iPhone Flaw Exploited by Second Israeli Spy Firm

A flaw in Apple's software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, Reuters reported Thursday, citing five people familiar with the matter. From the report: QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients. The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique -- known as a "zero-click" -- shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said. "People want to believe they're secure, and phone companies want you to believe they're secure. What we've learned is, they're not," said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm. Experts analyzing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.

Less code = fewer points-of-failure

[Reiyuki]

I wonder if all these lazy security flaws will lead to smaller and simpler codebases? Probably not, but a man can dream.

Windows 2000 is probably more secure than 11 simply because there's so few things that can go wrong

Re:

[Valgrus Thunderaxe]

There's an axiom called Parkinson's Law [wikipedia.org] that posits work expands to fill all available employee's time.

It explains a number of phenomena such as why people are working longer hours even in the face of increased automation. It's relevant in this case, too, because in the case of a spy agency, you're not going to cut your spies loose at lunchtime, but you're going to increase their workload thus increase their spying.

Re:

[Merk42]

Fewer features too, and without new features every yearly update, people will be less and less interested in your product.

Re:

[Reiyuki]

I don't know about fewer features. Since Win2k we've lost animted .gif's in the photo browser, integrated sound recorder and calculator, and the IO performance was much better since there weren't 40+ extra services running in the background. I still have an ancient Asus EEEPC from the early 2000's running XP that does basic video+web browsing+office functions as well as my Win10 desktop.

Re:

[Merk42]

I wasn't referring to Windows, I meant if iOS stopped adding new features every release and/or removed them.

Re:

[Reiyuki]

Ah, gotcha. Though in a sense the same principles apply re: 'do a few great or do a thousand things OK'.

Re:

[antdude]

W2K was cleaner, simpler, etc. It was the best Windows version of all time!

Re:

[Reiyuki]

Yeah, 2K was definitely the pinnacle, but thankfully XP was almost as good. I'd still run it on my main desktop today if drivers were still supported.

Re: And iPhones costs a kidney...

[ArmoredDragon]

TFA speaks about phones in a broad sense, but these guys aren't actually breaking into Android phones, they're just breaking into iPhones. They break into some older Android phones, but not any recent ones, except maybe some cheapo third world brands that sell for $30 brand new.

Re: And iPhones costs a kidney...

[Ronin Developer]

Or, they are biased in their hacking and/or reporting.

But, it lends fuel to the fire why allowing side-loading apps is a bad thing.

Perfect or nothing

[burtosis]

It’s worth stating there is a large difference between nation state actors pouring billions of dollars into discovering and exploiting flaws in a system and some small group with no real expertise or money in a country with no extradition laws putting malicious links into ads. There will never be a defense against for former for everyday consumers while robust protection against the latter is achievable.

Re:

[phantomfive]

Meh. Before Apple bought them out, the jailbreaking community was finding a constant stream of security vulnerabilities.
Apple didn't fix them, they just made them harder to find.

Re:

[burtosis]

There is a pretty big gap between having unfettered access to the physical device and hacking it open from across the world with no interaction by the user. To the point it’s not really comparable at all. Also, this isn’t limited to iPhones, it’s a general truth.

Re:

[phantomfive]

iPhone jailbreaks are all done through finding security flaws.

Use vs. Abuse

[mi]

The same hammer can be used to punch nails building a house, or abused to smash nails (and fingers), when torturing someone [cnn.com].

was simultaneously abused by a competing company [reuters.com]

To use the term "abused" is to betray a POV.

The linked-to article does not provide examples of use by the company, that could be identified as abuse. In fact, it cites no examples of such use at all, which means, they consider any use to be abusive.

What would these same people have thought of Alan Turing's (ab)using his Mathematical (and

Re:

[splutty]

If it's an unpatched vulnerability, it's by definition being abused, since it's used in a not intended way.

Whatever they're actually using it for is in that respect fairly irrelevant.

Re:

[mi]

If it's an unpatched vulnerability, it's by definition being abused

I don't think, that's in the definition [princeton.edu], but you do.

Which also makes Alan Turing into an abuser, in your opinion. And so was this guy [slashdot.org] and others like him.

Re: Use vs. Abuse

[Rujiel]

The abuse comes when the software is sold to despots, drug gangs and other repressive states, like NSO group does.

does encrypting all my data help ?

[cats-paw]

if my phone's data is encrypted can these attacks somehow get through that ?
do they allow recovery of the key ?

i don't mean while i have the phone. if i ever enter my passphrase while it's owned it's no longer encrypted.

but if it's stolen, is the data still safe ?

Re: "For Government Clients"

[PPH]

Why is it legal for them to do it but not us?

They have bigger guns than we do.

Re: "For Government Clients"

[NagrothAgain]

Why is it legal for them to do it but not us?

Depends on the country. In a general sense, because the law allows the government to perform certain hostile activities in particular situations. It's not any different than asking "why is it legal for the police to lock a person inside a cage, but not us?"

iPhones Secure?

[Arzaboa]

Anyone that understands even the slightest bit about how the world works should know that these things are only as secure as the laws that protect data being subpoenaed.

As a regular user, the only thing I want my phone secured from is the random traffic cop, wife, lover, child, or misplaced phone. There are many ways to otherwise track a person outside of having their iPhone in your hand.

As a business user, iPhone are not on the list of "secured devices."

If a nation state wants to track you, they have many options. Your iPhone is only one of their options.

--
If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom. - Dwight D. Eisenhower

Relax, it's cool

[Great_Geek]

Why are people worked up over this? Israel is the "Good Guy" with a seal of approval by the USA. Before dissing this, you need to diss all the CIA/NSA/... hacks, backdoor, legal taps, illegal taps, and so on.

Re:

[sneazzy95]

For me, iPhones has no flaws. But it's just my opinion. https://tweakbox.mobi/ [tweakbox.mobi] https://tutuappx.com/ [tutuappx.com]