Lookout Life
Threat Intelligence

September 2, 2016

min read

Encryption and VPNs Alone Do Not Protect You From Pegasus/Trident

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we've received many clarifying questions from security professionals. In this series we're answering the top queries we've received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why can’t encryption or VPNs stop this threat?

Encryption and VPNs are excellent tools that protect sensitive data in most situations. Given the extreme sophistication of the Pegasus attack, however, these tools won’t actually protect data in this scenario.

Intercepting data with function hooking

Pegasus has kernel level access to the device. This means the spyware sits in the path of all communication and information that is exchanged and intercepts it at the point at which it is decrypted. It does this using “function hooking” to alter the legitimate app itself and intercept the decrypted communications.

Pegasus can replace calls to functions used by the VPN software, the phone, Whatsapp, Skype, and others. It also intercepts information before it is encrypted or after it is decrypted, as shown in the diagram below:

Lookout has already documented live instances where this threat has stolen information from end-to-end encrypted applications.

Function hooking has legitimate uses in software development. It allows a developer to change the way the app reacts when certain events happen or behave differently. For example, an app developer may use function hooking to detect when an app is going to crash due to a bug and log the event so the developer can fix the issue.

In the case of Pegasus, function hooking instead allows the attacker to intercept encrypted and decrypted communications and information.

Hooking real apps, not spoofed ones

Get an in-depth walk-through of this attack in this webinar of Lookout Vice President of Security Research Mike Murray. Pegasus uses three vulnerabilities in iOS, called “Trident,” to infect the device. Part of the process includes jailbreaking the phone and gaining this kernel level access. In the process of jailbreaking and infecting the device, Pegasus does not replace the existing apps with fake ones — it compromises legitimate versions of these apps. For example, it does not replace the existing Gmail app with a trojanized, spoofed version; it targets and intercepts communication from the legitimate Gmail app.

CIOs and CISOs should not rely on VPNs or encryption to address this threat, but instead need a security solution to detect Pegasus infections and immediately quarantine those devices.

Unfortunately, the organization has a much bigger problem if there are Pegasus detections on employee devices. It means that the enterprise is being targeted for corporate espionage or other motive. CIOs and CISOs need visibility into where Pegasus infections exist and protection against future infections.

Check out the, “3 things CISOs need to know about the Trident iOS vulnerabilities” to learn more about actions you can take today.

Get even more information on our official Pegasus and Trident page.

Think your device has been impacted by Pegasus? Contact us.