Vulnerability
Threat Summary
iOS
Lookout
November 2, 2016

Trident Vulnerabilities: All the Technical Details in One Place

Statue of man holding trident in his hand.

Today, Lookout is releasing the technical details behind “Trident,” a series of iOS vulnerabilities that allow an attacker to remotely jailbreak a target user’s device and install spyware. In August, Lookout, in conjunction with Citizen Lab, discovered “Pegasus,” a sophisticated piece of mobile spyware used by nation state actors to surveil high-value targets. The so-called “cyber arms dealer,” NSO Group created the spyware, which, at the time, relied on the three Trident vulnerabilities to remotely and silently compromise a device. Lookout and Citizen Lab worked directly with Apple to close the holes and cripple this attack vector used by Pegasus for the compromise.

In the process, Lookout and Citizen Lab also identified a related vulnerability Mac OS, which Apple quickly patched as well.

Below you can find the full technical details behind the vulnerabilities. Want more background on the Pegasus malware? Microsoft noted in a blog, “Many security firms described it as the most sophisticated attack they’ve seen on any endpoint.” Check out our coverage of the Pegasus attack and Trident vulnerabilities, including our original technical report and analysis for CSOs and CIOs.

The technical report covers the following:

  1. CVE-2016-4657: Memory Corruption in WebKit - A vulnerability in Safari WebKit allows the attacker to compromise the device when the user clicks on a link.
  2. CVE-2016-4655: Kernel Information Leak - A kernel base mapping vulnerability that leaks information to the attacker that allows him to calculate the kernel’s location in memory.
  3. CVE-2016-4656: Kernel Memory corruption leads to Jailbreak - 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
  4. The Pegasus Persistence Mechanism used for remaining on the device after compromise.
GET THE REPORT

Special thanks to Max Bazaliy, Cris Neckar, Greg Sinclair, in7egral, and the Lookout Security Research team for their work and research into these vulnerabilities.

Want to learn more about the attacks and find out what this means for your company? Contact us.

Interested in working for Lookout? Check out our careers page here.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Threat Type
Vulnerability
Entry Type
Threat Summary
Platform(s) Affected
iOS
Discovered By
Lookout
Platform(s) Affected
Vulnerability
Threat Summary
iOS
Lookout

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Vulnerability Affecting Apple devices

CISA recently added guidance to CVE-2025-24085, a use-after-free issue, which affects Apple devices running on visionOS, iOS, iPadOS, macOS, tvOS, and watchOS.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell