September 2, 2016

Pegasus and Trident: Your Questions Answered


Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we've received many clarifying questions from security professionals. In this series we're answering the top queries we've received to help you better understand the facts around this unprecedented mobile threat.

Pegasus is a highly sophisticated piece of spyware that uses three previously unknown vulnerabilities called “Trident.” When strung together, these three vulnerabilities would allow an attacker to break out of the browser sandbox, jailbreak the device, and install the spyware. From there, the spyware can turn on the camera and mic, intercept text messages, and alter the existing apps on the device to spy on any encrypted or unencrypted data.

This is the most sophisticated mobile attack we’ve seen yet and marks a new era of mobile hacking.

In order to keep you informed about this ongoing, and concerning problem, we’ve pulled together answers to the top questions we’re receiving from security professionals.

Consider this your official hub for all things Pegasus and Trident. Read on.

So, you heard about Pegasus and Trident. Here’s what you should do now

CIOs and CISOs need to be reacting to the Pegasus attack now. The attack is arguably the most sophisticated piece of mobile spyware we’ve seen yet. Here are the top four things enterprises should do today.

Device already infected with Pegasus? Updating your OS won’t help

If an attacker has already installed Pegasus on a device, simply updating to iOS 9.3.5, the latest version of iOS, would only close the vulnerabilities used by Pegasus, not actually remove the spyware itself.
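The practical consequence of the point above is a two-step triage: first find the devices that have not yet reached the fix level, then treat a patched version as a necessary but not sufficient condition for a clean device. The following Python is an added example, not code from the Lookout post; it compares iOS version strings numerically against the 9.3.5 fix level stated on the page (a plain string comparison would wrongly rank "10.0" below "9.3.5") and splits a constructed device inventory into devices that need the update, devices at or above it, and entries that cannot be parsed. The inventory, device ids and field names are constructed for the example.

```python
"""
Added example (not part of the Lookout post): fleet triage against the iOS 9.3.5 fix level.

The post states that iOS 9.3.5 closes the three Trident vulnerabilities, and that updating
does not remove Pegasus from a device that is already infected. This helper only answers
the first question (who still needs the update); a "patched" device still needs an
infection check, which is outside what the page describes.
"""
from typing import Dict, List, Tuple

# From the post: Apple fixed all three Trident vulnerabilities in iOS 9.3.5.
TRIDENT_FIXED_IN = (9, 3, 5)


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5', '9.3' or '10.0' into a comparable integer tuple padded to three parts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_trident_patched(version: str) -> bool:
    """True when the reported OS version is at or above the Trident fix level."""
    return parse_ios_version(version) >= TRIDENT_FIXED_IN


def triage_inventory(devices: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """
    Split an inventory into devices that still need the update, devices at or above the
    fix level, and entries whose version string could not be parsed (manual follow-up).
    Only iOS devices are considered, since the post covers the iOS attack chain.
    """
    result: Dict[str, List[str]] = {"needs_update": [], "patched": [], "unparseable": []}
    for device in devices:
        if device.get("platform") != "iOS":
            continue
        try:
            bucket = "patched" if is_trident_patched(device["os_version"]) else "needs_update"
        except (ValueError, KeyError):
            bucket = "unparseable"
        result[bucket].append(device["device_id"])
    return result


# Constructed sample inventory: device ids, platforms and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"device_id": "ios-001", "platform": "iOS", "os_version": "9.3.5"},
    {"device_id": "ios-002", "platform": "iOS", "os_version": "9.3.4"},
    {"device_id": "ios-003", "platform": "iOS", "os_version": "10.0"},   # string compare would rank this below 9.3.5
    {"device_id": "ios-004", "platform": "iOS", "os_version": "9.2.1"},
    {"device_id": "ios-005", "platform": "iOS", "os_version": "unknown"},
    {"device_id": "and-001", "platform": "Android", "os_version": "6.0.1"},
]

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The `unparseable` bucket is deliberate: an inventory entry with a missing or malformed version is not evidence of a patched device, so it is reported for follow-up rather than silently dropped.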

MDM solutions don’t deliver sufficient protection against Pegasus

A Mobile Device Management (MDM) solution is not by itself a sufficient protection against advanced, targeted threats like the Pegasus spyware. No existing jailbreak detection technology would have caught this threat before Lookout and Citizen Lab uncovered the techniques. This is because MDMs can only detect known jailbreak techniques and Pegasus used advanced exploits of previously unknown (zero-day) vulnerabilities to jailbreak the device. Now that these advanced techniques are publicly known, we have not observed any MDM technology that is currently able to detect them.

Encryption and VPNs alone do not protect you from Pegasus/Trident

Encryption and VPNs are excellent tools that protect sensitive data in most situations. Given the extreme sophistication of the Pegasus attack, however, these tools won’t actually protect data in this scenario. Pegasus has kernel level access to the device. This means the spyware sits in the path of all communication and information that is exchanged and intercepts it at the point at which it is decrypted.

Sophisticated, persistent mobile attack against high-value targets on iOS

Persistent, enterprise-class spyware is an underestimated problem on mobile devices, and targeted attacks against high-value mobile users are a real threat. Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout uncovered an active threat that uses three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.

3 things CISOs need to know about the Trident iOS vulnerabilities

While your CEO or CTO is among those high-value targets, there are many others within your organization who could find themselves in an attacker’s crosshairs. Rank-and-file employees, such as executive administrators, with credentials to access enterprise networks are clearly perceived as valuable targets by global threat actors. Unprotected employee mobile devices with access to sensitive corporate data are now likely to be the lowest-hanging fruit for attackers looking to breach an enterprise.

Congressman urges “congressional hearing” after Trident iOS vulnerability discovery

After news of the Trident vulnerabilities broke, Congressman Ted Lieu issued a statement urging the U.S. government to pay closer attention to mobile security. Congressman Lieu’s comments follow a trend of individuals and agencies calling for attention on mobile security. The White House Digital Government Strategy, the DoD Mobile Device Strategy, and NIST's Mobile Device Security for Enterprises Building Block document urge agencies to adopt and secure mobile technology to improve service and enhance effectiveness.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Threat Type: Spyware
Entry Type: Threat Summary
Platform(s) Affected: iOS, Android
Discovered By: Lookout
