safe_share_padlock“But when Perseus had cut off the head of Medousa (Medusa) there sprang from her blood stout-hearted Khrysaor (Chrysaor) and the horse Pegasos so named from the springs (pegai) of Okeanos (Oceanus), where he was born.”
– Hesiod, Theogony 280 ff (trans. Evelyn-White) (Greek epic C8th or C7th B.C.)

The famous winged horse Pegasus, thundering stallion of Zeus, is a transcendent figure in Greek mythology.  What may be slightly less known is that Pegasus was commemorated as the constellation of stars bearing the same name. Its rising marks the arrival of spring and, in Greece, of seasonal thunderstorms. Thus, it is ironic that Pegasus is now raining on Apple’s parade.

Apple users have long felt, with some justification, that their Apple products, and particularly their iPhones, were safer than alternative products. But a recent attack had laid bare Apple’s vulnerabilities and jolted the Apple community. According to a report by Lookout, a San Francisco based security company that participated in discovering and addressing the Pegasus exploit, “This Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. It steals the victim’s contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device.”

Mike Murray, research lead at Lookout, was quoted in Fortune as saying “This changes mobile. For the first time, iOS is vulnerable—people can no longer rely on ‘Apple will protect me.’” Fortune reports “He added that Pegasus is notable because most of the big security scares involving mobile have until now been theoretical—whenever someone has discovered a major vulnerability, there typically is little evidence the exploit was widely used for nefarious purposes.”

This Apple exploit should serve as a reminder to all of us that the smart phones we carry actually are very powerful computers, and our increasing reliance on them carries with it a risk that requires attention to good practices that will help mitigate that risk. Here’s an interesting look at the issue courtesy of Risk Management magazine.

If there’s a sunny note to end on, it may be this. I’ve seen estimates that around 2 percent of U.S. smartphones may be infected with malware, in sharp contrast to estimates of up to 40 percent of smartphones infected in Russia and China. This is a good race to trail in rather than lead.

By Tom Davis, SDI Cyber Risk Practice
September 13, 2016