Following the Pegasus scandal, Google's Project Zero specialists managed to get their hands on the iOS version of the malware. They discovered an attack of rare complexity, going so far as to simulate a computer through a “simple” animated GIF.
With 50,000 people targeted, including 1,000 in France, the Pegasus scandal is one of the biggest spy cases. To infiltrate victims' phones, NSO Group has created attacks to exploit several flaws, including a "zero-click" dubbed Forcedentry. The latter was able to breach the security of the iPhone to install Pegasus without any user interaction.
Google's Project Zero cybersecurity researchers were able to dissect the iOS version of the malware to understand how it works. Unlike previous versions, the victim was not prompted to open a link. Here, the flaw lies in the display of GIF animated images in the iMessage app.
A computer contained in a GIF
When the application tries to display a GIF file in a loop, it uses one of the 20 image codecs available to it depending on the type of file. This includes a codec for PDF. To infect an iPhone, NSO Group therefore created a PDF file which is opened by the CoreGraphics PDF interpreter, which in turn uses the JBIG2 codec. The flaw is in the latter, with which it is possible to cause a heap overflow.
However, JBIG2 cannot interpret scripts, which limits the possibilities to simple logical functions. The developers at NSO Group therefore used 70,000 commands to simulate a rudimentary computer architecture capable of executing a script to infiltrate the device. This is an incredibly sophisticated attack that exploits one of the most basic flaws. Project Zero specialists called it "one of the most technically sophisticated feats we've ever seen." Apple patched the flaw on September 13 with iOS 14.8.
Pegasus scandal: five French ministers have allegedly been spied on
Mediapart claims that the phones of five current ministers have at least traces location for the installation of the Pegasus spy software. They would have been targeted between 2019 and 2020.
Published on 26/09/2021 by Louis Neveu
The famous "winged donkey" that Guillaume Poupart, the boss of Anssi (National Agency for the Security of Information Systems), made fun of, when various French entities suffered a massive cyberattack at the end of July, is being talked about again . In mid-July, Futura explained that the Pegasus software was used to try to spy on around 1,000 French people, whether journalists, industrialists or political figures. Today, we know a little more about the people who were targeted from 2019. According to the latest information obtained by Mediapart, a document compiling the results of the inspection of the phones of members of the government shows that the mobiles of five ministers have "suspicious markers".
This does not mean that they were being spied on, but that the process of setting up Pegasus had at least been initiated. These "markers" are therefore on the telephones of the Minister of National Education Jean-Michel Blanquer, the Minister of Territorial Cohesion Jacqueline Gourault, the Minister of Overseas Sébastien Lecornu, the Minister of Housing Emmanuelle Wargon and Julien Denormandie, Minister of Agriculture. Previously, traces of tracking to inoculate Pegasus had already been discovered on the mobile of François de Rugy, who was then Minister of Ecology.
NSO Group denies
These six ministers are currently the ones whose motives have been approached to prepare for the implementation of the spyware, but in July, a list of telephone numbers revealed that in all fifteen members of the government, including the former Prime Minister, had been targeted. According to Mediapart, it is not only the ministers who have been targeted, but also senior officials of the Elysée and perhaps even the President of the Republic, whose telephone number is part of the list. For example, we find the case of the adviser for Africa to the President of the Republic. A suspicious clue when we know that one of the clients of the publisher of Pegasus, NSO Group is the Kingdom of Morocco, even if the country denies being involved in these espionage attempts. Despite the technical clues discovered, for its part NSO Group explained that all the French ministers are not part of the targets of Pegasus.
Project Pegasus: Apple defends the security of its iPhones
Pointed to the faults of the iPhone after the revelations of the Project Pegasus scandal, Apple defends itself and explains that its smartphone remains the most secure in the world. Except that the flaws are still present and still allow spyware to be installed on a very specific target.
Published on 20/07/2021 by Fabrice Auclert
Project Pegasus is a hot topic, and as journalists, lawyers, whistleblowers and politicians consider filing a lawsuit against the company behind the spyware, but also those who set up this spy system, other voices are raised against the weakness of iPhone security.
To spy on their targets, hackers have used the Kismet flaw that can trap iPhones by sending a simple iMessage. Once the recipient receives the message and views it, without even clicking on it, this triggers the installation of the spyware. It's called a zero-click flaw, and iOS suffered from it before Apple patched it with iOS 14.
This is the type of message a target of this large-scale espionage receives. No need to click on the link, the display of the SMS launches the installation. © CitizenLab
A flaw still exploited!
The problem -- and it's the usual game of cat and mouse between hackers and Apple -- is that the company Israeli NSO Group adapted to Apple's patches and used other services to open breaches. Before there was Apple Photos, then after the patch to fix iMessage, there was Apple Music. As a result, according to the Amnesty International report, the flaw still works against iPhones and iPads running iOS 14.6, but also versions 14.3 and iOS 14.4. Clearly, attacks are always possible.
Monday, following this unprecedented scandal, Apple defended itself in the Washington Post, through the voice of Ivan Krstić, head of engineering and security. After having "unequivocally condemned cyberattacks against journalists, human rights activists and others who seek to make the world a better place", this leader asserts that "Apple is at the forefront of innovation in security and, therefore, security researchers agree that the iPhone is the most secure consumer mobile device on the market.
What about Android?
According to him, “attacks like those described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific people ". For Apple, these attacks "do not pose a threat to the overwhelming majority" of iPhone users.
What about Android? Google's operating system is not spared by this spyware and thousands of targets used an Android smartphone, mainly Samsung models. To infect them, the hackers also used a “zero-day” flaw present in WhatsApp. The principle was the same as with iMessage, but this time it was enough to call a contact for hacking to be possible, even if the target of the attack did not answer the call! Owner of Whatsapp, Facebook corrected the flaw and filed a complaint against NSO Group.
As early as 2018, WhatsApp executives warned that activities had been hacked by the Pegasus spyware. © LoboStudioHamburg, Pixabay, DP
Project Pegasus: the underside of a huge cyber-espionage scandal
States have installed spyware on thousands of phones of journalists and activists from fifty countries. More than 1,000 French would be part of these targets.
Published on 07/19/2021 by Louis Neveu
This is the scandal of this Sunday, July 18. During an investigation by Forbidden Stories, a vast international consortium of journalists, from seventeen newsrooms, and supported by Amnesty International, was able to recover a list of 50,000 telephone numbers targeted by spy software called Pegasus. A software which comes back punctually in the news and which has already been mentioned by Futura.
In this survey, it appears that many states use this spyware to monitor activists, lawyers, politicians, journalists and opponents around the world. Among the targets are around thirty journalists and French media bosses from the newspaper Le Monde, France Télévisions, Le Figaro and AFP. In all, more than 1,000 French people would be affected. Thirteen Heads of State or Government, including three Europeans, were also spied on via Pegasus. The 50,000 phone numbers listed are not all spied on, but are part of a list of potential targets.
The software can be implemented in different ways in the Android mobile or an iPhone: zero-day fault via an application such as iMessage or WhatsApp, direct access to the smartphone, installation via a trapped link such as malware. Once it lodges there, it is difficult to detect, since it is at the level of the phone's kernel, that is to say at the heart of the operating system, as described in an article by the cybersecurity company Lookout. No data encryption is effective in protecting against it. It therefore overrides that of applications like Signal or Telegram. In addition to recovering messages, photos, contacts and listening to calls, it can also be used to activate the mobile's microphone and camera.
The tool grafts itself into the system core and becomes undetectable. Here is a snippet of the code to trigger the mobile's microphone to record what its microphone can pick up. © Lookout
A powerful cyber weapon
This particular software is published by the Israeli company NSO Group. A company that has now become a leader in telephone monitoring. NSO Group was created by two former IDF Unit 8200 agents. A unit of hackers tracking down flaws in systems and applications to implant spyware. Despite what it claims, the survey published in Le Monde shows that the company is not always observant and sometimes sells its spyware to anyone who wants to buy it.
It has about forty States as customers, including Morocco, Kazakhstan or Azerbaijan. On the other hand, it would refrain from operating in around fifty countries and certain States deemed too sensitive. This is the case of the United States, Russia or Israel. Moreover, it is the latter who issues the authorizations to market its software and who sometimes pushes it to cross the red line for diplomatic reasons.
As the survey shows, this spyware can be seen as a real cyber-weapon to equip a small country with a tool that can be used to fight terrorism and crime, but also to control the media and opponents. Above all, this scandal shows that, unlike the arms market, the regulations governing the sale of cyber-weapons are very vague. A legal vagueness that can be dangerous when this powerful weapon is sold to a repressive state.
---
Discover TechPod, the bi-monthly summary of tech and mobility news!
---
!
Thank you for your subscription. Glad to count you among our readers!