Malware Sold To Governments Helped Them Spy on iPhones

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled, here's an alternate source). From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.The Washington Post reports that these "zero-day" flaws were previously used by the governments to take over victims' phones by tricking them into clicking on a link to a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."

Richard Stallman right again

[JoeyRox]

Every time Richard talks about closed-source phones being used to surreptitiously track users' movements, take photos, and listen in on their conversations he sounds like a madman. But he's right.

Re:

[SadButResolved]

He isn't mad, I'm sure you all will catch up to him at some point, he is just way ahead of you when he talks.
Hmm, Stalin's wet dream, hmmm, who else would love that kind of power and also gave the telco's immunity to prosecution. Hmm...
Wouldn't surprise me if you find Soros funds the firm that bought these hacks off the dark web and weaponized them.

Re:

[npslider]

Wouldn't surprise me if you find Soros funds the firm that bought these hacks off the dark web and weaponized them.

I agree.

But I have a question: What is Soros' end game? What goal is he striving to reach?

The dude's old and rich, what gets him out of bed in the morning? I know many say he eats green eggs and evil for breakfast, lunch, and dinner, but to what end?

I ask, because I do not know, not because I do not believe it.

One word: Replicant

[Ungrounded Lightning]

Replicant [replicant.us]

Android. Fork of Cyannogen Mod that is fully Open source. Even the drivers and firmware. Latest phone supported is the international version of the Galaxy S III (I9300) (2G and 3G but no 4G LTE). (Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.)

Stable release is a couple years old (4.2) due to thinning of the development crew. But the project got new blood (post-Snowden) and a 6.0 port (for the 19300 so far) is in alpha

Same model NAME!

[Ungrounded Lightning]

Latest phone supported is the international version of the Galaxy S III (I9300) ... Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.

The same model NAME on a different device. Model number is different, which is how you tell for sure you got the right one.

Re:

[farble1670]

"Replicant is a fully free Android distribution running on several devices ...

Several? Wow.

Curious though how you think the fact that it's OSS means it won't have any zero day flaws. Because, the OSS community is spending it's nights and weekends statically analyzing this particular OSS project?

Some (3-D graphics acceleration, GPS) are just not supported. (Use 2-D graphics and, if you really want your phone to know where you are, a plugin GPS device based on a different chip.) GPS is not supported because the phone's GPS chip also requires a proprietary CPU-land driver, which is an open-source no-no.

No 3-d graphics? No GPS? Plugin a GPS dongle? The awesomeness continues.

Re:

[npslider]

Closed source, open source, half-way open source - they all have holes the size of the Titanic, and are casing our privacy to sink to the bottom of the ocean. We have burned our life rafts and strapped ourselves to the deck. The problem is our dependence on these "conveniences" we can now not live without.

Convenience for ALL

[mi]

Closed source, open source, half-way open source - they all have holes the size of the Titanic, and are casing our privacy to sink to the bottom of the ocean.

Are you trying to say, governments haven't spied on and persecuted opponents before these modern-day conveniences appeared?

The problem is our dependence on these "conveniences" we can now not live without.

We can live without them, but the life will be, wait for it, less convenient.

They make living more comfortable. For everyone — including the s

Re:

[npslider]

Are you trying to say, governments haven't spied on and persecuted opponents before these modern-day conveniences appeared?

Yes, yes they have. But, never has it been easier. Modern "smart devices" are like having a KGB agent in every home, office, and bathroom.

We can live without them, but the life will be, wait for it, less convenient.

"Less convenient" these days is fast approaching "Impossible to live without" - practically the definition of addiction.

They make living more comfortable. For everyone — including the spies.

This makes spying much easier.. for the spies.

Re:

[geek]

Yes, yes they have. But, never has it been easier. Modern "smart devices" are like having a KGB agent in every home, office, and bathroom.

Mr. Madison, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

Re:

[npslider]

Your microphone has recorded your words.
Your not really encrypted messages have been stored.
Your location has been logged.
Your search history has revealed your preferences.

This took mere seconds. Agents of old needed days.

This is progress gentlemen. Embrace it.

Re:

[NatasRevol]

Well, with open source phones, you don't have to do that surreptitiously.

Re:

[tlhIngan]

Every time Richard talks about closed-source phones being used to surreptitiously track users' movements, take photos, and listen in on their conversations he sounds like a madman. But he's right.

Yes, he is. That's why this malware sold for $5 million for 300 installs ($16,667 per install). And Android ones go for practically nothing.

That's the problem with iOS - Apple can offer a $200,000 bug bounty, which is among the most generous in the business that beats the $25k or $10k offered elsewhere. But even t

The tipping point

[npslider]

The more we depend on technology, the more vulnerable we become to those that use it to erode our freedoms and privacy. I enjoy the benefits of using technology, it has made many things more convenient, and has also stolen more of my time than I care to admit...

It seems though, that now, no matter where you are, and who you are, the leash attached to our connected technology is tied to an increasingly meaner and nastier junk yard dog that is very hungry.

Apple Just Released an Update to Address This

[lawyer boy]

http://arstechnica.com/apple/2... [arstechnica.com]

Re:

[Anubis IV]

It's seriously frustrating how one-sided the reporting is here. Summaries like these blast Apple while failing to state the obvious: that Apple has already patched...

What's that? They did mention it in the summary?

Oh. Uhh...what was I complaining about again? What was the point of your post in the first place?

Re:

[lawyer boy]

The summary didn't have a link to the update and the FA had the update information several paragraphs down from the top. I just wanted to highlight the fact that an update was out there and link to a short announcement that had the relevant information. I did not offer any commentary or complaint as to bias or quality re: the summary.

Re:

[tattood]

PEBKAC? There's no keyboard or chair involved in text messaging. I think you are referring to the ID-10-T error.

Constitutional Amendment

[Anonymous Coward]

Maybe it's time to pass a new Constitutional Amendment:

1. Requires all government agencies (public or secret) to disclose all vulnerabilities known or discovered; immediately to the vendor of the product, and after 30 days to the public at large.

2. Requires the government to immediately break all treaties with countries whose government policy AND practice does not include #1.

Re:

[jfdavis668]

Which countries constitution are you referring to?

Remeber when...

[OfficeLackey]

Remember back in the day when law enforcement abided by laws and followed evidence using people called "detectives" to prevent or solve crimes. No wonder reruns of The Shield, Law and order and all those CSI shows don't make sense to my kids.

correction: click on a link \*in\* a text message

[blibbo]

... Pedantic, but it effects the readability and meaning (mistake in summary not article).

If you are an interesting person

[AHuxley]

What are you still doing using an Apple product years after PRISM?
The cost of collect it all access is down from NSA, GCHQ budgets to been per case cheap for a city, state or local gov task forces.
If you have to have a new cell phone to be part all local culture, be seen with it as a no battery fashion accessory.
A never powered decoy phone seen in surveillance images could induce a sneak and peak investigation uncovering gov interest that the phone.
Tracking a networked phone is easy nationally, having