
iPhone Users advised to update immediately



Posted

Apple Releases Critical iOS Update After Unprecedented ‘Pegasus’ Spying Software Discovered

‘All iOS users should update immediately.’

 26/08/2016 08:59
 
Thomas Tamblyn  Technology editor, Huffington Post UK

It’s the stuff of a spy movie or video game: A shady government agency simply clicks a button and immediately has access to everything on your phone.

Well that fiction just became a reality as security researchers at Lookout today announced that they had discovered a powerful piece of software that was capable of hacking any iPhone on the planet and without them knowing, spy on their Gmail, Facebook, Skype, WhatsApp and more.

It’s called “Pegasus” and was developed by an Israeli intelligence agency that specialises in what it calls “cyber war”.

While Lookout are understandably cautious about sharing the precise nature of how the program works, they do reveal that the attack is initiated through an SMS. From there the malware is delivered and the iPhone is “jailbroken” effectively unlocking its contents to the attacker.

Lookout’s Mike Murray said: “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile.”

Before you start worrying that you might have been hacked, Murray does have some words which could be reassuring, to some of us at least.

“The going price for Pegasus was roughly $8 million for 300 licenses,” explains Murray, “so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value.”

Apple and Lookout worked together on a fix for Pegasus and the technology giant has issued iOS 9.3.5 which can be downloaded now.

Lookout unsurprisingly suggests that “all iOS users should update immediately.”

How To Update Your iOS Software

If you’re wondering how to update the iOS software on your iPhone or iPad the process is relatively simple.

Simply follow these actions:

  • Tap on Settings
  • General
  • Software Update
  • Then tap on Download and Install

For the software to update we recommend that you have your iPhone or iPad plugged into a charger and that it has a strong connection to WiFi.

Posted

I decided to check for available updates via Settings > General > Software Update and find iOS9.3.5, but "Download and install" is greyed out, saying a WiFi network is required to install.  I'm away from home and using the 10GB monthly allowance on my AIS 4G account.  Why does Apple deem cellular data to be unworthy?  If it's a concern about using data allocation on a 3G/4G account, why not simply alert me and ask if I want to continue?

Posted (edited)

I'm not an iPhone user, but Android has a setting that says "Wifi only" or "Wifi+3G/4G".

Maybe iOS has something similar?

Edited by Chicog
Posted
2 hours ago, wpcoe said:

I decided to check for available updates via Settings > General > Software Update and find iOS9.3.5, but "Download and install" is greyed out, saying a WiFi network is required to install.  I'm away from home and using the 10GB monthly allowance on my AIS 4G account.  Why does Apple deem cellular data to be unworthy?  If it's a concern about using data allocation on a 3G/4G account, why not simply alert me and ask if I want to continue?

 

Your hotel does not have wi-fi?

 

Coffee shops have wi-fi.

 

But the risk of this is quite low and could wait until you get home.

Posted

I'm not in a hotel.  I'm in a condo unit I own, but is currently unoccupied.  I've got ample data downloading available on my AIS package.  The OP subtitle "All iOS users should update immediately" motivated me to try to update ASAP.  

 

My distaste for iOS (much like Windows) deciding what is best for me remains.

 

Guess I should take a moto-sai to the main road & then a baht bus into town just to update iOS using an unsecured coffee shop WiFi.  :D

Posted

I have a basic phone - phone calls only.

I use a laptop.

I have Apple on my laptop for music but no updates available except for iCloud, which I don't use.

I have checked Skype - no updates available.

 

As I am not well up on these issues for Apple / Skype (though do do updates) do I need to worry about this new threat (I am thinking about Skype as I use regularly) ???

Posted
20 minutes ago, Speedo1968 said:

I have a basic phone - phone calls only.

I use a laptop.

I have Apple on my laptop for music but no updates available except for iCloud, which I don't use.

I have checked Skype - no updates available.

 

As I am not well up on these issues for Apple / Skype (though do do updates) do I need to worry about this new threat (I am thinking about Skype as I use regularly) ???

 

As long as you are not accepting Skype messages from strangers you are fine for eternity.

 

 

Posted
4 hours ago, ClutchClark said:

 

As long as you are not accepting Skype messages from strangers you are fine for eternity.

 

 

 

Brilliant advice, considering it is delivered silently via SMS and it is deemed a critical vulnerability.

 

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
 

:thumbsup:

 

 

Posted
5 hours ago, Speedo1968 said:

I have a basic phone - phone calls only.

I use a laptop.

I have Apple on my laptop for music but no updates available except for iCloud, which I don't use.

I have checked Skype - no updates available.

 

As I am not well up on these issues for Apple / Skype (though do do updates) do I need to worry about this new threat (I am thinking about Skype as I use regularly) ???

 

This is an update for iOS not OSX.

So it doesn't affect Macs or iTunes.

 

 

Posted
5 hours ago, wpcoe said:

I'm not in a hotel.  I'm in a condo unit I own, but is currently unoccupied.  I've got ample data downloading available on my AIS package.  The OP subtitle "All iOS users should update immediately" motivated me to try to update ASAP.  

 

My distaste for iOS (much like Windows) deciding what is best for me remains.

 

Guess I should take a moto-sai to the main road & then a baht bus into town just to update iOS using an unsecured coffee shop WiFi.  :D

 

The ironic thing is that if you have cellular data, then you are vulnerable to the exploit.


It seems you can turn on cellular data for downloads, but not iOS updates like this.

 

 

Posted
7 minutes ago, Chicog said:

 

Brilliant advice, considering it is delivered silently via SMS and it is deemed a critical vulnerability.

 

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
 

:thumbsup:

 

 

 

Oh.  Well in that case belay my last ;-)

 

Would the sms text message be recorded as received in the log?

Posted

Oh.  Well in that case belay my last ;-)

 

Would the sms text message be recorded as received in the log?

 

One article indicated that Mansoor received two suspicious text messages which he did not recognize and did not open. It further states that IF he had opened them then he would have become infected.

Posted
19 minutes ago, Chicog said:

 

The ironic thing is that if you have cellular data, then you are vulnerable to the exploit.


It seems you can turn on cellular data for downloads, but not iOS updates like this.

 

 

 

Apparently.  Under Settings > Cellular > Use Cellular Data For, Settings is "on."  I don't see any other place to enable cell data for iOS updates.  I only recently returned to the world of iPhones, so I'm just getting re-acquainted with iOS and there may be someplace else to check?

Posted
12 minutes ago, Chicog said:

 

Brilliant advice, considering it is delivered silently via SMS and it is deemed a critical vulnerability.

 

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
 

:thumbsup:

 

 

 It also costs 8 million dollars for 300 licenses.....

 

I seriously doubt anyone on TV, or for that matter anyone in Thailand would be a target

 

Of course I will update, but I'm not rushing nor worrying about it.

Posted

I hope this is not another pathetic attempt to get me to update my iOS.

 

I am on iOS 9 and so far see no reason to update…I don't ever open SMS from numbers I don't recognise….

Posted
40 minutes ago, Chicog said:

 

Brilliant advice, considering it is delivered silently via SMS and it is deemed a critical vulnerability.

 

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.
 

:thumbsup:

 

 

 

Could this be the day I finally hear Chicog grumble the words, "I was possibly mistaken"?

 

All of my research indicates an iPhone user has to open a file in a text message in order to become infected.

 

  • CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

http://www.imore.com/apple-has-patched-pegasus-malware-heres-what-you-need-know

I am getting to be an old man, Chicog, and I won't be alive forever. Besides, with senility advancing, I run the risk daily of saying something offensive and hanging up the keyboard for good. (To the tune of Dylan, "Take this badge off of me")

Oh Lord, please let this be the time that I have one-upped Chicog. 

Posted (edited)

That's never going to happen.

:D

 

That's just one of the CVEs this fixes, there are three of them which work together.

 

Quote

iOS 9.3.5

Released August 25, 2016

Kernel

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2016-4655: Citizen Lab and Lookout 

Kernel

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4656: Citizen Lab and Lookout

WebKit

Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4657: Citizen Lab and Lookout

 

However, you are right that it requires the user to click a link in an SMS.

 

Quote

Lookout collectively calls the three zero-day vulnerabilities Trident, and warned that they could allow personal data to be accessed after opening a link sent in a text message.

 

Edited by Chicog
Posted
2 hours ago, Chicog said:

However, you are right that it requires the user to click a link in an SMS.

 

Righto…..and only morons do that….when it's from a number they don't recognise.

 

I don't even do it from numbers I do.

Posted
2 hours ago, JHolmesJr said:

 

Righto…..and only morons do that….when it's from a number they don't recognise.

 

I don't even do it from numbers I do.

 

The sensible thing to do.

I've seen some very carefully crafted Phishing and Smishing messages in my time.

 

Posted
On Saturday, August 27, 2016 at 3:38 PM, ClutchClark said:

Could this be the day I finally hear Chicog grumble the words, "I was possibly mistaken"?

Oh Lord, please let this be the time that I have one-upped Chicog.

 

You did.

 

On Saturday, August 27, 2016 at 5:38 PM, Chicog said:

However, you are right that it requires the user to click a link in an SMS.

 

 
