Researchers: NSO Group’s Pegasus Spyware Should Spark Bans, Apple Accountability - silversurfer - 21 July 21
Quote:News of a zero-click zero-day in Apple’s iMessage feature being incorporated into the notorious Pegasus mobile spyware from NSO Group has drawn a variety of reactions from the security community, including concerns about the security of Apple’s closed ecosystem, and varying views on NSO Group’s culpability for how Pegasus is used.
Since its initial discovery by Lookout and Citizen Lab in 2016, Pegasus has continued to evolve, making it easier and easier to infect mobile devices, noted Aaron Cockerill, chief strategy officer at Lookout. In fact, this isn’t even the first zero-click zero-day used by the surveillance solution.
“It has advanced to the point of executing on the target’s mobile device without requiring any interaction by the user, which means the operator only has to send the malware to the device,” he told Threatpost. “Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps.”
That’s a problem, he said, especially given that as a closed ecosystem, Apple’s code is not publicly available for review and bug hunting (though Apple does have a private bug-bounty program).
“This means vulnerabilities may remain undiscovered by attackers for longer, but they may also not be so readily discovered and reported by security researchers and other responsible parties,” Cockerill said. “On top of ensuring the security and integrity of its own software, Apple faces the additional challenge of doing the same for millions of apps developed by third parties and submitted to the App Store.”
He added, “Apple aims their statements about security and privacy at consumers. However, the majority of the individuals targeted by the NSO group are not categorized as typical consumers and Apple needs to recognize that securing these individuals may require help from third parties.”
Read more: Researchers: NSO Group's Pegasus Spyware Should Spark Bans, Apple Accountability | Threatpost
|