Steve Gibson devoted his technical segment in Security Now #575 to the recent Trident vulnerabilities as well as the associated malware in use in narrowly targeted iPhone espionage, as first publicized by Lookout. The topic was covered in almost every podcast this week (Defensive Security, DtSR, Paul’s Security Weekly, SANS, and even Tech News Today and Wall Street Journal Tech). Security Now really makes the effort to talk in accurate technical detail, even when its sense of the overall impact is completely off base. But I found this description disappointing. Both Steve and Leo seemed overly focused on, and amazed by, how polished and professional this exploit chain and malware were. Expressing complete shock at this kind of thing builds the perception that it is very much one of a kind, and adds to the picture of hackers as nerds in their mother’s basement. Anyone who holds that opinion should listen to the Down the Security Rabbit Hole interview about the ransomware economy. (DtSR, on the other hand, went to the opposite end of the spectrum, asking why anyone would care about this and implying that it’s just another 0-day. That’s probably a bit too far, as iOS 0-days are rare, and finding three packaged together in use in the wild is rarer still… but it is probably closer to the correct attitude than sheer amazement.)
The real inspiration for this post was Steve’s lumping together exploit development, delivery, exploitation itself, and the malware as if they were one thing, rather than a set of building blocks. Yes, that is the malware deployed with these exploits this time. But there’s no reason someone else (or even the same actor) couldn’t use that same exploit chain to deliver completely different malware. An exploit is something that causes a device to do something other than what the user or developer intended to be allowed, typically resulting in something like code execution or privilege escalation. What is deployed afterwards uses that execution to do something; that is the malware. Steve lumps Trident (three vulnerabilities that lead to execution as a privileged process) and Pegasus together as if they were the same thing, despite the fact that Lookout does a very good job of keeping them separate in its initial blog post. And while Lookout gives Pegasus the title of most sophisticated malware for any endpoint, it doesn’t do anything that hasn’t been seen in other malware before. Malware development is a coding problem. It’s the exploits that are amazing.