Despite increased awareness about cyberattacks, their volume worldwide continues to increase. James Plouffe, lead architect at MobileIron, recently remarked that enterprises seem unwilling to protect themselves from the real threat of cyberattacks, including malware, calling corporations “alarmingly complacent” on the matter. Plouffe’s words were almost prophetic, as he spoke them less than a month before a very real malware attack stole the spotlight on the world stage.
On August 24th, Citizen Lab published findings about powerful spyware created by the private Israel-based cyber arms dealer NSO Group. The researchers discovered that the spyware was able to “jailbreak” iOS devices and exploit three vulnerabilities. The spyware could then send information back to whoever requested it. That information included contact information, private emails, calendar details, keystrokes, and even audio and video feeds.
The spyware was discovered when renowned human rights advocate Ahmed Mansoor received strange text messages on his iPhone 6. Mansoor is no stranger to spyware; he was previously the victim of espionage via smartphone hacking in 2011 and 2012. What Citizen Lab learned was that the spyware targeting Mansoor had larger ramifications for other iOS users. The ability to jailbreak phones remotely and then access their activities is a scary thought, for both corporations protecting valuable data and consumers who don’t want their smartphone activities tracked.
Apple’s Swift Response
When the spyware was discovered, Apple took quick action to mitigate the threat. The “Pegasus” spyware was eradicated with the iOS 9.3.5 “Trident” update on August 25, but the public relations damage was already done. Customers with iOS devices demanded to know, rightfully, if their own information was compromised. While the full scope of the Pegasus spyware may never see the public light, its mere existence brings up some very important questions.
How safe are our smartphones? What loopholes are there in smartphone security that make our business and personal information vulnerable? How can we safeguard our mobile devices and information?
What Companies Should Know
This attack on iOS vulnerabilities should awaken businesses to the very real threat of cyberattacks. This particular case involved political information, but Advanced Persistent Threats (also called APTs) are exploits launched against corporations to gain information like customer data. One of the most common ways this information is accessed is through SMS phishing. The spyware is delivered through fake numbers and anonymous domains and then immediately begins stealing user information.
As spyware technology evolves, corporations need to change how they defend their information. This means not just trusting in companies like Apple to protect mobile information. Corporations should implement strong anti-spyware strategies that start with employee training on suspicious activities and extend to technology like encryption.
The Pegasus controversy is just the latest headline-grabbing example of the power of spyware and how it operates without users’ knowledge. Not every person is a government target for spying, but everyone has sensitive information they don’t want subject to exploitation. In the case of corporations, even entry-level employees can prove vulnerable to attack if they have access to sensitive information.