1

The Trident memory zero-day, zero-click vulnerabilities (exploits critical to NSO Pegasus success) were supposedly patched on iOS by Apple:

  • CVE-2016-4657
  • CVE-2016-4655
  • CVE-2016-4656

Android phones are presumably still vulnerable. And since 1000s of phones were recently found to be infected by Amnesty International, perhaps the latest NSO Pegasus succeeds without Trident. How can I find out whether iOS devices remain vulnerable to Pegasus?

References:

hobs
  • 161
  • 6
  • What do you mean by "updated"? iOS should be updated nearly every month to maintain a window of vulnerability bellow one month. But the truth about unsecure software is that it may be vulnerable to another vulnerability the day after the pach. – dan Jul 22 '21 at 16:46

1 Answers1

8

NSO Pegasus does not refer to a static software but it is a continuously evolving product, which will be adjusted to what is currently needed to evade the detection. The security issues that you refer to are also not Pegasus software itself, but these are the security issues which were used to silently install the software on the devices. The attacker will also adapt these delivery methods to whatever currently works.

Therefore it is not possible to make a generic statement if iOS devices are safe against NSO Pegasus or not. They might be safe for a specific previously used attack vector, which does not mean that they are safe against all possible attack which are currently or in the future known to NSO.

DDC
  • 113
  • 4
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424