Lookout Endpoint Security

September 2, 2016


MDM Solutions Don’t Deliver Sufficient Protection Against Pegasus

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we've received many clarifying questions from security professionals. In this series we're answering the top queries we've received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why can’t my MDM protect my organization from Pegasus?

A Mobile Device Management (MDM) solution is not by itself a sufficient protection against advanced, targeted threats like the Pegasus spyware.

No existing jailbreak detection technology would have caught this threat before Lookout and Citizen Lab uncovered the techniques. This is because MDMs can only detect known jailbreak techniques, and Pegasus used advanced exploits of previously unknown (zero-day) vulnerabilities to jailbreak the device.

Even now that these advanced techniques are publicly known, we have not observed any MDM technology that is currently able to detect them.

Jailbreak detection on MDMs is based on known techniques

Get an in-depth walk-through of this attack in this webinar with Lookout Vice President of Security Research Mike Murray.

A mobile device management vendor must know how a jailbreak works in order to create detection for that jailbreak. This is because jailbreak techniques change with every new release, as the old vulnerabilities used to jailbreak the device are closed. The Trident vulnerabilities were “zero-days,” that is, unknown before Lookout and Citizen Lab reported them to Apple. The Pegasus jailbreak techniques were unknown to the entire world, including MDM vendors, until uncovered by Lookout and Citizen Lab.

In the case of a zero-day attack, MDMs will only be able to write detection heuristics after the attack has already been publicized.

Why Lookout is the right partner

Going forward, Lookout is best positioned to track and protect against targeted threats like Pegasus because we are a mobile-focused security company with the right partnerships, technology, and people to focus on this problem.

The real takeaway from our Pegasus/Trident findings is that enterprises now need a Mobile Threat Defense solution, beyond what an MDM can deliver, to protect mobile devices that could be used to spy on executives or exfiltrate sensitive corporate data.

Here’s why Lookout is the right partner to protect your organization’s mobile endpoints:

  1. Lookout’s unique approach to jailbreak detection relies on looking for firmware anomalies, not just known techniques.
  2. Lookout also has the right partnerships and connections to find threats like Pegasus and work with the appropriate parties, such as Apple in the case of the Trident vulnerabilities, to stop new infections and keep your corporate data safe.
  3. Lookout’s analysis occurs in the cloud, not on the device. This is why Lookout was able to protect its enterprise customers without requiring a client-side update, unlike an MDM.
  4. The organization behind Pegasus will work hard to avoid all jailbreak detection methodologies in the future, and Lookout, with telemetry from 100 million mobile devices, has the most insight about advanced mobile threats globally.

Get even more information on our official Pegasus and Trident page.

Think your device has been impacted by Pegasus? Contact us.