Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Iphone Security Apple

Despite the Hype, iPhone Security No Match For NSO Spyware (washingtonpost.com) 116

International investigation finds 23 Apple devices that were successfully hacked. From a report: The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn't know delivered malware directly onto her phone -- and past Apple's security systems. Once inside, the spyware, produced by Israel's NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International's Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO's signature surveillance tool, during a time when she was in France. The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials.

The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction. And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person -- in Mangin's case, a Gmail user going by the name "linakeller2203." These kinds of "zero-click" attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance -- and built marketing campaigns on assertions that it offers better privacy and security than rivals.

[...] Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple's reputation for superior security when compared with its leading rivals, which run Android operating systems by Google. The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty's Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones -- 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

This discussion has been archived. No new comments can be posted.

Despite the Hype, iPhone Security No Match For NSO Spyware

Comments Filter:
  • by Tablizer ( 95088 ) on Monday July 19, 2021 @10:32AM (#61597473) Journal

    such that it's a matter of degree. If you have good security, only big crime organizations and state actors with billion-dollar-budgets can get in. If you have lousy security, then every script kiddie and their dog can get in.

    • Even when you have amazing security, shit happens. See my job as a Security Manager is infinitely harder than my job as a Blackhat hacker. A red team only has to find a single vulnerability a blue team must defend against both the known and unknown. Nothing is completely secure and as you increase security you increase complexity and cost. People tend to break physical security for convenience.
    • I believe we will see unhackable computers and operating systems appear in the next decade or so.

      Several U.S. universities recently completed an unhackable computer called Morpheus, which continuously alters its op-codes, making hacking unfeasible.
      • by Anonymous Coward

        The idea that unbreakable system pieces such as a so-called unhackable computer will provide for unbreakable systems is naive and fails to account for the scope of the problem.

        A functioning system consists of multiple pieces, communication methods, operating systems, operational software, and of course: people. All of these items have to be as unbreakable as the "unhackable" computer.

        Anything above a trivial level of complexity will have weaknesses and will be only as invulnerable as the weakest link.

        • by Tablizer ( 95088 )

          Indeed. It may be fool-proof at the binary level, but a bad API or OS bug could still give hackers admin access. We could have super-simple OS's and software, but then we'd sacrifice features and/or development time.

          It would be hard to compete if your product is say 5x costlier than the competition. Customers will be dubious of your claim that it's "significantly more secure". They have no direct way to verify. Customers/consumers can only go by what they can verify, and careful security engineering is hard

        • I believe that above computer would be unhackable, it would also not be capable of of running any software

          which continuously alters its op-codes

          The ultimate in trading convenience for security.

          • You only have to stop it from being able to install and run new software; eg, be appy. If it can't app, it doesn't need to be hackable.

            Eventually we'll presumably figure out what tasks we actually want to carry around in our pockets, and then we can just have devices that do those things, and don't update or install anything at all.

            • > Eventually we'll presumably figure out what tasks we actually want to carry around in our pockets, and then we can just have devices that do those things, and don't update or install anything at all.

              How much would you pay per month for that device?

              If you answered anything less than 30 2021 dollars, there is precious little motivation versus things you can pay for apps on.

              If you answered something like, oh I will just buy it once, it does not even update!
              â¦then you will be waiting a long time

      • So here's the thing - if you can access the bank web site on the device, so can I.

        I'd they actually scrambled the opcodes (they didn't), indeed it would be harder for me to exploit the device, because I'd have to use the translation table just like I do for polymorphic malware, which actually does apply a random function to the opcodes. (Meaning F is a member of function family R, NOT like Java random()). HOWEVER, that would also make it ~ impossible for YOU to use the device, because you don't know what t

    • by Surak_Prime ( 160061 ) on Monday July 19, 2021 @11:31AM (#61597757)

      You know... at least until the tools the big boys develop get out onto the 'net and into the hands of the script kiddies.

      • Please mod parent up: We currently have the CIA's toolchest of hacking, surveillance, & offensive software out in the wild. CIA & FBI employees moonlight for private security firms so industrial espionage with govt. tools is also an issue. All this weakens agencies' internal security, making international leaks more probable.
        • by GoTeam ( 5042081 )
          Maybe they never realized that creating software "weapons of war" would be a bad idea. When is the last time a 16 year-old took an F-35 or M1A1 Abrams out for a spin? Not the easiest thing to do. Now software... it seems like if you are determined enough, you can get the government made software weapons pretty easily. Both tools can cause chaos, but one is a bit easier to get and replicate.
    • The problem is a lot of people think good security is just a technical thing. While there is a larger and more complex social and policy issue that needs to be addressed.

      No matter how many million or billion of dollars you put into security. If Mr. Bossman decides to click on that link, installs that software (because he is the Boss so you cannot say No for his request for elevated access) Then boom, your whole organization is down. Despite not being able to get in from the outside.

      • I wonder if anyone has developed a clever "bossman" config which gives them the apparent elevated access with no restrictions (which is mostly web browsing) but in a way where they're breached, it doesn't matter much.

  • These kinds of "zero-click" attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance -- and built marketing campaigns on assertions that it offers better privacy and security than rivals.

    Bars pretty low on the competition anyway.

  • by NateFromMich ( 6359610 ) on Monday July 19, 2021 @10:33AM (#61597479)
    Just keep that in mind and you should be ok. Just assume all the data on it can be viewed by a government entity whenever they feel the need.
    • by Tablizer ( 95088 )

      Shit, Xi then knows I'm wanking off to his wife. That's okay, he's probably wanking off to mine.

  • It's harder for me to believe that uber-elite hackers have uncovered all these unpatchable zero-day vulns than it is to believe that Apple was just forced to leave the door open for the spies.

    • by raymorris ( 2726007 ) on Monday July 19, 2021 @11:55AM (#61597841) Journal

      It's hard for you to believe that the millions of lines of code in Apple's software has a few mistakes? A couple things the developers didn't think of?

      If it's truly hard for you to imagine that people make mistakes, or overlook things, I can only assume you haven't met very many humans.

      I TEACH programmers how to make more robust software.
      I've been studying how to make better, more secure software for over 20 years. Still, my code is nowhere near perfect.

      • It's hard to believe that whatever persistent vulnerability these tools exploit has remained unpatched. I don't get the impression that NSO group is using a new exploit every other week as their previous hole gets closed. They wouldn't be able to guarantee the results the do if they don't know they'll have the same access a week from now. Maybe I'm wrong.

        • Thry only need to find a new one when Apple stumbles upon the one they're using. Which seems to be about once every 18 months or so.

        • If you look at the IOS update cadence [wikipedia.org], the zero-day exploits are really several-months exploits. Apple likes to push large updates, whereas small security patches would be more desirable. I don't care about the broken in a fresh new way itunes update. Give me the crucial security updates as soon as you have them throughly tested.

          • It's already hard to get people to install updates, and people complain ferociously if you install updates without them asking. If you increased the cadence to, say, twice a month, some people would just stop updating their phones. They'd see the red badge and learn to ignore it. You could legitimately make the problem worse by increasing the update frequency.

            I was on the beta track of Telegram for a while, and it would pop up an Update badge several times a week. Sometimes several times a day. I started hu

            • So decouple those updates from the system itself. Turn them into apps. This is how Google has been trying to combat fragmentation in Android, and it's working to some degree.

              Regardless, Microsoft learned that update cadence for critical security risks is a bad thing. They release critical updates as soon as they're available now. Apple needs to catch up
      • by AmiMoJo ( 196126 )

        We had the source of the GOTO Fail vulnerability. It was interesting, the sort of thing that static analysis should have pulled up. That suggests that Apple doesn't do static analysis, or at least not 100% coverage.

        In fact if they had a decent set of compiler warnings enabled it would have flagged up unreachable code.

        If it wasn't deliberate it was a pretty alarming mistake.

  • ... and shit like this is why I still own and use a POTS analog landline and rotary dial phone. In the US at least, you need to go through a bunch of procedural paperwork in order to legally tap my line. It's not perfect, but its a LOT better than the cell-phone world.

    • But what's the point? As soon as you speak to someone, I bet 99.9999% of your calls end up on a cellphone.

      • Actually there is only one person whom I talk to on their cell, the rest is office phones.

        • by larwe ( 858929 ) on Monday July 19, 2021 @11:09AM (#61597669)
          Office phones. So you mean VoIP phones connected to an on-prem Windows or Linux server thatâ(TM)s SIP trunked to the PSTN (over the Internet), probably managed over the Internet, and internally within the office, traffic carried by commercial Ethernet switches et al. No possibility of compromise there! Heck, a great many office phones directly connect to a cloud PBX over the Internet. You canâ(TM)t possibly believe youâ(TM)re on a secure connection unless you control AT LEAST both ends of it.
    • Do you have reason to think that you are interesting enough to spy on?
    • OMFG your not serious are you. I can tap your line with $5 in parts and about 15 seconds in time, and never even touch your property. Phreaking was much bigger than hacking. The PSTN was the original playground.
    • by Anonymous Coward on Monday July 19, 2021 @12:28PM (#61597999)

      Having been a POTS guy for several decades I can tell you definitively that faith in the security of your "analog" rotary calls is severely misplaced.

      It is only analog between you and the Central Office at most, after that it is all digital. Most of the communication has been converged onto IP out of the CO. The entire telephone system is ancient and has mostly security by obscurity. Things like caller id and local number portability depend on assumptions that they are secure rather than actually being engineered from the ground up to be hardened. All of the weaknesses have roots in an ancient system that has had to maintain backwards compatibility while requiring changes to be acceptable to any incredibly diverse user base of telcos and national interests.

      SS7 security is a joke.

    • by tgeek ( 941867 )
      You don't know the old joke about the NSA's phone number? "You don't need it - you just pick up your (POTS) phone and start talking"
    • Legally? When did that start mattering?

  • Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple's reputation for superior security when compared with its leading rivals, which run Android

    No security is 100% effective, especially not when you are talking nation level funding and expertise devoted to finding holes, and the ability to deliver over something like an SMS network.

    But this statement seems to be making the claim that somehow Android is immune to this attack as well? I don't think so.

    • Android could very well be immune to this particular attack, because Android doesn't have iMessage.

      What I'm wondering about, however, is this part:
      "Amnesty's Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones -- 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection."

      So if all iOS devices are vulnerable, how did those

      • by XXongo ( 3986865 )

        Android could very well be immune to this particular attack, because Android doesn't have iMessage. What I'm wondering about, however, is this part: "Amnesty's Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones -- 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection."

        And you should wonder about that sentence. It lists the number of smartphones examined but then quotes the number of iPhones hacked. Without knowing what fraction of the phones were iPhones, the sentence tells us nothing useful about the relative hacking of iPhones and Android phones.

        (but... the fact that 11 of the iPhones has attempts at hacking thad didn't succeed is also interesting. Presumably there had been a software patch that closed the hole? but some phones had been infected before the patch came

        • The proportion of iPhones hacked almost doesn't matter either. Presumably most people being hacked are fairly wealthy or have something else interesting about them, and we know that iPhone owners tend to be better off. If 100% of people that have something worth hacking own iPhones, then 100% of phones hacked will be iPhones. So you'd also have to know the demography of the targeted group.

      • by srg33 ( 1095679 )

        Just my speculation: maybe the attempt is/was the message and the infection needed to leverage a vector in another fairly-common but not universal app?

      • So if all iOS devices are vulnerable, how did those 11 devices ended up not being infected? Something's wrong here.

        Software version differences(maybe it's a new exploit to iOS14), MDM configuration, presence of certain settings or other software packages that may not be universal, certain permissions granted to certain apps, etc etc etc.

    • by srg33 ( 1095679 )

      Come on fanboy.
      You know (grammar) that the article did not (implicitly/explicity) indicate that Android is/was immune to anything.
      The point is that Apple claims superiority and does not seem to deliver.
      The simple fact is that a text message should not have the ability to do anything; the messaging app. can notify the user of the arrival etc.
      But, remote code execution here is ridiculous: Apple failed.

      • by XXongo ( 3986865 )

        ...The point is that Apple claims superiority and does not seem to deliver.

        More specifically, the point is that Apple claims superiority but does not seem to be perfect.

        Not enough info in the article to tell if they're superior or not. The article does show that they're not perfect.

    • "Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple's reputation for superior security when compared with its leading rivals, which run Android"

      That statement is clearly saying that Apple doesn't have SUPERIOR security. Being superior to something means "better than". How does that suggest saying that Android is immune? The most likely reading is they're equally hackable. The only other alternate reading is Android is better; but better still w
      • "Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple's reputation for superior security when compared with its leading rivals, which run Android" That statement is clearly saying that Apple doesn't have SUPERIOR security. Being superior to something means "better than". How does that suggest saying that Android is immune? The most likely reading is they're equally hackable. The only other alternate reading is Android is better; but better still wouldn't imply completely immune. But of course, if you didn't misunderstand things then go off on the meaning you've imagined, I could see it posing quite the challenge for your other beliefs, Kendall.

        I would take your comments seriously if it cited a real world comparison of Pegasus infection rates between iOS and Android. However, since you went for "Apple device security sucks because somebody on the internet who is hidden behind a shitty paywall says so!!!" I'm going to write you off as either an idiot, a troll or both rolled up into one.

        • I was talking about the English language meaning of the quoted comment, not making a determination of whether it's true or false. Reading comprehension people, really. Write yourself off as having the reading comprehension of a toddler. Direct your attacks at the author of them.
    • No, the statement just said what it pretended. You're the one that is reacting as a fanboy.
    • Seriously just becoming a carrier and your golden. All these MVNO companies work on the honour system.
    • Far from, but Apple iPhone is used by almost all the wealthy and important individuals here in the U.S. so it's no surprise that NSO is targeting iOS.

      Android is for the plebs.
      • by tsqr ( 808554 )

        Far from, but Apple iPhone is used by almost all the wealthy and important individuals here in the U.S.

        Well, at least that's what Apple would like to be the case. I don't suppose you have a credible citation to back up that statement, or a rational explanation of where the "plebs" are getting the money to buy $1000+ Samsung phones?

    • by raymorris ( 2726007 ) on Monday July 19, 2021 @12:09PM (#61597899) Journal

      The school of Cybersecurity at Georgia tech did a study on that. A peer-reviewed study led by people who have PhDs in the field, not random fanbois on Slashdot.

      What the study found is that in the default configuration, not side-loading "hacked" apps from warez sites, both platforms are actually very secure. Far above Windows, for example.

      The proportion of infections was about the same for iOS and Android, both far better than Windows.

      • Please repeat that study with the third option: an Android phone with only apps from F-Droid and no Google account. Asking for a friend.
        • While I don't have a proper study for F-Droid, I can share my viewpoint as a career security professional who is also an open source developer.

          I would be comfortable installing from F Droid if and only if:

          I actually need the app. Any app is a risk, so don't install shit you don't need.

          I've looked at the permissions on the app and they make sense.

          Often, the permissions on PUP give it away because most people don't bother to look at permissions. So the authors of these apps often don't bother with any sophist

          • Thank you for your time and answer. Makes sense, to avoid drawing over, and to check the permissions. On F-Droid, the permissions are very restricted, and typically explained in detail. I've yet to come across a permission request that I found doubtful. But then, I also stick to your other point, only install what you really need. Everything eats up memory and battery. I think the last 3 programs I installed were official government Corona apps...
    • by AmiMoJo ( 196126 )

      Would be interesting to have a list of vulnerable phones. iPhones are very common so are a lucrative target, but I bet a lot less effort goes into cracking say a Google Pixel's security.

    • The simple fact remains that Apple has been head and shoulders above Android for everyday security that protects against most spy/malware.

      This "simple fact" isn't actually true. By every objective measure I know of -- CVE count weighted by severity, hacking competition results, 0day payouts -- Android security is better than iOS. Of course, this assumes that your Android device has received the latest security patches and doesn't contain any manufacturer-installed malware (which is especially problematic among lower-tier devices).

      Interestingly, I think the reason Android security on patched-up devices from good OEMs is better than iOS is because Android OEMs fail so badly at delivering security updates. The Android Security team at Google (of which I'm a member) has had to focus on developing resilient security infrastructure because we know that many devices won't receive updates when vulnerabilities are found. The most important such component is SELinux, and the very restrictive way it's configured on Android devices. The result of that effort is that when an attacker finds a vulnerability that gives code execution in one system component, they usually find that their exploit doesn't actually get them to anything of value. At best it offers them a springboard from which they can try to exploit some other vulnerability, and so on until they maybe eventually reach something of value. Successful modern Android exploit "chains" tend to require sequences of 5-10 separate vulnerabilities. This makes successful exploit chains rare and hard to find.

      iOS, in contrast, has little of the internal firewalling that Android has, and as a result it typically only takes one or two vulnerabilities to completely compromise the OS. The reason that iOS hasn't focused on developing resilient security is simple: Apple can react quickly and effectively to patch vulnerabilities when they're discovered, because Apple controls the updates.

      But when you have an Android device that both has all of that internal compartmentalization and the latest security patches, the result is very good. Look at the history of MobilePwn2Own competitions, for example, and you'll find that the only phone that typically survives unscathed is the Google Pixel, and that the most-broken device is the iPhone. Similarly, look at Zerodium's 0day payouts.

    • Are you seriously saying Android is immune?

      MacOS doesn't have the same vulnerabilities as Windows. I can't exploit a Windows Print Spooler zero day on MacOS. So, yes, it's entirely likely that "pegasus", as a defined software exploit, doesn't affect Android. Android has its own

  • Um, duh? (Score:5, Insightful)

    by argStyopa ( 232550 ) on Monday July 19, 2021 @10:42AM (#61597531) Journal

    If the NSO doesn't have at least a handful of people in critical roles in both Google's Android OS teams and Apple's iphone teams (as well as any other dominant phone developer) I'd be both fucking astonished and frankly a little disappointed.

    To be clear, I mean surreptitiously, NOT with the awareness or agreement of those firms.

    They may well have people officially on their teams to liase with the government, but intel organizations would be pretty incompetent not to have wormed someone onto those teams (or suborned someone already there) that they're NOT aware of and very likely might be one of the more passionate "don't cave in to fucking Uncle Sam, yo!" characters, although frankly that would be a bit obvious.

    • I have to think it would take more than one or two plants at Apple and Google to ensure certain exploits exist or stay unpatched. Occam's Razor tells me these co's are being forced to allow ways in.

      • A back door into their developer network would let them install "flaws" granting the access they want, and also allow scanning the source code for flaws. Or they could show management a National Security letter ordering the back door and not worry about it getting removed. Or they could threaten to ban any phone that doesn't have government back doors.
        • The NSL is what I believe happened. Even one person granting a bad actor access to the developer network would be detected, no?

    • Why not organized crime has and apparently some unfriendly governments.
    • by AmiMoJo ( 196126 )

      There is still some anti-Semitism because of this worry in engineering. Stuff might get back to Israel and be weaponized, the engineers might be malicious or agents of the Israeli government/some Israeli corporation.

      Very similar to the sinophobia experienced by Chinese people in engineering at the moment.

      Of course for some of us the bigger concern is National Security Letters, or NSA/GCHQ not disclosing issues they found.

      • by ebvwfbw ( 864834 )

        Really Ami? Security is not anti-Semitic or anti-anything else. There is no such thing as sinophobia. Let's stop with the made-up word BS and PC.

        Work with someone at the Taiwan embassy downtown and ask them about China. I have. You have to understand China wants them back and wants to kill a lot of them. That's no sinophobia, that's the hard truth reality. There is also the fact they ARE Chinese. China in fact does bad and even horrible things. It's the ideology that's bad, not the people.

        Security is securi

  • Stallman (Score:5, Insightful)

    by Parker Lewis ( 999165 ) on Monday July 19, 2021 @10:55AM (#61597603)
    Let's pretend that Stallman never alerted about those scenarios.
  • Nothing in the article supports the assertion that Android phones are immune to Pegasus attacks. It does make it clear that iPhones are not immune, and possibly even less secure than their Android counterparts, despite Apple's marketing to the contrary.

    Of course, if you are part of Google's Android universe, there may not be any need for Pegasus. The right nation state may only need to ask their liaison at Google for everything the know about you.

    • That should be the takeaway: iPhones are vulnerable to known attacks. Androids may no be vulnerable to the same attacks but that does not mean they are invulnerable to any attacks.
      • That should be the takeaway: iPhones are vulnerable to known attacks. Androids may no be vulnerable to the same attacks but that does not mean they are invulnerable to any attacks.

        Certainly not. However, I think there is good evidence that patched-up Android devices from quality manufacturers (yeah, lots of qualification there) are significantly less vulnerable than iPhones. https://apple.slashdot.org/com... [slashdot.org]

    • by AmiMoJo ( 196126 )

      Remember that Apple is the one which operates in China, under Chinese rules which include the law requiring them to assist the government with access to data. Chinese iPhone user's data is stored in China.

  • by TimHunter ( 174406 ) on Monday July 19, 2021 @11:08AM (#61597663)
    From the main story about the NSO software https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/?itid=lk_inline_manual_14 [washingtonpost.com]

    Amnesty's Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.

    For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty's detective work.

  • I hereby advise Apple to switch to a micro-kernel type architecture for its operating system, which is much safer, even if the software running on top of it isn't.
  • It's worth noting that, on iOS phones, iMessage can be switched off, resulting in all text messages using SMS. Personally I prefer this setting because I don't want my text messages received on other devices that share my Apple ID.
    • by nadass ( 3963991 )
      How many actively-used devices do you have (but not use) which share your *free* Apple ID?!

      If you're actually concerned for eavesdropping, then you would activate another Apple ID rather than share your primary account across devices you do not exclusively use...
  • We canâ(TM)t really know anything without some more information. If they donâ(TM)t have it, how can they know the infection was succesful?

  • and produce an update that renders this NSO malware/spyware inert and useless to the goons & spooks that use it against iphone users
  • So how does one go about detecting this on an iPhone ?
    • Very simple - and this works across makes / models of cellphones:

      If you're a political activist, a union leader, an elected official, a CEO of a large company, an international spy or some other kind of person of interest, your cellphone is likely compromised by some sumbitch's spyware for nefarious purposes.

      If, on the other hand, you're a ordinary person - like 99.9% of the population - then you're only spied upon by Apple or Google for crass commercial reasons.

  • by dromgodis ( 4533247 ) on Monday July 19, 2021 @01:14PM (#61598213)

    From TFA:

    an iMessage from somebody she didn't know delivered malware directly onto her phone

    and

    she has received a mysterious message from an unfamiliar person -- in Mangin's case, a Gmail user going by the name "linakeller2203."

    I don't think you can send imessages through gmail, so which vector did she get infected through?

    • You can configure iMessage to display a verified email as the senderid.

      An iPad without cellular service for example can send iMessages with user@example.com in the sender field.

      Even an iPhone user can trivially change a setting to do this.

  • I don't listen to Apple's advertising on how good their security is. I only look at how difficult they say their own systems are to break:

    https://developer.apple.com/se... [apple.com]

    Below this is converted to the price of one median Apple engineer (USD 300k/yr, no benefits) working on an exploit.

    iCloud

    Unauthorized access to iCloud account data on Apple Servers / 4 months

    Device attack via physical access

    Lock screen bypass / 4 months

    User data extraction / 10 months

    Device attack via user-installed app

    Unauthorized a

  • The phone hardware, telecom network gear, and servers the phones connect to are compromised. The only way to have secure communications is to not be even be near a mobile phone.

  • If NSO can deliver payloads that will silently and effectively hack the phone of any target the purchaser chooses, then it is reasonable to assume that the same company also sells solutions to prevent this. After all, they know the capabilities and weaknesses of the software they write. The company also has a need to prevent their own products being used against themselves.

    And if use of the software can be bought for a certain sum of money, then the countermeasures to render it ineffective will fetch many

    • > If NSO can deliver payloads that will silently and effectively hack the phone of any target the purchaser chooses

      Why not put a hardware read-only switch on the phone. Oh wait, then the spooks won't be able to remotely compromise your “secure” communications.
  • Isn't it illegal to produce a totally secure mobile phone. At least it is in the European Union. Security is secure enough to keep out the casual hacker but not the state security apparatus. Apart from the NSO Spyware, there must be half a dozen ways of back-dooring the equipment. assurances otherwise from the manufacturers are entirely specious.
  • Lets hope Apple gets a look at this so they can pull the malware apart and figure out how it works and fix the flaws its using to get in.

  • by shm ( 235766 ) on Monday July 19, 2021 @07:45PM (#61599327)

    The analysis says that iOS has logs which helped them find the breaches while Android does not have the equivalent.

    Doesnâ(TM)t Android ship logs to a developer if an app crashes?

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...