Pegasus: Because even Apple's security policies aren't enough to stop spyware

Time: 02/Apr By: kenglenn


The Pegasus case has highlighted the weaknesses of a "closed" security model like Apple's: to limit the enormous attack surface created by the capabilities of smartphones and by global supply chains, we need layered defense and special protection designed from scratch.

26 Jul 2021 | Pierguido Iezzi, Swascan Cybersecurity Strategy Director and Co-Founder

The news has been circulating for a few days: a zero-day, zero-click vulnerability (i.e. one that requires no user interaction) in Apple's software has been included in the now famous Pegasus spyware, used by some governments (including Hungary's Viktor Orbán) as a tool of espionage and surveillance against hundreds of business leaders, religious figures, academics, NGO employees, union officials and government officials, including ministers, prime ministers and presidents.

This has sparked a series of reactions both among those who say they are concerned about security in the “closed” iOS ecosystem and among those who object to the release of yet another version of this software already used in the past to monitor political activists and journalists.

We must remember that Pegasus is not the result of the work of a criminal hacker, but of an Israeli security company (NSO Group). Since its initial discovery in 2016, Pegasus has continued to evolve, making it easier and easier to infect mobile devices.

In fact, this is not even the first zero-day, zero-click exploit used by spyware, but the software today is so advanced that it runs on the target mobile device without requiring any user interaction: the operator only needs to deliver the malware to the device.

A disturbing prospect, considering how many apps with messaging capabilities iOS and Android devices carry, since Pegasus could be injected into the smartphone through SMS, email, social media, third-party messaging, games or dating applications.


Apple's “walled garden” isn't enough to protect us

This is a problem, especially since, being a closed ecosystem, Apple's source code is not publicly available for review or for searching out bugs that can be exploited by malware and spyware such as Pegasus.


It must be said that Apple has its own dedicated bug bounty program that allows independent researchers and developers to receive recognition and cash rewards if they can identify and report any bugs, especially those related to exploits and vulnerabilities.


But, unlike other big tech companies, and despite Apple being one of the richest multinationals in the world, its bug bounties are really negligible: for an exploit of the caliber of Pegasus, for example, the reward is about 250 thousand dollars, barely enough to cover the wages of a team capable of tracking it down.

If we add to this the difficulty of successfully searching for weaknesses in a device that cannot be "disassembled" either physically or digitally (precisely because it is "closed", as we said at the beginning), it is understandable why vulnerabilities can remain hidden from attackers for longer, but at the same time may not be as readily detected and reported by security researchers either.

In addition to ensuring the security and integrity of its software, Apple also faces the added challenge of doing the same for millions of third-party applications submitted to the App Store.

The Cupertino company, especially in recent months, has made consumer safety and privacy one of its flagship causes.

Precisely to secure the App Store, for example, Apple has introduced the concept of the walled garden: a perimeter that keeps malware and malicious code of all kinds at bay thanks to security policies that prevent the installation of third-party apps from outside the official store.

But Apple must recognize that everyone's safety may require third party help.

It is evident, in fact, that if an app discovers how to escape this sandbox, the security model reverses in favor of criminal hackers. It is true that an iPhone is still a more difficult target than a Mac or PC, but at least on the latter it is possible to analyze the list of running processes or the logs of firewalls and security software and notice any anomalies in Internet traffic in time. If an iOS device were compromised, however, the breach could remain almost completely unnoticed.

Compounding the situation is the fact that the iOS iMessage service (which, apparently, was the weak point exploited by Pegasus to enter target systems undisturbed) is not perfect from a security point of view.

Apple has been adding more and more features to it, and as all developers know, each piece of functionality carries a potential exploitable vulnerability.

Furthermore, the fact that iMessage does not distinguish between how it handles incoming messages from known contacts and from unknown ones leaves an open chasm for possible exploits. To put it simply, accepting and processing messages from anyone is the equivalent of running a network connected to the Internet without a firewall.

iOS and iPhone favorite targets of Pegasus

As we know, Pegasus spyware is designed to target both Android and iOS, even though Apple's operating system seems to be the most targeted by criminal hackers and government agencies.

The reason is obvious: while it is true that Android is the operating system with the highest numbers in terms of market penetration, it is equally true that iPhones have a disproportionately high market share among many of the demographic groups that NSO Group's customers "target".

As we know, in fact, iPhones occupy the upper end of the market, with sales prices beyond the reach of most smartphone users but certainly accessible to the politicians, activists and journalists who are the victims of espionage and surveillance actions.

In addition, iPhones have a strong reputation for security: Apple's efforts have always been aimed at preventing, or at least complicating, iOS hacking, ensuring that software downloads are easy and safe and that installing security updates is the norm.

For these reasons, iPhones have so far been the favorite mobile devices of those who, because of the work they do or their civil commitment, fear becoming victims of cyber espionage. And, unfortunately, also of those who want to spy on these same people.

The ethical question

As for the NSO Group, the company claims that Pegasus was born with a legitimate function: to help law enforcement and government agencies track down terrorists and potential threats.

On the other hand, according to Amnesty International, the software was sold to oppressive regimes for anti-democratic purposes.

Sure, there will always be users who try to reuse its functionality for their own purposes, but this is an unfortunate reality. It doesn't matter how smart the developer is; he can never fully comprehend the full spectrum of uses that his ideas will be able to serve in the future.

A treasure in your pocket

One thing we can agree on is the growing threat of mobile attacks and the fact that little can be done to combat zero-click threats that require no user interaction, other than applying patches as they are released.

In our world 4.0, surrounded by technology, where we are closely connected to digital devices, it is no surprise that this type of software exists to be used by law enforcement or other entities.

We keep our contact lists, emails, text messages and other private digital correspondence in our pockets and our trust and comfort level with them can make us oblivious to the risks involved in keeping this information safe.

People no longer need to break into our homes to get sensitive data - they just need to send a malicious email or convince us to download an infected application.

The breadth and depth of smartphone capabilities and extensive global supply chains create a huge attack surface.

The incentive and value of hacking a smartphone are off the charts even compared to the classic PC.

People now carry a microphone, camera, and tracker around with them all day, as well as the data on the phone itself and the communication this enables.

These facts amount to poor prospects that the phone will ever be safe against well-armed and skilled and above all goal-focused attackers.

We need layered defense and special protection designed from the ground up to achieve a very specific purpose: safety and security.

Closed systems like Apple's cannot be the way to the future.

Let's not let our guard down.
