Security industry reacts to Apple iOS triple zero-day threats


Active threats that can exploit Apple devices are not commonplace, truth be told. Those leveraging zero-day vulnerabilities are rarer still. Which is why the news that Apple has fixed an active threat chaining no fewer than three critical iOS zero-day vulnerabilities, just before the Bank Holiday weekend kicked off, is such big news.

It would be fair to say that until news of this broke on Thursday last, attempts by spyware to leverage multiple zero-day threats were rarer than rocking horse poop. And not many threats out there come with a million-dollar price tag either!

When Citizen Lab and Lookout uncovered the triple-header of vulnerabilities, dubbed Trident, they worked together with Apple to ensure the threat was patched as quickly as possible. If you haven’t updated your device with the iOS 9.3.5 patch yet, you might want to pull your finger out and get clicking.

Leaving it until later is not a good idea, especially now that details of Trident (and the Pegasus spyware that uses it) are in the public domain. Remember, this is an active threat which we are assured can “form an attack chain that subverts even Apple’s strong security environment.”
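The practical takeaway above is “get every device onto iOS 9.3.5”. For anyone responsible for more than one iPhone, that means checking a fleet inventory rather than one Settings screen, and version strings bite if compared as text (“9.3.10” sorts below “9.3.5” as strings). The script below is an added example, not from the original article or from Apple; the inventory format, device names and version values are constructed for illustration, and a real run would read the same two fields from an MDM export.

```python
"""Flag iOS devices in a fleet inventory that still lack the Trident fix.

Added example, not from the original article. The inventory records are
constructed; only the 9.3.5 baseline comes from the article.
"""
from typing import List, NamedTuple, Optional, Tuple

# Apple shipped the Trident fixes in iOS 9.3.5 (stated in the article).
PATCHED_VERSION = "9.3.5"


class Device(NamedTuple):
    name: str
    os_version: str


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '9.3.5' into (9, 3, 5). Shorter strings are padded with zeros
    so '9.3' compares as (9, 3, 0). Returns None for anything that is not
    dotted integers, so callers can treat unknown versions as unverified."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_patched(os_version: str, baseline: str = PATCHED_VERSION) -> Optional[bool]:
    """True if os_version is at or above the baseline, False if below,
    None if the string could not be parsed. Tuples compare numerically,
    so a hypothetical 9.3.10 correctly sorts above 9.3.5."""
    current = parse_version(os_version)
    target = parse_version(baseline)
    if current is None or target is None:
        return None
    return current >= target


def unpatched_devices(inventory: List[Device]) -> List[str]:
    """Names of devices below the baseline or with an unparseable version;
    both groups need follow-up, so neither is silently dropped."""
    return [d.name for d in inventory if is_patched(d.os_version) is not True]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("iphone-ceo", "9.3.5"),
    Device("iphone-sales-01", "9.3.4"),
    Device("ipad-reception", "9.3.10"),  # hypothetical later point release
    Device("iphone-legacy", "8.4.1"),
    Device("iphone-unknown", "n/a"),     # MDM returned no usable version
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print("needs attention:", name)
```

Devices whose version cannot be read are reported alongside the genuinely out-of-date ones on purpose: an inventory gap is not evidence of compliance, and in this case the cost of a false “all clear” is a device that remains exposed to a known, in-the-wild exploit chain.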

If you want to find out more about Pegasus, the NSO Group malware capable of infecting an unpatched iPhone, then check out these resources:

Citizen Lab: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender.

Lookout: Technical Analysis of Pegasus Spyware.

Meanwhile, though, IT Security Thing has been collating the thoughts of the wider security industry.

Let’s start with Ed Macnair who is CEO of cloud security company CensorNet:

“This is a hugely sophisticated attack and, while it’s unlikely to affect the majority of people given it comes with such a hefty price tag, there are wider implications. While Pegasus is not easy to pull off with the number of vulnerabilities it had to exploit to be effective, it once again shows that the trusty old phishing attack can be a starting point for untold other exploits. An update from Apple has been released but businesses need to be constantly vigilant to what’s going on with the mobiles their employees are using. There’s a huge amount of confidential data stored in cloud apps on most of these devices and just one click on a link in a text message can easily expose it. Every business should have the tools in place to see actions like file uploads, downloads, data storage and so on for all cloud apps. It’s the only way to quickly see if there’s something untoward going on and stop it. Pegasus might not be a threat to everyone, but there’s plenty more out there that may be and more control over cloud applications is key to spotting them.”

Next we move on to Guillaume Ross, senior security consultant with pen testing specialists Rapid7:

“Though Apple iOS enjoys a well-deserved reputation for being an operating system in which security is a priority, vulnerabilities are found and will keep being found within the system. How difficult it is to break into iOS should keep increasing as additional hardening techniques are built into the OS; however, as evidenced by these recently discovered vulnerabilities, this doesn’t prevent sophisticated attackers from working on new and improved techniques. What makes this specific type of attack particularly sophisticated is the number of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction. This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone, and then persists on the device. Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past. Detecting such an attack, for the user of an iOS device, would be extremely difficult after the fact. iOS 10, with additional hardening, is to be released in the next few weeks, and will probably achieve rapid adoption numbers. Between iOS 9.3.5, protecting devices now, and protecting a few models unable to obtain iOS 10 when it is released, and iOS 10, the overall number of vulnerable devices should drop drastically in the next weeks and months.”

Here’s what Jonathan Sander, VP of product strategy at privileged access management vendor Lieberman Software reckons:

“The only real surprise in this iPhone spy tool story is that anyone is surprised. All over the world, the bad boys of tech have left their basements behind for professional buildings and are making lots of cash selling malware. Of course repressive regimes are looking to weaponize that malware against the people that oppose them. With a glut of ill-gotten cash and a lack of scruples, those regimes are a malware dealer’s perfect customer. This is simple supply and demand. While there are people who want to break into things for any reason, there will be bad guys willing to sell the tools to crack stuff wide open.”

Meanwhile, Mark James who is a ‘security specialist’ at security specialists (and antivirus software vendor) ESET says:

“Apple and indeed Google want you to have phones that make you feel safe using their latest technology, so for me, when I see Apple releasing an emergency fix for a zero-day they were only notified about 10 days ago, that makes me feel valued as an Apple user. Some people may see it as just “another update” or even as unimportant, but believe me, you want to install this as soon as possible. Security updates are the only way forward in keeping electronic devices safe; gone are the days when a well-known company would release an update and everyone groaned and waited to see the damage it caused before installing it themselves. Nowadays if there is a security update or patch you NEED to treat it with urgency and get it installed now, not tomorrow.”

And Travis Smith, a senior security research engineer with security vendor Tripwire commented:

“The fact that this particular exploit took advantage of three vulnerabilities to accomplish complete control shows how advanced and committed the authors are. While what we’ve seen exploited in the wild thus far has been targeted towards high-profile targets, exploits eventually trickle down into less skilled hands who eventually target a larger audience. The advantage the general public has is that a patch is already available. The typical iOS user will not differentiate between a major update and a security update. Unless there are reports of apps crashing or degradation of battery life, users will more than likely install the update.”

And finally, Emily Orton, who was co-founder of Enterprise immune system technology vendor Darktrace, has this to say:

“While many iPhone users rush to update their software today, security teams are inevitably playing a perpetual game of catch-up with today’s evolving cyber-threats. No patch is ever fast enough for an attacker’s first victim. From a business perspective, it is vital to get ahead of this – and that means getting visibility of all your systems, including mobiles, and anticipating potential problems before they escalate. Infiltrations are very hard to avoid, if not impossible – so the focus must be on early detection of threats, as they unfold.”