
Israeli surveillance software Pegasus targets cloud data on infected iPhones

2019 July 19
by RSS Feed

Israeli company NSO Group claims its Pegasus surveillance tool can extract data from cloud services such as iCloud, Google Drive and Facebook Messenger, among others, by way of an infected iPhone or Android smartphone.

According to a paywalled report published yesterday by The Financial Times, the technique works on the latest iPhone and Android smartphones, and the cloud access keeps working even after the malware has been removed from the handset, because the copied credentials live on the operator's server rather than on the phone.

The technique is said to copy the authentication keys (the session tokens a logged-in app holds) for services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to impersonate the phone, down to its reported location. Because those tokens are issued only after the user has already passed login, the server gets open-ended access to the apps’ cloud data without ‘prompting 2-step verification or warning email on target device’, according to one sales document.

A spokesperson for NSO said that the company does not provide or market any type of hacking or mass-collection capabilities to any cloud apps, services or infrastructure.

Apple said its operating system was “the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.” The company added that it regularly updates its operating system and security settings.

Interestingly, Apple doesn’t deny such a capability could exist.

While NSO Group denied promoting hacking or mass-surveillance tools for cloud services, it didn’t specifically deny that it had developed the capability described in the documents. Crucially, the tool works on any device “that Pegasus can infect”.

One pitch document from NSO’s parent company, Q-Cyber, which was prepared for the government of Uganda earlier this year, advertised the ability of Pegasus to ‘retrieve the keys that open cloud vaults’ and ‘independently sync-and-extract data’.

Having access to a ‘cloud endpoint’ means eavesdroppers can reach ‘far and above smartphone content’, allowing information about a target to ‘roll in’ from multiple apps and services, the sales pitch claimed. It is not yet clear if the Ugandan government purchased the service, which costs millions of dollars.

Take NSO Group’s claims with a grain of salt.

This isn’t the first time someone has made bold claims about bypassing the security features of Apple’s custom-designed chips and the iOS software powering iPhone and iPad. It’s true that law enforcement doesn’t shy away from paying millions of dollars in licensing fees for such software. It’s also true that the FBI eventually turned to a third-party unlocking tool, widely reported at the time to come from an Israeli firm, to get into a phone belonging to the San Bernardino shooter.

However, that was an older iPhone powered by an Apple chip without a Secure Enclave, the cryptographic coprocessor that keeps the data-protection keys in hardware and enforces passcode-attempt throttling. Such tools may well have been used against modern iPhones too, but in most publicly documented cases a human factor opened the attack vector: a victim installed a rogue app carrying malware, a silently installed VPN profile was used to sniff network traffic, a weak passcode was used without biometrics, or something similar.

The cloud extraction itself doesn’t look like it exploits an iOS vulnerability: it reuses tokens from a phone that is already infected.

One of the pitch documents itself names the old-fashioned countermeasure: changing the account’s password and revoking the app’s login permission. That invalidates the replicated authentication token until, according to the document, Pegasus is redeployed on the phone.
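The two mechanics above, token replay from a foreign server that never triggers a second-factor prompt, and the password change that kills the replay, are easy to see in a toy model. The following is an added example written for this page; it is not NSO’s or any vendor’s code, and the service, user, token, client fingerprints and audit entries are all constructed here. The `fingerprint` string stands in for whatever client attributes a real backend sees (device model, IP address, locale).

```python
"""Toy cloud backend: password + second factor at login, bearer token afterwards.
Constructed example; nothing here is a real service or real data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str   # client attributes recorded at login (device, IP, ...)
    token: str


class ToyCloudService:
    def __init__(self):
        self._passwords = {}    # user -> sha256(password) (toy; use a real KDF)
        self._otp_secrets = {}  # user -> expected second factor (toy stand-in)
        self._sessions = {}     # token -> Session
        self._data = {}         # user -> cloud content
        self.audit_log = []     # (event, user, fingerprint)

    def register(self, user, password, otp, data):
        self._passwords[user] = hashlib.sha256(password.encode()).hexdigest()
        self._otp_secrets[user] = otp
        self._data[user] = data

    def login(self, user, password, otp, fingerprint):
        """The only place the password and the second factor are ever checked."""
        if self._passwords.get(user) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad password")
        if not hmac.compare_digest(otp, self._otp_secrets[user]):
            raise PermissionError("bad second factor")
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, fingerprint, token)
        self.audit_log.append(("login", user, fingerprint))
        return token

    def fetch(self, token, fingerprint):
        """Data access checks only the bearer token: no password, no 2FA, no email."""
        s = self._sessions.get(token)
        if s is None:
            raise PermissionError("token revoked or unknown")
        self.audit_log.append(("fetch", s.user, fingerprint))
        return self._data[s.user]

    def change_password(self, user, new_password):
        """Password change that also revokes every session issued to the user."""
        self._passwords[user] = hashlib.sha256(new_password.encode()).hexdigest()
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[tok]


def flag_mismatched_fingerprints(audit_log):
    """Naive detection: flag fetches whose client fingerprint differs from the
    one seen at login. A replay that faithfully mimics the phone evades this."""
    last_login, flagged = {}, []
    for event, user, fp in audit_log:
        if event == "login":
            last_login[user] = fp
        elif event == "fetch" and last_login.get(user) != fp:
            flagged.append((user, fp))
    return flagged


def run_scenario():
    svc = ToyCloudService()
    content = {"photos": 3, "messages": 12}
    svc.register("alice", "hunter2", "493021", content)
    phone = "iPhone;10.0.0.5"
    token = svc.login("alice", "hunter2", "493021", phone)  # 2FA asked once, here

    # 1. Token copied off the infected phone and replayed from another host.
    replay_host = "linux-server;203.0.113.7"
    replayed = svc.fetch(token, replay_host)

    # 2. Same replay, but the host also spoofs the phone's attributes.
    spoofed = svc.fetch(token, phone)

    # 3. Fingerprint-based detection catches the first replay, not the spoofed one.
    flagged = flag_mismatched_fingerprints(svc.audit_log)

    # 4. Victim changes the password; the copied token is dead until reinfection.
    svc.change_password("alice", "correct horse battery staple")
    try:
        svc.fetch(token, phone)
        replay_after_revoke = True
    except PermissionError:
        replay_after_revoke = False

    return {
        "replay_succeeds": replayed == content,
        "spoofed_replay_succeeds": spoofed == content,
        "flagged": flagged,
        "replay_after_revoke": replay_after_revoke,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is in `fetch`: a bearer token is proof that someone passed login earlier, not proof of who is presenting it now, so a server holding a copy is indistinguishable from the phone. Binding the token to a key that cannot leave the phone (a Secure Enclave key, for instance) would close that gap, but only if the key really is non-exportable; software-held keys are copied along with the token. Until then, session revocation is the reliable lever.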

Yes, iOS exploits do exist and some of them are never disclosed, but Apple patches them swiftly thanks to its aggressive software update mechanism. To my knowledge, no security company has yet claimed unambiguously that it can hack into the latest iPhones.

Pegasus was recently used to hack WhatsApp users by exploiting a then-unknown vulnerability in the app’s voice-call handling. WhatsApp has since patched the flaw and the US Department of Justice is investigating.

Thoughts?

Source link: https://www.idownloadblog.com/2019/07/19/nso-group-pegasus-iphone/
