Pegasus internals

Technical Teardown of the Pegasus malware and Trident exploit chain

Video duration
00:29:38
Language
English
Abstract
This talk will take an in-depth look at the technical capabilities and vulnerabilities used by Pegasus. We will focus on Pegasus’s features and the exploit chain Pegasus used called Trident. Attendees will learn about Pegasus’s use of 0-days, obfuscation, encryption, function hooking, and its ability to go unnoticed. We will present our detailed technical analysis that covers each payload stage of Pegasus including its exploit chain and the various 0-day vulnerabilities that the toolkit was using to jailbreak a device. After this talk attendees will have learned all of the technical details about Pegasus and Trident and how the vulnerabilities we found were patched.

Presentation Outline:

1. Introduction
Introduction to the talk and the background of the speaker
2. Technical Analysis
In the technical analysis section we will cover in-depth the three stages of this attack including the exploits and the payloads used at each stage. We will detail the obfuscation and encryption techniques the developers used to hide the payloads. We will also examine the 0-day vulnerabilities, called Trident, that we found, which allow for a remote jailbreak on the latest versions of iOS (up to 9.3.4) via Safari.
* 0-days (responsibly disclosed to Apple)
* Malware techniques
* Obfuscation and encryption techniques
The technical analysis will then detail the software that gets installed, including what it was designed to collect: texts, emails, chats, calendars, and voice calls from apps including Viber, WhatsApp, Skype, SMS, iMessage, Facebook, WeChat, Telegram, Vkontakte, Odnoklassniki, Line, Mail.Ru Agent, Tango, Pegasus, Kakao Talk, and more.
* Application Hooking
* Use of SIP for exfiltration
* Historical Analysis of jailbreaks
We will detail how the jailbreak techniques used by this software have changed and adapted to the changing security mechanisms added to iOS over the years.
4. Summary and conclusions

Talk ID
7901
Event:
33c3
Day
1
Room
Saal 1
Start
5:30 p.m.
Duration
00:30:00
Track
Security
Type
lecture
Speaker
Max Bazaliy
Talk Slug & media link
33c3-7901-pegasus_internals

Talk & Speaker speed statistics

Very rough underestimation:
139.7 wpm
803.4 spm