Mitigating Pegasus-Like Threats with Bittium Tough Mobile

Mitigating Pegasus-Like Threats with Bittium Tough Mobile

10.9.2021 | Author: Juha Eskelin, Director, Cyber Security, Bittium

Recent news about Pegasus have referred to "Zero click"- and "Zero day" as tactics to compromise a mobile device. The first term refers to a method where an attack is started without any actions required from the end user. The second one refers to exploiting vulnerabilities that aren´t (at the time of the attack) known to the device/operating system vendor.

Together Zero click and Zero day constitute a venomous combination that requires consistent approach and long-term commitment to maintaining security. Bittium is committed to security long term and some mitigations that Bittium has implemented can be found below. We will also list some guidelines for operational use and security policy management below.

Cyber-attacks against mobile devices oftentimes exploit multiple vulnerabilities and the goal of the attack (e.g. compromising confidential information) may require attacks that are implemented in multiple phases.

The recent news about Pegasus have been around Apple devices mostly. This is because Pegasus has been allegedly exploiting the Apple iMessage-vulnerabilities to compromise devices and data. iMessage only works on Apple devices and Apple devices provide extensive forensic capability to study compromised device to learn how the attack against the device was implemented.

Exploiting iMessage vulnerabilities is a key theme in the recent news. iMessage is service/application that is implemented by Apple itself and therefore it runs with more privileges than a regular application that gets downloaded from the App Store. Also, iMessage is an essential messaging service in the device. This means that an incoming message, for example, automatically passes through several operational layers within the device without the user having to do anything. Apple has improved iMessage security on several occasions, but it looks as if there´s more to do.


Generally speaking, there is nothing in standard Android operating system that would prevent threats comparable to iMessage. However, in standard Android devices, forensic capabilities differ from those of Apple's and therefore analysts have been better positioned to study attack tactics on compromised Apple devices.

Bittium Tough Mobile devices, however, greatly differ from standard Android devices from security perspective. Tough Mobile implements unique hardware rooted security and the accompanying Bittium Secure Suite software provides device management and data-in-transit protection. As part of the product development of Bittium Tough Mobile, Bittium has performed thorough threat analysis that also covers the threats caused by advanced malware/spyware like Pegasus. Based on this threat analysis, Bittium has implemented counter measures and mitigations to protect the device and user's sensitive data.

When deploying secure mobile solution, a key to sustainable security is a well thought out policy that defines how the device is to be used with the targeted security level. With Bittium Tough Mobile one concrete example of such a policy is a feature called application whitelisting. It is used to explicitly allow what applications can be installed on device. Malware originating from 3rd party applications is a common attack vector and with this one single policy item the security of the device can be greatly improved. Bittium Tough Mobile and Secure Suite support tens of policy parameters that can be applied for use case driven mobile security.

Among the configurable security parameters and hardenings implemented in Bittium Tough Mobile devices there are settings that allow the security policy to be disable unnecessary or risky network interfaces. These settings can be applied e.g., to prevent SMS and MMS message reception by device entirely. This mitigates an attack vector comparable to what Pegasus took advantage of in order to exploit Apple iMessage vulnerabilities.

If an attacker would be able to gain physical access to the device or would somehow be able to bypass some of the protections, the unique hardware based tamper detection feature would notice physical attacks against the device or changes in the operating system kernel or the firmware.

By following the principles of layered security, Bittium has implemented a multitude of security hardenings in Bittium Tough Mobile and regularly provides security updates. Bittium Secure Suite, in turn, enables easy to use and efficient parametrization of security policy and data-in-transit protection that protect the device and user data on the field and over the device lifecycle. Bittium's secure container feature provides additional layer of data isolation.

In addition to product features, Bittium's governmental and enterprise customers benefit of the long-term support that Bittium provides for its devices - also the security updates are available for extended period.

Juha Eskelin, Director, Cyber Security, Bittium

Mr. Juha Eskelin (MSc. Tech) works as the Director of Cyber Security at Bittium.

Mr. Eskelin has 20 years of experience of working with network security, as well as with mobile and IoT cyber security. During his career he has architected security products and communications protocols protecting critical infrastructure and other industries where security is paramount.