Aug 25, 2016

What's the difference? :)

It's explained in detail here: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...

Apparently it overwrites a system binary that's launched on boot with another Apple-signed binary, "jsc" (a console JavaScript interpreter), which will evaluate some sort of .js that re-exploits everything. Pretty clever to re-use Apple-signed binaries for nefarious purposes. (The binary must be Apple-signed because when booting the kernel isn't exploited yet, so it enforces code signing, obviously.)
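A small defensive check for the persistence trick the comment above describes, added here as an example; it is not code from the thread, from Lookout's report or from Apple. A validly signed binary copied over a boot-launched path passes the signature check, so the baseline has to bind each path to the content it is supposed to have, and when the content changes it is worth asking which other known-good binary it now matches. All paths, names and file contents below are constructed for the example and are not real iOS paths or hashes.

```python
"""Path-bound integrity check for boot-launched binaries (added example).

Idea: code signing answers "is this an Apple binary?", not "is this the
Apple binary that belongs at this path?". Keep a trusted baseline of
path -> content hash, and when a boot-launched path changes, also report
whether its new content is a *different* known-good binary (the
"overwrite a boot daemon with jsc" case). Everything here is constructed:
the paths are hypothetical and the "binaries" are short byte strings.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map path -> sha256 of content, taken from a trusted (known-good) image."""
    return {path: sha256(content) for path, content in files.items()}


def check_boot_binaries(baseline: dict, current: dict) -> list:
    """Compare the current image against the baseline.

    Returns a list of findings, each (path, reason, matched_path_or_None):
      - "missing": the path is gone.
      - "modified": content changed and matches no known-good binary.
      - "replaced_with_known_signed_binary": content now equals another
        baseline binary, i.e. a legitimately signed file was relocated.
    """
    # Reverse index hash -> baseline path, to recognise relocated binaries.
    reverse = {}
    for path, digest in baseline.items():
        reverse.setdefault(digest, path)

    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing", None))
            continue
        actual = sha256(current[path])
        if actual == expected:
            continue
        other = reverse.get(actual)
        if other is not None and other != path:
            findings.append((path, "replaced_with_known_signed_binary", other))
        else:
            findings.append((path, "modified", None))
    return findings


# Constructed sample images. Paths are hypothetical; contents stand in for
# real Mach-O binaries. "boot_daemon" is the thing launched at boot,
# "jsc" is the legitimately signed JavaScript interpreter.
GOOD_IMAGE = {
    "/hypothetical/boot_daemon": b"MACHO-boot-daemon-v1",
    "/hypothetical/jsc": b"MACHO-jsc-javascript-console",
}

# Same image after the trick: the daemon path now holds a byte-for-byte copy
# of jsc (still validly signed), plus an attacker-supplied script to evaluate.
COMPROMISED_IMAGE = {
    "/hypothetical/boot_daemon": b"MACHO-jsc-javascript-console",
    "/hypothetical/jsc": b"MACHO-jsc-javascript-console",
    "/hypothetical/payload.js": b"/* constructed placeholder, not real */",
}


def demo() -> list:
    """Run the check of the compromised image against the good baseline."""
    return check_boot_binaries(build_baseline(GOOD_IMAGE), COMPROMISED_IMAGE)


if __name__ == "__main__":
    for path, reason, other in demo():
        print(f"{path}: {reason}" + (f" (content matches {other})" if other else ""))
```

The check deliberately keys on content, not on signature status: a pure "is this file signed by Apple?" scan would pass the compromised image, because jsc is. Files that exist only in the current image (the added script here) are out of scope for this check and belong to a separate "unexpected new file" rule.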

Aug 25, 2016

Direct links to other resources:

Technical analysis: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...

CitizenLab analysis of the nation-state side of things: https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

Apple update: https://support.apple.com/en-us/HT207107

Aug 25, 2016

Here are the full technical details: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...