn where the iOS kernel sits in memory, and then the third (CVE-2016-4656, a kernel memory corruption bug) to gain kernel privileges and jailbreak the phone so that the spyware can be installed.

"We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find," said Citizen Lab.

Citizen Lab and Lookout reported the vulnerabilities to Apple on 15 August, and Apple released the fixes as iOS 9.3.5 on 25 August.

Here's how Apple describes the issues:

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and Lookout

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4656: Citizen Lab and Lookout

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4657: Citizen Lab and Lookout

Apple recommends users move to iOS 9.3.5 "immediately if possible." Automatic updates may take up to a week, but the update can be installed manually (Settings>General>Software Update).
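For anyone responsible for more than one device, the practical follow-up to that advice is to check which devices have actually received 9.3.5. The following script is an added example and not something from Apple, Lookout or Citizen Lab: it audits a constructed, MDM-style inventory export (the CSV layout, device names and model strings are assumptions made for the example) and lists devices whose iOS version is below 9.3.5. The one thing worth getting right is comparing versions as numeric tuples, since a plain string comparison puts "10.0.1" below "9.3.5" and would mark patched iOS 10 devices as vulnerable.

```python
import csv
import io
import re

# First iOS release that carries the fixes for CVE-2016-4655, -4656 and -4657.
FIXED_IN = (9, 3, 5)

# Constructed sample of an MDM inventory export. Names, models and versions
# are made up for this example; the column layout is an assumption too.
SAMPLE_INVENTORY = """\
name,model,os_version
ceo-iphone,iPhone 6s,9.3.4
finance-ipad,iPad Air 2,9.3.5
pr-iphone,iPhone 6,10.0.1
legacy-kiosk,iPad 2,8.4.1
dev-test-1,iPhone 5s,9.3
broken-row,iPhone 6s,
"""

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn '9.3.5', '9.3' or '10.0.1' into a (major, minor, patch) tuple.

    Tuples compare numerically field by field, which is the point: as
    strings, '10.0.1' < '9.3.5'. Returns None for anything that is not a
    dotted numeric version (blank cells, build identifiers, typos).
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def has_trident_fix(version):
    """True if the parsed version is iOS 9.3.5 or later."""
    return version >= FIXED_IN


def audit_inventory(csv_text):
    """Sort inventory rows into patched / needs_update / unknown by device name.

    'unknown' collects rows whose version could not be parsed so they are
    followed up by hand rather than silently counted as patched.
    """
    result = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row.get("os_version", ""))
        if version is None:
            result["unknown"].append(row["name"])
        elif has_trident_fix(version):
            result["patched"].append(row["name"])
        else:
            result["needs_update"].append(row["name"])
    return result


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The check only answers whether the fix is present on a device; it makes no attempt to judge which older releases contain the vulnerable code, and a device that cannot be moved to 9.3.5 at all still shows up under needs_update, which is the right place for it.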

But Citizen Lab warned "we assume that NSO Group and others will continue to develop replacements for the Trident."

Even if you don't expect to be targeted by a government agency, now that the vulnerabilities are public, ordinary cyber criminals are likely to take advantage of them on devices that are left unpatched.

Image: Creative Tail [CC BY 4.0] via Wikimedia Commons



Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
