< Return to Video

Pegasus internals (33c3)

  • 0:00 - 0:01
    [Translated by {Iikka}{Yli-Kuivila}
    (ITKST56 course assignment at JYU.FI)]
  • 0:01 - 0:14
    33C3 preroll music
  • 0:14 - 0:18
    Herald: The Max is a security researcher
    at Lookout has been doing this about 10
  • 0:18 - 0:23
    years, he spent a lot of time in
    obfuscation, exploit development, security
  • 0:23 - 0:28
    research, previous Black Hat speaker,
    currently focused on mobile security
  • 0:28 - 0:34
    research and working on his PhD. He'll be
    telling you about some of the internals of
  • 0:34 - 0:38
    Pegasus malware today. With that, I will
    turn over to Max to take it away.
  • 0:38 - 0:40
    Max: Thank you.
  • 0:40 - 0:47
    applause
  • 0:47 - 0:52
    M: Hi, everyone, say my name
    is Max Bazaliy, and today we'll talk about
  • 0:52 - 0:58
    the Pegasus Internals. I'm from Kiev,
    Ukraine, currently work as a security
  • 0:58 - 1:02
    researcher at Lookout and last few years
    focused on a jailbreak techniques. So
  • 1:02 - 1:07
    that's why I co-founded the Fried Apple
    team and we're working on a various
  • 1:07 - 1:13
    iOS jailbreak, including eight and nine.
    So Pegasus. Pegasus is a high quality
  • 1:13 - 1:20
    espionage software that can be used for
    complete surveillance of a device. Just
  • 1:20 - 1:24
    everything from stealing your personal
    data up to remotely activating a
  • 1:24 - 1:31
    microphone or camera on a device without
    any indication it's really happening. So
  • 1:31 - 1:36
    in order Pegasus to work, it need to
    jailbreak a device first because the iOS
  • 1:36 - 1:41
    sandbox prevents application from spying
    on each other. So that's why Pegasus rely
  • 1:41 - 1:49
    on a trident exploit chain to completely
    own a device and install persistence that
  • 1:49 - 1:55
    can be used on each device. Here's a
    really terrifying list of targeted apps,
  • 1:55 - 2:03
    including even the known as most secure
    ones, like Telegram, WhatsApp, Viber. And
  • 2:03 - 2:08
    I'm pretty sure you can find your favorite
    messenger in this list. Before going into
  • 2:08 - 2:12
    a deep technical analysis of the
    vulnerabilities used, I want to tell a
  • 2:12 - 2:18
    story how we get it - a Pegasus sample. So
    police met Ahmed Mansoor, who's mostly
  • 2:18 - 2:23
    known for his job as a human right
    defender. He's even a recipient of Martin
  • 2:23 - 2:29
    Ennals award, sometimes called the Nobel
    Prize for Human Rights. So I understand
  • 2:29 - 2:40
    this year Ahmed received a message with a
    text that someone in a state prison got -
  • 2:40 - 2:46
    someone is imprisoned in a state prison.
    So and he received another text with a
  • 2:46 - 2:52
    similar thing the next day. But previously
    he was targeted by hacking team in 2012
  • 2:52 - 2:59
    and got FinFisher in 2011. So now, instead
    of clicking on the link, he contacted the
  • 2:59 - 3:03
    Citizen Lab because he was working with
    those guys before. So he sent a link for
  • 3:03 - 3:09
    Citizen Lab to analysis and we are in
    Lookout research team. We get initial
  • 3:09 - 3:14
    sample and a link from a Citizen Lab. So
    in this story, I mostly will focusing
  • 3:14 - 3:24
    about technical, part. So in order to work
    - Pegasus rely on the Trident exploit
  • 3:24 - 3:30
    chain and it uses three stages. So on the
    first stage, it uses a memory corruption
  • 3:30 - 3:35
    to achieve a remote code execution in a
    Safari context. After that, it jumps -
  • 3:35 - 3:39
    after this on a device - it jumps to a
    second stage and uses two vulnerabilities
  • 3:39 - 3:42
    to exploit the kernel. One is used for by
    - by the Kernel Address Space layout
  • 3:42 - 3:48
    randomisation and another to achieve
    kernel - a remote - a kernel code
  • 3:48 - 3:52
    execution kernel level code execution.
    And finally, on the third stage it
  • 3:52 - 3:58
    installs espionage software and uses a
    special trick to achieve on device
  • 3:58 - 4:03
    persistence. So I will focus on each stage
    more detailed. The first stage, as they
  • 4:03 - 4:09
    say, is a single use spear-phish url that
    will be invalidated after the first click.
  • 4:09 - 4:14
    It contains obfuscated JavaScript that
    first thing it do it checking for a device
  • 4:14 - 4:20
    type: Is it iPhone, is it iPad, is it 32
    or 64 bit. And based on information about
  • 4:20 - 4:26
    device processor type the different
    versions of shellcode will be downloaded.
  • 4:26 - 4:30
    Which is in stage two. And finally
    exploits remote code execution
  • 4:30 - 4:35
    vulnerability in a webkit in order to
    execute the shellcode. So what
  • 4:35 - 4:43
    vulnerability will it use it? CVE 4657
    remote code execution in WebKit. Basically
  • 4:43 - 4:47
    the vulnerability is use after free that
    achieved by using two bugs and in a sample
  • 4:47 - 4:53
    that we got it's not stable because it
    relies on WebKit garbage collector. The
  • 4:53 - 4:58
    problem itself lives in a -
    MarkedArgumentBuffer that can be exploited
  • 4:58 - 5:02
    by usage of the defined properties. So
    defined properties is a method that
  • 5:02 - 5:08
    defines new or modified properties
    directly on object. It takes a few
  • 5:08 - 5:14
    arguments and the object itself and the
    properties objects which can have
  • 5:14 - 5:21
    descriptors that constitute the property
    to be defined or modified. It have a
  • 5:21 - 5:26
    pretty simple algorithm, it contain few
    loops on the very first iteration of each
  • 5:26 - 5:30
    property descriptor checking for a
    formatting and after that get appended to
  • 5:30 - 5:36
    a descriptor's vector and to make sure
    that the reference to property descriptors
  • 5:36 - 5:40
    do not become stale, they need to be
    protected from being garbage collected.
  • 5:40 - 5:45
    For this purpose MarkedArgumentBuffer is
    used. We see it at the very very end,
  • 5:45 - 5:50
    MarkedArgumentBuffer append. So
    MarkedArgumentBuffer prevents objects from
  • 5:50 - 5:59
    being deallocated. And after each property
    -get has been validated and it's okay, the
  • 5:59 - 6:03
    defineOwnProperty associate each user
    supplied property with a target object.
  • 6:03 - 6:08
    And here is a problem, because it's possi-
    ble when the defineProperty will be called
  • 6:08 - 6:14
    it's possible to call any user defined
    JavaScript methods. If in these JavaScript
  • 6:14 - 6:20
    methods garbage collection can be
    triggered, it will deallocate any unmarked
  • 6:20 - 6:26
    heap-backed object. I will go a little bit
    deeply in the details. First of all, a few
  • 6:26 - 6:30
    words about MarkedArgumentBuffer and
    JavaScript garbage collector. So
  • 6:30 - 6:34
    JavaScript garbage collector is respon-
    sible for deallocating an object from
  • 6:34 - 6:38
    a memory when they are no longer
    referenced. It runs at a - random
  • 6:38 - 6:43
    intervals and based on the current memory
    pressure, the current device types and so
  • 6:43 - 6:49
    on. And when garbage collector checking if
    objects should be deallocated, it walks
  • 6:49 - 6:53
    through the stack and check for reference
    to an object. A reference to an object
  • 6:53 - 6:58
    also may exist in the application heap,
    but in this case an alternative is used
  • 6:58 - 7:04
    called the slowAppend. So
    MarkedArgumentBuffer is initial inline
  • 7:04 - 7:11
    stack contains eight values. Well, that's
    mean when the ninth value will be added to
  • 7:11 - 7:16
    the MarkedArgumentBuffer the capacity will
    be expanded. It will be moved from a stack
  • 7:16 - 7:26
    memory to a heap memory. This is what the
    slowAppend is doing. SlowAppend move stack
  • 7:26 - 7:32
    from a - move buffer from a stack to a
    heap, and now object not automatically
  • 7:32 - 7:37
    protected from a garbage collection. And
    to make sure they were not deallocated,
  • 7:37 - 7:46
    they need to be added to heap's
    markListSet. This is what we see here. So
  • 7:46 - 7:50
    slowAppend trying to acquire heap context
    and it can be acquired adding an object
  • 7:50 - 8:00
    like, marking an object into markListSet.
    And here is a problem, because when the
  • 8:00 - 8:03
    heap context can be acquired, it can be
    acquired for a complex object, only for a
  • 8:03 - 8:08
    complex object. So this mean for primitive
    types like integer, booleans and so on,
  • 8:08 - 8:14
    they're not heap backed object and they'll
    be not marked as a markListSet. And there
  • 8:14 - 8:20
    is a bug in the slowAppend. We should be
    able to call it just once. So this mean
  • 8:20 - 8:28
    when the buffer will be moved from a stack
    memory to a heap memory and one of the
  • 8:28 - 8:32
    properties will be a simple type, like an
    integer, so they're not automatically
  • 8:32 - 8:36
    protected by garbage collection and all
    the next corresponding values will be not
  • 8:36 - 8:42
    protected as well because of the bug in
    the slowAppend. Here is a picture that's
  • 8:42 - 8:47
    illustrating it and in reality the
    reference to JavaScript objects still
  • 8:47 - 8:53
    exist. But if, uh, in a in a call to
    definedOwnProperty method, any of the user
  • 8:53 - 8:57
    supplied methods will be called, they
    can remove this reference and object will
  • 8:57 - 9:03
    be deallocated. So to summarize, all the
    information here is how it can be
  • 9:03 - 9:10
    exploited. So we specify an props object
    which contain 12 descriptors and first
  • 9:10 - 9:16
    nine of them values are simple typed, like
    zeroes, eight. Which mean that p8, which
  • 9:16 - 9:23
    is the ninth value bit will be added to
    markListSet. It will trigger the
  • 9:23 - 9:29
    slowAppend and the buffer will be moved
    from a stack to a heap. And the next
  • 9:29 - 9:34
    corresponding value is just - length and
    which not_number and array will be not
  • 9:34 - 9:37
    marked by markListSet and not
    automatically protected by garbage
  • 9:37 - 9:44
    collection. What happened next, when
    different properties will be called on the
  • 9:44 - 9:49
    length property and you'll try to convert
    not_number to a number which for that
  • 9:49 - 9:54
    user's defined it toString method will be
    called. The toString method remove the
  • 9:54 - 9:58
    last reference for an array and forces the
    garbage collection cycle by allocating a
  • 9:58 - 10:04
    large amount of memory. Which leads that
    object will be deallocated by garbage
  • 10:04 - 10:08
    collector. The very next thing it is doing
    is reallocate the new object over a stale
  • 10:08 - 10:14
    one. So this is how specially crafted use
    after free was used in Safari to achieve
  • 10:14 - 10:20
    remote code execution and to execute a
    shellcode. The shellcode exist in a second
  • 10:20 - 10:25
    stage, which is a payload which contained
    the shellcode and compressed data. The
  • 10:25 - 10:28
    most interesting for us is the shellcode
    because it's used for a kernel
  • 10:28 - 10:34
    exploitation in Safari context and the
    compressed data basically is a loader
  • 10:34 - 10:39
    that downloads and decrypts the next
    stage. One of the vulnerabilities used is
  • 10:39 - 10:46
    a CVE 4655, which is a info leak that's
    used to bypass a kernel address layout
  • 10:46 - 10:51
    randomization. It exploits the information
    that constructor and OSUnseralizeBinary
  • 10:51 - 10:58
    method they miss bound checking. So that
    mean that attacker can create OSNumber
  • 10:58 - 11:02
    object with a really high number of bits
    and call it within the application sandbox
  • 11:02 - 11:06
    where
    io_registry_entry_get_property_bytes.
  • 11:06 - 11:11
    Here's how it looked like. So
    OSUnseralizeBinary method to handle binary
  • 11:11 - 11:16
    serializations in a kernel. It converts a
    binary format to basic kernel data object.
  • 11:16 - 11:22
    It supports different container types,
    sets, dictionaries, array, object types,
  • 11:22 - 11:27
    strings, numbers and the point of interest
    in this is the OSNumber. So as we see
  • 11:27 - 11:34
    here, it passed two arguments: value and
    length and there is no real check that for
  • 11:34 - 11:40
    - for length property. So this mean we can
    control the length that is passed to an
  • 11:40 - 11:45
    object. And why it is a problem, because
    here is a constructor for OSNumber:init
  • 11:45 - 11:52
    and as we see the length property passed
    here is newnNumberOfBits and it
  • 11:52 - 11:56
    overrides the size variable. And the
    problem that size is used in other
  • 11:56 - 12:02
    methods, in a case that OSNumber
    numberOfBytes, which leads it return value
  • 12:02 - 12:08
    of numberOfBytes is now fully controlled
    by attacker. Which is real bad because
  • 12:08 - 12:12
    it's used next in
    io_registry_entry_get_property_bytes which
  • 12:12 - 12:18
    handle OSNumbers and its use numberOfBytes
    to calculate the object's length, the
  • 12:18 - 12:24
    OSNumber length. But unfortunately it use
    a stack based buffer to parse and save
  • 12:24 - 12:32
    OSNumber value. And what happened next, it
    is copying memory from kernel stack to
  • 12:32 - 12:37
    heap used the attacker controlled length.
    Which mean we can specify how many bytes
  • 12:37 - 12:44
    will be copied from a kernel stack and
    returned to user land. This is what
  • 12:44 - 12:53
    happens: the first thing we are doing, we
    are create a properties array that have a
  • 12:53 - 13:00
    dictionary which have a OSNumber with a
    high length in our case, is 256. Next, we
  • 13:00 - 13:05
    need to spawn the user client by calling
    IOService open extended, which will
  • 13:05 - 13:11
    deserialize this OSNumber object and crea-
    te this object in the - in the kernel. And
  • 13:11 - 13:16
    now we need to read it by calling the
    IORegistryEntryGetProperty, which leads it
  • 13:16 - 13:23
    - we copied the 256 bytes of the kernel
    stack memory and the kernel stack memory
  • 13:23 - 13:27
    will contain kernel pointers. And from a
    kernel pointer, we can determine the
  • 13:27 - 13:33
    kernel base. So now we get a kernel base
    and we can jump to the next vulnerability,
  • 13:33 - 13:40
    which is CVE 4656 it is use-after-free to
    achieve kernel level code execution. It
  • 13:40 - 13:44
    exploits information because the
    setAtIndex macro does not really retain an
  • 13:44 - 13:48
    object and we can trigger it within the
    application sandbox from
  • 13:48 - 13:57
    OSUnserializeBinary. Again the
    OSUnserializeBinary it's a function that
  • 13:57 - 14:02
    parse and deserialize objects in the
    kernel - it support different data types -
  • 14:02 - 14:07
    different container types. And the
    interesting thing it supports kOSSerialize
  • 14:07 - 14:12
    object. It means that we can create a
    reference to another object. Really
  • 14:12 - 14:18
    useful in the future, because in a way of
    deserializing and parsing objects
  • 14:18 - 14:24
    OSUnserializeBinary saved object pointer
    to a special objects array. And using
  • 14:24 - 14:29
    setAtIndex for it. And as we see
    setAtIndex just save object pointer to
  • 14:29 - 14:37
    array with some index not retaining it.
    It's bad, because the next code, which
  • 14:37 - 14:44
    casting OSString to a OSSymbol it is
    releasing the object pointer. What does it
  • 14:44 - 14:49
    mean? We still have an array that holds
    all the object pointers, which is objects
  • 14:49 - 14:56
    array, and we just released one of the
    objects but still hold the pointer. If we
  • 14:56 - 15:00
    can create a reference to an object we can
    exploit use-after-free. This is what
  • 15:00 - 15:04
    happens because kOSSerializeObject allows
    us to create a reference and we will just
  • 15:04 - 15:09
    call retain on already deserialized,
    already deallocated object. This is how
  • 15:09 - 15:14
    exploit look like. So first of all, we
    create OSdictionary and it will contain a
  • 15:14 - 15:20
    string that due the bug will be
    deallocated. So now we need to reallocate
  • 15:20 - 15:28
    it with our controlled object to fit in
    the same memory spot. It's OSString in our
  • 15:28 - 15:35
    case, OSString class in a memory will be
    32 bytes. We need to allocate the same
  • 15:35 - 15:40
    size. For this purpose OSData is a perfect
    candidate because we can control OSData
  • 15:40 - 15:46
    buffer, buffer size and buffer content. So
    what we can do, we can create a fake
  • 15:46 - 15:51
    OSString with a fake vtable and this fake
    vtable will point to some digits in the
  • 15:51 - 15:56
    kernel. The very last thing we need to do
    is trigger a user-after-free by adding a
  • 15:56 - 16:02
    kOSSerializeObject. So once again,
    OSString got deserialized, deallocated,
  • 16:02 - 16:05
    reallocated to a new object, which is
    OSData buffer, which will point to the
  • 16:05 - 16:13
    same memory spot: we've got a use-after-
    free. So after getting use-after-free,
  • 16:13 - 16:20
    Pegasus uses some kernel patches to
    disable security checks like setuid to
  • 16:20 - 16:26
    easily escalate the privileges, bypass
    amfi checks by patching out
  • 16:26 - 16:32
    amfi_get_out_of_my_way, disable code
    signment enforcement by patching
  • 16:32 - 16:36
    cs_enforcement_disable variable and
    finally, a remount the system partition to
  • 16:36 - 16:42
    be readable, & writable so it can execute
    a loader for the next stage to download
  • 16:42 - 16:51
    and decrypt the next stage. The next stage
    contain the real espionage stuff that will
  • 16:51 - 16:59
    be used to sniff all the like SMS, all the
    calls, all the like personal data. It have
  • 16:59 - 17:09
    a three groups. One is a process group
    which have a main process: sniffing
  • 17:09 - 17:15
    services model that use a SIP protocol to
    communicate with command control like a
  • 17:15 - 17:20
    process manager and so on. The next
    interesting thing is a group of the
  • 17:20 - 17:25
    dylibs, because Pegasus rely on the Cydia
    substrate - the jailbreak framework called
  • 17:25 - 17:29
    - they renamed it as libdata. It uses
    Cydia substrate to inject dynamic
  • 17:29 - 17:34
    libraries into application process. So in
    our case, we have a dynamic libraries for
  • 17:34 - 17:38
    Viber, for Whatsapp which can be injected
    into the application space to install
  • 17:38 - 17:45
    application hooks. And the last thing is
    com.apple.itunesstored file. Which is a
  • 17:45 - 17:54
    JavaScript that contain code and the
    shellcode that will execute - that can
  • 17:54 - 18:00
    execute unsigned code. I will focus on it
    next. So the bug exists in a JSC binary.
  • 18:00 - 18:07
    JSC binary is like a helper for JavaScript
    core, JavaScript and in Apple. And
  • 18:07 - 18:12
    it can lead to unsigned code execution. In
    combination with rtbyddyd trick it can be
  • 18:12 - 18:19
    used to completely gain persistence on the
    device. It exploits that it is a bad cast
  • 18:19 - 18:25
    in setEarlyValue method and fortunately it
    can be triggered only from Jesty
  • 18:25 - 18:32
    application context. So what is a problem?
    It exploits the problem in JavaScript
  • 18:32 - 18:37
    binding SetImpureGetterDelegate which have
    in C++ for function
  • 18:37 - 18:41
    SetImpureGetterDelegate. This function
    takes a few arguments - one is the
  • 18:41 - 18:48
    impureGetter and the second one is a
    generic isObject that will be set as this
  • 18:48 - 18:55
    impureGetter delegate. The problem will be
    next slide - so we just parse two
  • 18:55 - 18:59
    arguments and call a setDelegate. The
    setDelegate called set which finally
  • 18:59 - 19:05
    called setEarlyValue. Here is a problem,
    because there is no real check that the
  • 19:05 - 19:11
    object type passed to
    setImpureGetterDelegate is really
  • 19:11 - 19:16
    ImpureGetter. So this means that if any
    other object type will be passed, it will
  • 19:16 - 19:21
    be improperly downcasted as ImpureGetter
    pointer. That's what happened here. So
  • 19:21 - 19:28
    it's a bad cast that have no real check
    for object type and which lead that we can
  • 19:28 - 19:33
    overwrite on those object fields. Here are
    the same function, but now decompiled in IDA
  • 19:33 - 19:40
    Pro. So in our case ImpureGetter is a base
    variable here and the delegate is this
  • 19:40 - 19:46
    generic JS object. We see that the
    pointer, which is base plus 16, can be
  • 19:46 - 19:51
    overridden with a pointer to a delegate.
    Which lead - you see on the right
  • 19:51 - 19:56
    JSArrayBufferView class - if I pass
    JSArrayBufferView class as a first
  • 19:56 - 20:02
    argument, the m_vector field will be
    overwritten with a pointer to a delegate.
  • 20:02 - 20:10
    Which is really bad, because it can lead
    to readable, writeable primitives. To
  • 20:10 - 20:14
    exploit that Pegasus uses two dataviews. I
    will call them dataview one and dataview
  • 20:14 - 20:21
    two. And to call and
    setImpureGetterDelegate on both, which
  • 20:21 - 20:25
    leads it m_vector field in the first
    dataview will be overwritten with the
  • 20:25 - 20:31
    pointer for the second dataview. And now
    by setting and reading the values on the
  • 20:31 - 20:36
    first dataview we can override object
    fields in the second. While we need it, we
  • 20:36 - 20:42
    can map the second dataview as entire
    process memory by overwriting the second
  • 20:42 - 20:47
    dataview arraybuffer offset to be zero by
    overwriting the second dataview length to
  • 20:47 - 20:52
    be four gigabytes in a case of 32 bit
    process and set type as fast array type.
  • 20:52 - 20:57
    So basically the second dataview now is
    mapped to the entire process space and we
  • 20:57 - 21:05
    can getint, setint to get arbitrary read
    and write anywhere in the process memory.
  • 21:05 - 21:10
    The same thing can be used even to get
    execution primitive. But in this case, we
  • 21:10 - 21:16
    can call setImpureGetterDelegate twice and
    instead of exposing the entire process
  • 21:16 - 21:21
    memory, we can leak just an object
    address. If you can leak an object
  • 21:21 - 21:27
    address, we can produce a function that
    have like hundreds of try - empty try-
  • 21:27 - 21:33
    catch constructions and force JIT to
    compile it. And in a - in this process, a
  • 21:33 - 21:39
    special, readable, writeable, executable
    memory segment will be allocated. We can
  • 21:39 - 21:45
    leak address of this JIT segment,
    overwrite it with a shellcode and execute.
  • 21:45 - 21:52
    So this is how the bad cast can be used to
    like re-exploit even a kernel on each
  • 21:52 - 21:58
    boot. It is used with a persistence
    mechanism which is rtbuddyd. So the
  • 21:58 - 22:04
    problem is that System spawning rtbuddyd
    service with a special early-boot
  • 22:04 - 22:10
    argument. This mean if you take any other
    binary signed by Apple and name it as
  • 22:10 - 22:15
    rbuddyd, it will be spawned on a boot.
    That is what the Pegasus is doing. So they
  • 22:15 - 22:21
    take JSC binary which is signed by Apple,
    name it as rtbuddyd, then take a
  • 22:21 - 22:27
    JavaScript that contain exploit. Make it a
    sym link, call it early-boot which leads
  • 22:27 - 22:32
    to when the rtbuddyd will be spawned it
    with early-boot it will call JSC with the
  • 22:32 - 22:37
    js-exploit instead. So with this trick and
    the bad cast it re-exploits kernel on
  • 22:37 - 22:46
    each device boot. There is some tricks
    the Pegasus use to make it harder to
  • 22:46 - 22:52
    reverse engineer, like use one time links.
    So after you click on any of the link
  • 22:52 - 22:57
    they'll be invalidated and now redirect to
    Google or other sites. It re-encrypts all
  • 22:57 - 23:03
    the payloads each time they are downloaded
    just on the fly. And of course, they are
  • 23:03 - 23:10
    trying to hide itself to make it look like
    a system component. Um, of course, it
  • 23:10 - 23:15
    blocks iOS system updates to make sure you
    can't - you cannot batch your device just
  • 23:15 - 23:23
    on the fly, to clear all the evidence:
    clear Safari history and caches and we
  • 23:23 - 23:30
    found a self-destruct mechanism that can
    be triggered remotely or on a time out. So
  • 23:30 - 23:36
    in addition to this terrifying list of
    supported applications, it records any
  • 23:36 - 23:41
    microphone usage, any camera usage, GPS,
    location, keychain passwords, even
  • 23:41 - 23:47
    including the Wi-Fi and the router one.
    Why they need router - I don't know.
  • 23:47 - 23:51
    Application hooking. So how how it
    operates. As I mentioned earlier, it use
  • 23:51 - 23:57
    Cydia substrate and with the help of Cydia
    substrate it preloads dynamic libraries
  • 23:57 - 24:05
    into application process and intercept
    some critical functions. It uses Cynject
  • 24:05 - 24:11
    to run into already - into already running
    processes. So this is like a high level
  • 24:11 - 24:18
    picture of how it looks like. So all the
    application level critical functions and
  • 24:18 - 24:22
    the framework level critical functions are
    intercepted by Pegasus. So now Pegasus can
  • 24:22 - 24:28
    control them, can collect them, can back
    them, can send Command & Control and so
  • 24:28 - 24:36
    on. To summarize, Pegasus is a remote
    jailbreak spotted in the wild. It's pretty
  • 24:36 - 24:42
    scary because it doesn't require any user
    interaction. And the last similar thing
  • 24:42 - 24:48
    was like five years ago when the comex
    released his jailbreakme 3. This year Luca
  • 24:48 - 24:53
    Todesco used one of the Trident
    vulnerabilities for his jailbreaking.
  • 24:54 - 25:00
    I want to say a special thanks to Citizen
    Lab for helping out with achieving a
  • 25:00 - 25:05
    Pegasus sample. All the Lookout research &
    response team, the Divergent security guys
  • 25:05 - 25:11
    and all the individual researchers who was
    involved in the research. So last some
  • 25:11 - 25:17
    useful links which contain a 44 page PDF
    report with a really, really deep details
  • 25:17 - 25:24
    on the vulnerabilities that is used even
    with the difference between 32 and 64 bit
  • 25:24 - 25:31
    ones. So if you're interested in. Please
    take a look. I think this is it do you
  • 25:31 - 25:33
    guys have any questions?
  • 25:33 - 25:42
    applause
  • 25:45 - 25:48
    M: Mm hmm.
    H: OK, please keep it brief. We only have
  • 25:48 - 25:50
    some minutes left for the questions, and
    if there are any questions, please go to
  • 25:50 - 25:57
    the microphones in the hall. And we start
    with the Signal Angel from the Internet.
  • 25:57 - 26:04
    SA: Thank you. Is there any way to build
    your app, protect it from this exploit?
  • 26:04 - 26:13
    M: Yes, it is, because the Pegasus use
    some of the known jailbreak techniques it
  • 26:13 - 26:18
    is possible to detect for example that
    system partition is remounted as readable
  • 26:18 - 26:24
    & writable. It could be one of the
    indicators that some generic jailbreak is
  • 26:24 - 26:30
    running on a device. Or like check for
    especially file that Pegasus use but like
  • 26:30 - 26:34
    better check it in general for jailbreak
    pages, the kernel pages.
  • 26:34 - 26:38
    audience shuffling noise
    H: Please try to stay a bit quiet. We are
  • 26:38 - 26:40
    still in the middle of the Q & A. If you
    don't have to leave now, please stay
  • 26:40 - 26:47
    seated until afterwards and if you have to
    leave now, please do not talk. Microphone
  • 26:47 - 26:50
    three, please.
    M3: What's the user experience during
  • 26:50 - 26:53
    this?
    M: User experience, I mean - you mean -
  • 26:53 - 26:59
    you mean when you get a device infected by
    Pegasus? Well, there is it's scary there
  • 26:59 - 27:07
    is no real indicators on a device that you
    get something. That you click on the link,
  • 27:07 - 27:13
    the mobile web browser opens and just
    closes and crashes. There is no new
  • 27:13 - 27:19
    applications spotted on your on visible
    applications and so on. But in a real it's
  • 27:19 - 27:26
    running like three new system services,
    but they are not visible to a user.
  • 27:26 - 27:29
    H: Thank you. And please, another question
    from the Internet.
  • 27:29 - 27:33
    SA: Thank you. Have you any idea how
    active this exploit is in the world?
  • 27:33 - 27:40
    M: Say it again please?
    SA: Have you any idea how active this
  • 27:40 - 27:47
    exploit is in the wild?
    M: I'm sure it was a very targeted attack
  • 27:47 - 27:52
    because, uh, these exploits are pretty
    expensive. For example, uh, Zerodium now
  • 27:52 - 28:00
    pays 1,5 million for remote jailbreaks
    like these so I don't think that actors of
  • 28:00 - 28:07
    this like spyware, want to like - want to
    deal malware accessible for everyone. So I
  • 28:07 - 28:12
    think it's a very very targeted attacks.
    It is hard to predict how many devices was
  • 28:12 - 28:20
    infected by Pegasus. Now we know about the
    Mansoor one. So, again, I think it's very,
  • 28:20 - 28:22
    very targeted thing because it's very
    expensive.
  • 28:22 - 28:27
    H: Thank you for this answer. Microphone
    number five, please.
  • 28:27 - 28:33
    M5: Do you have any more information on
    the NSO or the group that's behind it? Are
  • 28:33 - 28:39
    they using any other software? And how
    spread is this in the wild again?
  • 28:39 - 28:43
    M: Yeah. So in this case, we focused
    mostly on the technicalities of the
  • 28:43 - 28:50
    Pegasus itself, but Citizen Lab made their
    investigation on NSO and the like the
  • 28:50 - 28:57
    NSO is like cyber arms dealer. So please
    take a look about in a Citizen Lab report
  • 28:57 - 29:00
    on that. So they have much more
    information.
  • 29:02 - 29:08
    H: Do we have a question from the
    Internet? Am I overlooking anyone? No,
  • 29:08 - 29:10
    then this is it, thank you for your talk.
  • 29:10 - 29:14
    applause
  • 29:15 - 29:25
    postroll music
  • 29:25 - 29:38
    Subtitles created by c3subtitles.de
    in the year 2022. Join, and help us!
  • 29:38 - 29:39
    [Translated by {Iikka}{Yli-Kuivila}
    (ITKST56 course assignment at JYU.FI)]
Title:
Pegasus internals (33c3)
Description:

more » « less
Video Language:
English
Duration:
29:39
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Iikka Yli-Kuivila edited English subtitles for Pegasus internals (33c3)
Show all

English subtitles

Revisions