This week, news broke about Apple's spyware vulnerability following the identification of a security flaw in the company's operating system.
The situation required the urgent release of a security patch on all devices, including iPads and iPhones.
This incident reminds us that even the most widely used and popular technologies are vulnerable to attacks by experienced hackers. We must accept this fact as soon as possible and resolve the fundamental problems.
About the authorToby Lewis, Darktrace's Global Head of Threat Analysis.
In this case, Apple was notified of the vulnerability by Citizen Lab, a computer science research unit at the University of Toronto. Researchers were examining the cell phone of a Saudi activist when they discovered a vulnerability potentially (and possibly actually) used by customers of NSO Group, the Israeli spyware company, to "invisibly" hack iPhones and other Apple devices. from February 2021.
As we know, Apple is a brand with a strong spread all over the world (for example in the UK it holds a 50% share of all smartphones on the market), as a result millions of people rushed to update their devices to protect themselves. from the vulnerability in question, which could be exploited through Apple's iMessage app, a system known to be safe and secure.
Was the patch effective?
What is evident is that the way we have dealt with security over the past two decades is no longer sufficient to deal with today's cyber threats.
After Apple was notified of the exploit, the company moved very quickly to implement a patch. Apple's timeliness underscores both the gravity of the discovery and the company's commitment to security.
However, patching today is an endless mouse hunt characterized by not always constant effectiveness. The complexity of the digital world is so high that it is difficult to get a complete picture of the situation, and it is probably something impossible for us humans without technological support. Hackers are constantly looking for innovation and increasingly professional ways of acting, gathering in international organizations and investing time and resources in the search for new entry points. As soon as targets patch a vulnerability, a new one is immediately identified.
Also, while patches fix vulnerabilities, they still can't stem the damage done by those already exploited, or undo the breaches that have already occurred. Furthermore, they cannot interrupt an ongoing attack, in which hackers are already able to move around the system and extract sensitive data.
Patches alone are not an adequate defense mechanism, as they only act on known vulnerabilities, thus always remaining one step behind. On the other hand, how could they ever eliminate still unknown weaknesses?
In today's world of cyber threats, human-only security teams cannot predict all potential flaws in a given technology.
For this reason, cyber security defense systems only act reactively (when a breach occurs), rather than attempting to stem the threat and neutralize it before the damage is done. Building a "wall" around a perimeter doesn't work against advanced attacks: Targets need technology that can detect when breaches are being exploited, including those that human operators were completely unaware of. Equally essential is the presence of a technology capable of interrupting attack activities autonomously, before the data ends up in the wrong hands.
How does Pegasus spyware work?
Pegasus uses a variety of exploits to gain access to a device. These exploits are customizable based on the target or "attack campaign". In essence, users have access to several vulnerabilities that plague Apple and Android. These allow them to take advantage of some native apps (sometimes just opening a file sent by email or SMS, or clicking on a link that opens in Safari or other browsers) to perpetrate the attack.
In this case, the identified exploit was of the "zero-click" type, a type that does not even require the recipient of a malicious message to open the attachment in order for the device to become infected. The exploit allows hackers to execute their own code, including the code for installing Pegasus spyware components. The latter, in turn, is able to activate the cameras and microphone of the device, as well as record SMS, e-mails and calls, and then share them with NSO Group customers.
Who were the targets?
Exploits like this are very sophisticated, and it is not surprising that prime targets are often individuals with access to confidential information, such as espionage agents, politicians and journalists. In today's world, "high-level individuals" know that their name is on some list of targets to hit, and if they don't know it they should realize it as soon as possible and take all precautions to avoid being hit.
Using the form of a commercially available cyber espionage toolkit, NSO has reduced the technical barriers to entry, allowing different organizations to perform cyber-attacks on their targets, giving anyone with the right budget access to functionalities and techniques of the highest level. And as we saw with Red Teaming's CobaltStrike tool, it's only a matter of time before we see a "cracked" version online. Therefore, while such attacks do not appear as an immediate threat to the average Apple user, once such tools are created, they tend to spread like wildfire.
For example, criminals could use access to steal personal data for more important purposes, to scam victims, or even block users en masse and demand ransom in the form of a ransomware attack to unlock them.
Once a spyware is invented, its spread is no longer controllable and can spread rapidly around the world. If it gets into the wrong hands, uses can be nefarious, just as the targets hit can become a much larger group of subjects. We must accept that when it comes to hacking tools, the possibilities are endless and the most innovative hackers will always find ways to carry out their attacks.
How safe is Apple, even compared to the Android world?
Companies like Apple are a very attractive target for hackers. Its technologies and devices are present in every area of society.
From navigating through maps to logging into bank accounts, smart devices are increasingly part of our daily activities and store staggering amounts of personal data.
Apple's security architecture is based on the so-called "walled garden", a system in which the operating system behind the smartphone is completely inaccessible to third-party apps. Such apps are only installable through the official App Store and run from an isolated area of storage and computing resources.
Given the severity with which apps are scanned for approval and listing in the App Store, the only effective way to install malware on an Apple device is to exploit the operating system, a process also known as jailbreaking.
The Android architecture, on the other hand, gives users more freedom to install apps, without the protection mechanisms adopted by Apple. Even on the official Google Play app store, verification and moderation for apps is limited, which increases the risk of installing malware without overly complicated exploits. Either way, Pegasus finds itself loaded into some Android-specific exploits, similar to those used to target Apple devices.
Apple has always worked with researchers to identify exploits and quickly patch them. But that doesn't always help customers who have already suffered the consequences of an attack.
How to stay protected, then?
Patch distribution is a fundamental part of cybersecurity procedures, as it protects the organization and users of the technologies from known vulnerabilities. However, patches have limited effectiveness against the new, more sophisticated attacks, and hackers today are always faster at creating new threats than security officers are at intervening with fixes.
Modern businesses and high-risk individuals will always be on a target list, but once a given malware spreads, any user of a given smartphone can become the next victim. Technology opens up many opportunities for us to improve the way we work and communicate, but it inevitably introduces security risks and this is a fact of today's digitized society that we must accept.
There is no way to stop hackers from gaining access to critical systems forever, but what we can do is stop the threat, reduce the damage, and prevent personal data from falling into the hands of the bad guys. Machine learning AI enables organizations to detect hostile activity on employee devices before a sensitive data breach occurs.
In essence, cutting-edge technologies are fundamental for countering threats: humans have limited resources and capabilities, and the autonomous and rapid action of artificial intelligence is increasingly necessary to identify and stop threats before they it's too late.