Microsoft thinks the recent discovery of the Trident malware for iPhones should be a wake-up call for the enterprise to stop unquestioningly trusting Apple’s ability to protect corporate secrets.
Brad Anderson, Microsoft's corporate vice president for enterprise and client mobility, argues the case for reconsidering trust in Apple in a blog post entitled ‘What we can learn from the Trident/Pegasus iOS vulnerability’.
The Trident malware was discovered in August by researchers at mobile security firm Lookout and Canadian rights group Citizen Lab, prompting Apple to issue an emergency security update.
The malware, which used three previously unpatched iOS vulnerabilities, was developed by Israeli-founded pen-testing vendor NSO Group and sold as a surveillance product called Pegasus. It was used by a government in the Middle East to target human rights activists.
Lookout called it “the most sophisticated attack we’ve seen on any endpoint”. As Anderson notes, NSO Group had deep pockets, having been acquired in 2010 by US VC fund Francisco Partners Management for over $100m.
NSO Group sold Pegasus at $8m for 300 licenses, a price indicating it would have been reserved for high-value targets, such as political dissidents or senior execs from top firms.
With well-resourced opponents such as these operating in the open, organizations need to stop blindly trusting Apple’s ability to keep their iOS devices secure, according to Anderson.
“Over the last two years, I’ve had senior executives tell me countless times that they have unwavering implicit trust in the iOS platform. In these discussions it’s been pretty common to hear a comment like, ‘I don’t trust Android because it is like the wild, wild west, but I have tremendous trust in iOS because it is a controlled and procured ecosystem’,” he writes.
“I’m not attempting to throw stones at Android or iOS but there is a dilemma with this perspective: I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can to deliver the most secure operating system possible but this fact also exists in our modern era of digital threats that produce consistent successful attacks despite the incredible efforts of the organizations building these platforms.”
Of course, while Microsoft has all but bowed out of smartphone hardware, it is still focusing on enterprise mobility via Intune, its mobile-device management product, for which it recently partnered with mobile security firm Lookout on malware protection.
The other lesson Anderson draws from Trident/Pegasus is that it highlights the commercialization of cyberattacks, which makes it easier for opponents to exploit weaknesses in mobile devices.
For example, attackers who don’t have the skills to compromise your systems can simply rent that capability from NSO Group or numerous other firms in the business of developing, selling and brokering so-called zero-day exploits.
“This is the very scary fruition of something that cybersecurity experts have been heavily emphasizing for the past few years. The work behind corporate hacks, online theft, cyber espionage, and cyber-terrorism is a commercial business and not only an underground effort,” Anderson writes.
“If you, as an organization, have intellectual property that is of interest to another company or a state organization, that company does not have to have the expertise to build a sophisticated attack like this, they just have to have the money to buy a license.”