Israeli surveillance software Pegasus targets cloud data on infected iPhones

Israeli company NSO Group claims its updated multi-million dollar surveillance tool, called Pegasus, can now also extract data from cloud services like iCloud, Google Drive and Facebook Messenger, among others, from an infected iPhone or Android smartphone.

According to a paywalled report published yesterday by The Financial Times, the tool works on the latest iPhone and Android smartphones, taking advantage of exploits to keep working even after the user has removed it.

The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location. This grants open-ended access to the cloud data of those apps without ‘prompting 2-step verification or warning email on target device’, according to one sales document.

Stealing authentication tokens is an old technique for gaining access to someone’s cloud account without needing their user name, password or two-step verification codes. Unlike the encryption keys iOS uses to secure your local data, these authentication tokens are not stored in Apple’s Secure Enclave, which is walled off from the rest of the system.

Here’s Apple’s response:

iOS is the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.

Curiously, Apple doesn’t deny such a capability could exist. The tech giant added that it regularly updates its mobile operating system and security settings to keep users protected.

While NSO Group denied promoting hacking or mass-surveillance tools for cloud services, it didn’t specifically deny that it had developed the capability described in the documents.

Crucially, the tool works on any device “that Pegasus can infect”.

One pitch document from NSO’s parent company, Q-Cyber, which was prepared for the government of Uganda earlier this year, advertised the ability of Pegasus to ‘retrieve the keys that open cloud vaults’ and ‘independently sync-and-extract data’.

Having access to a ‘cloud endpoint’ means eavesdroppers can reach ‘far and above smartphone content’, allowing information about a target to ‘roll in’ from multiple apps and services, the sales pitch claimed. It is not yet clear if the Ugandan government purchased the service, which costs millions of dollars.

Take NSO Group’s claims with a grain of salt.

This isn’t the first time someone made bold claims as to bypassing the security features of Apple’s custom-designed chips and the iOS software powering iPhone and iPad. It’s true that law enforcement doesn’t shy away from paying millions of dollars in fees for rights to use such software. It’s also true that the FBI eventually turned to Pegasus in order to unlock a phone belonging to the San Bernardino shooter. However, it’s also true that this was an older iPhone without Apple’s Secure Enclave cryptographic coprocessor, which provides full disk encryption and hardware protections for the disk encryption keys.

Tools like Pegasus might well have been used to hack even modern iPhones, but that’s because their owners were foolish enough to install a rogue app that included malware. Other techniques include installing an invisible VPN to sniff network traffic, cracking a weak passcode or exploiting some major oversight on the user’s part that opens an attack vector.

It doesn’t look like Pegasus exploits an iOS vulnerability to get to your cloud data.

One of the pitch documents offered an old-fashioned way to thwart this kind of eavesdropping: changing an app’s password and revoking its login permission. That invalidates the copied authentication token until, according to the document, Pegasus is redeployed.

Yes, iOS exploits do exist and some of them are never disclosed, but Apple’s aggressive software update mechanism installs patches swiftly. To my knowledge, no security company has yet claimed unambiguously that it can hack into the latest iPhones.

Pegasus was recently used to hack WhatsApp via an undisclosed vulnerability. WhatsApp has since closed the loophole and the US Department of Justice is investigating.

Thoughts?