Uncertainty over the 50,000 Pegasus zero-day target list: In the wake of the recent discovery and publication of a list of roughly fifty thousand phone numbers identified as potential Pegasus targets, there has been widespread confusion and, in some cases, outright controversy. Much of the uncertainty stems from whether or not the list is complete. It is not hard to imagine that such a staggering number represents more than just devices with an immediate, exploitable Pegasus vulnerability; by their nature, these exploits are difficult to detect even for security experts, and a number appearing on the list indicates selection as a target of interest, not a confirmed infection. The list was clearly assembled from a particular vantage point, and it may have been drawn up with an eye toward the most likely targets. Devices whose compromise was detected and remediated would be unlikely to be targeted again with the same exploit, so it is plausible that the source of the list did not include devices that were already protected.
Beyond the question of completeness, another factor that is often overlooked is the wide variety of roles a targeted device can play, which makes complete protection impossible. Some devices could be used to stage attacks, including denial of service, against other targets, while others may serve as camouflage to draw attention away from the real target. In addition, some devices on the list may be carrying dormant malicious code that has not yet been activated.
The bottom line is that the negative inference some have drawn from the incomplete nature of this list, that many iOS and OS X users are not at risk, is unfounded. As it stands, the list is incomplete and probably an underestimate of the true total.
Many users have been disturbed by the apparent misuse of confidential information provided by The Register’s sources. To those concerned about potential consequences, it is worth noting that The Register has made every effort to keep its sources anonymous and has worked diligently to keep their identities secret, in accordance with the legal protections afforded to journalistic sources.
Beyond the security implications of the list, many users have expressed concern about a private contractor building and selling this kind of tool. Pegasus is developed by NSO Group and licensed to government customers, so each deployment is controlled by a government, and its use, or even its possession, may violate regulations and laws in several countries.
It is important to remember that Unit 42 is a threat intelligence research group, not an offensive team, working out of our Security Intelligence Operations Center (SIOC). Unlike many IT security vendors, we are not using this research to sell a product or run a market research project; our goal is to provide customers with actionable threat intelligence that they can use to protect themselves and their systems. We do this by identifying and describing new and unknown threats as they evolve.
Given the high incidence of targeted attacks against iOS users, we fully expect that this list will ultimately become part of the broader body of Pegasus-related threat intelligence, and that Unit 42 will continue to investigate the nature and extent of Pegasus use against Apple users.
Please read this blog for more information about the investigation itself, including what is known about those targeted by Pegasus.
Apple Adds FBI Warnings to iOS Devices in California [4/4/16] The FBI has achieved its objective of pushing Apple into tipping its hand on how it approaches encryption. The only question that remains is whether the agency will actually use the data to justify further charges, as some observers have predicted.
Apple won’t tell you about the FBI’s secret tool that tries to hack your iPhone [9/21/15] The company has been heavily criticized for refusing to disclose how the agency uses All Writs Act requests to compel its assistance in bypassing device security.