Dozens of Journalists' iPhones Hacked With NSO 'Zero-Click' Spyware, Says Citizen Lab (techcrunch.com) 45
Citizen Lab researchers say they have found evidence that dozens of journalists had their iPhones silently compromised with spyware known to be used by nation states. From a report: For more than the past year, London-based reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called "zero-click" attack that exploited a now-fixed vulnerability in Apple's iMessage. The attack invisibly compromised the devices without having to trick the victims into opening a malicious link. Citizen Lab, the internet watchdog at the University of Toronto, was asked to investigate earlier this year after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected that his phone may have been hacked. In a technical report out Sunday and shared with TechCrunch, the researchers say they believe the journalists' iPhones were infected with the Pegasus spyware, developed by Israel-based NSO Group. The researchers analyzed Almisshal's iPhone and found it had between July and August connected to servers known to be used by NSO for delivering the Pegasus spyware. The device revealed a burst of network activity that suggests that the spyware may have been delivered silently over iMessage. Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone's camera, access the victim's passwords, and track the phone's location.
Targeting journalists (Score:1)
This one seems to be deliberately targeting journalists, which is worrying.
This source https://www.theverge.com/2020/... [theverge.com] suggests that it was groups associated with Saudi Arabia, which is worrying.
Journalism is getting to be a dangerous job.
https://news.un.org/en/story/2... [un.org]
Re: (Score:2)
Re: (Score:2)
Internet: Serious business.
No. Spying on Journalists is.
Re: (Score:2)
Seriously?!? This is serious business; and your only "contribution" to the discussion is to dredge up an ancient, hackneyed Anti-Apple meme?
Yes.
I'm so so so so so sorry, I didn't know it was "serious business", lol.
please let us all know when you write a piece of software the size and complexity of iOS or iMessage without any vulnerabilities
Pffft, I could do that tonight but Matlock is on in an hour.
Re: (Score:3, Funny)
Good thing Apple has a walled garden that keeps their users safe from being hacked. This kind of thing could never happen.
Re: Obvious problem.... (Score:5, Insightful)
Good thing Apple has a walled garden that keeps their users safe from being hacked. This kind of thing could never happen.
Or you could have Android; where this kind of hack wouldn't even be Newsworthy.
Re: (Score:1)
In general Google does a better job with security on their own code. Google has a much stronger security program, that has been around longer.
On the other hand, Apple seems to do a better job screening apps that they let into their store.
Re: (Score:1)
In general Google does a better job with security on their own code. Google has a much stronger security program, that has been around longer.
On the other hand, Apple seems to do a better job screening apps that they let into their store.
Who has been doing WHAT longer?!?
I think you've got some timelines backwards there, bub!
Re: (Score:1)
Google has a team focused on security that has been operating longer than Apple's security team.
That is because Google started focusing on security, and Apple started focusing on preventing people from jailbreaking. There's a huge difference between the two.
Re: (Score:2)
Do you realize what a jailbreak is?
Re: (Score:2)
Stopping a jailbreak is not the same as making your code secure. To make your code secure, you want it as open as possible so as many people can see it.
Apple did the opposite: instead of fixing their security vulnerabilities, they took steps to make it harder for jailbreakers to research their products.
Re: Obvious problem.... (Score:2)
Google has a team focused on security that has been operating longer than Apple's security team.
Prove it.
Re: (Score:2)
To begin with, I've read a bunch of Apple code and a bunch of the Google code, so I know.
Secondly, if you'd been around at the time, you'd know that the primary focus of iPhone "security" was to stop jailbreakers. If they'd been focused on security, they would have looked harder at their kernel code....
Re: (Score:2)
To begin with, I've read a bunch of Apple code and a bunch of the Google code, so I know.
Secondly, if you'd been around at the time, you'd know that the primary focus of iPhone "security" was to stop jailbreakers. If they'd been focused on security, they would have looked harder at their kernel code....
So, your answer is "Because I said so", right?
Ok, gotcha!
Re: (Score:2)
No, I gave a much more detailed answer than you did here [slashdot.org]. Wake up and give some evidence, you two-faced, stone-nosed sint comic. You have no evidence of that and you know it.
Re: (Score:2)
No, I gave a much more detailed answer than you did here [slashdot.org]. Wake up and give some evidence, you two-faced, stone-nosed sint comic. You have no evidence of that and you know it.
Still haven't seen one scintilla of proof.
You're the one making the allegation; therefore, you have the burden of proof.
Simply asserting that you have read some code and have some opinions regarding Apple's alleged motivations and priorities does not count as proof, BTW.
Re: (Score:2)
Simply asserting that you have read some code and have some opinions regarding Apple's alleged motivations and priorities does not count as proof, BTW.
Morons like you accept nothing as evidence.
Further evidence that you are a moron: you don't live up to your own standards. You give comments without proof.
Nope, Android is more secure. (Score:2)
However if you exploit one of the available system APIs and gain ability to use private Apple APIs, you can easily gain root access to the device. That's why there's been no real problem with finding jailbreaks - the attack surf
Re: (Score:2)
Nope, Android is more secure. Apple's iOS basically is an insecure leaking sieve.
Citation, please?
Sue Spyware Creators (Score:1)
If someone messes around with your stuff they should be sued.
Re: (Score:3)
Why can't these companies be sued out of existence?
spyware known to be used by nation states
I mean, the answer seems pretty obvious.
Re: (Score:1)
You still litigate the company that created(and knowingly sold) the software for the purpose of illegal use.
Sue, sue, and then sue again, repeatedly, from each person/entity involved.
You also start trying to pass legislation preventing this kind of software being sold at all.
Lastly, you start doing some investigative journalism on each of the companies employees. Every fucking one of them.
Re: (Score:2)
It would also be very difficult for an opposing state agent to claim foul ply while at the same time requiring state mandated backdoors in encryption.
Any quick way of detecting the infection? (Score:2)
Using iSH command line, not installing some one-use app.
Re: (Score:2)
Re: B-b-b-ut Apple protects my privacy! (Score:1)
My brother-in-law and that giant Apple billboard on 14th Street told me that iPhone is safe from all privacy invasions!
My GOD, could they be wrong?
Mods: interesting?!? In what conceivable way?
And BTW, Apple never said that iPhones are safe from "all privacy invasions". Show me where they did. I'll wait...
So you are a LIAR.
Re: (Score:2)
You might just be retarded.
Re: (Score:3)
C'mon, man, don't make me defend Apple.
Apple's security is about as good as other top-tier vendors' security.
With that said:
1. ~ All journalists use iPhones.
2. ~All iPhones are running the same version or just a few similar versions.
3. Developing an exploit for an iPhone gets you higher RoI than almost any other phone. So people focus on it.
Imagine the RoI on putting the same effort into developing a exploit for an LG Rebel with weird kernel hacks by Tracfone. It's basically not worth anybody's time.
Even
but seriously now (Score:1)
why do any messaging systems at all still support clickable links? that functionality basically exists now to spread malware
myself I simply will not click any link in any type of message full stop
Re: but seriously now (Score:5, Informative)
why do any messaging systems at all still support clickable links? that functionality basically exists now to spread malware
myself I simply will not click any link in any type of message full stop
Read TFS.
This exploit was serious enough that it required absolutely no action by the User. No one had to click on anything to become infected.
Live boot Linux phones needed and this is why: (Score:1)
Android and iDevices are walled gardens whose walls once breached trap the users.
Everything with inferior boot options to an enthusiast desktop motherboard is broken by manufacturer choice, but we tolerate crap because it's foisted on us.
Phones should be able to boot at user discretion from external media via USB and if the device they boot from is externally powered should be able to boot from any of the same typical hardware including non-writable CD/DVD since BIOS and UEFI are long-solved problems.
Users
Deliberate impediments are walls. (Score:4, Interesting)
Walls with windows remain walls. You're still confined to Android and a few custom phone-specific ROMs for all practical purposes though Linux distros can be run in containers. You can't boot a variety of distros on bare metal because Android makes rolling one's own much more work where practical at all. ROMs must be custom-built for the device. You cannot directly access or replace the phones firmware, just the bootloader. You cannot select from a wide range of boot devices because you're limited to bootloader mods.
You have every right to be happy that it suits YOUR use case, but it's still crippled by design. Consider Android didn't add something as basic as ethernet tethering until this year. https://www.androidpolice.com/... [androidpolice.com]
If you just need a phone to do ordinary consumer phone stuff that's fine. Others have different requirements the carefully imposed-by-Google walls deliberately interfere with. Must custom ROM users just want less bloatware which is fine for their use.
Every deliberate impediment imposed by software and hardware designers is a wall chosen to impose limits on users.
Every imposed limit imposed on phones (which are not more than small computers) vs. systems with greater user choice is a wall. There is no technical reason except keeping idiots from bricking their toys for the imposed limitations but most users never change UEFI settings on their PCs either and never install an operating system.
Walls are inflicted on customers to deter their easy use of utilities developed by techies wanting more control of their own device. (The desire for freedom is contagious!) There is no inherent reason a sufficiently powerful phone should not be a drop-in fully functional replacement for a desktop PC except maker choices to impede owner access. When I buy an object I want full control of what I paid for so I can use any subset of the options full control gives me.
What about older devices? (Score:2)