Lookout Security Research & Response Team
Photo Gallery
Lookout Security Research & Response Team
Additional Info
Job title of nominated professional (or team name) | Max Bazaliy, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, Staff Security Researchers; Mike Murray, VP of Security Research |
Company (where nominated professional or team is working) | Lookout |
Website | Lookout.com |
Company size (employees) | 300 |
Country | United States |
Overview
In August 2015, the Lookout Research and Response team, with its research partner Citizen Lab, uncovered the first active mobile threat that completely compromises an iOS device with just one click. Called Pegasus, this is a piece of spyware, using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.
Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group, is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile. It is modular to allow for customization and uses strong encryption to evade detection.
In this case, the Lookout research team uncovered that the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.
The Lookout research team believes that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.
Accomplishments
- The Lookout Research and Response team, with its research collaboration with Citizen’s Lab, uncovered the first active mobile threat that completely compromises an iOS device with just one click.
- The two organizations worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch. The team, some of whom have been doing security research for two decades, have never seen a software vendor respond so quickly.
- Uncovering this attack shows us that highly resourced actors see the mobile platform as a fertile target for gathering information about targets, particularly high risk groups like activists, and regularly exploit the mobile environment for this purpose.