> We were unable to retrieve these binaries from flash memory, as we did not have access to a jailbreak for iPhone 11 running iOS 13.5.1.
It’s ironic that the exploit is able to plant arbitrary code on an up-to-date device and yet the owner of the phone can’t introspect their phone to see it themselves because they don’t know how to bypass the protections :/
How come when we hear about this stuff it is always Israeli companies involved? Is ethics not taught in Israeli Computer Science curricula? Those who wrote this exploit are clearly "brilliant" and at least some of them are bound to be reading Hacker News. Is other countries' spyware firms just better at hiding their malware than Israel's is?
> How come when we hear about this stuff it is always Israeli companies involved?
Everyone seems to be focusing on the "always" in your statement, so I'll ignore that and give you a straight answer.
Strong investment in STEM education, after-school programming and computer security programs, mandatory military service where they get a chance to evaluate everyone and funnel the smart technical folks into Unit 8200, and heavy investment into security startups.
Israel also benefits from everyone else depending on their tools. Not only do they get to see the intelligence being collected by other countries and gain insights into their espionage operations, they also would be able to piggyback into any networks that were of particular interest.
Israel has mandatory military service and part of its military is an elite hacking group known as Unit 8200[0]. Members of this unit who leave the military have founded a huge number of information security and antivirus companies based in Israel (mostly in Tel Aviv)[1].
It's not always Israeli companies. For example we have seen attacks on journalists, NGO workers and activists from Hacking Team, which is Italian, FinFisher / Gamma International, which is German or British (IIRC), then there are other hacking groups for hire from India. Of course then there is state stuff from Russia, China, amongst others.
When HackingTeam was exposed, no one was asking to sanction Italy. Hating on Israel specifically is a very cool and woke thing to do. Has been for decades.
It’s called selection bias. It’s fun and always acceptable to hate on Israel. It’s also more memorable due to the sensationalization of it.
A few years ago bluecoat systems was caught providing deep packet inspection gear to the Syrian government. But that wasn’t Israel so no biggie and you either never heard about it or didn’t pay much attention because it wasn’t Israel.
American and European companies do this all the time but it’s not sensationalized to the same degree. That’s just business as usual.
> How come when we hear about this stuff it is always Israeli companies involved? Is ethics not taught in Israeli Computer Science curricula?
Personal opinion, but I think the mandatory army service in Israel seems to teach that everything is 'defense' and Israel is always 'defending itself', no matter what, this sort of thinking then bleeds into the private sector as these guys leave the military and use the skills they learned there to establish businesses.
Having interacted with the Palestinians during their army service as 'the enemy', the victims of NSO undoubtedly fall into the same category, thus not worth losing their sleep over.
If I had to guess.... as a person who once did a fair amount of business in the middle east, but Egypt and not Israel...
I had a former customer there _go out of business_ when the Barack Hussein Obama (mmm mmm mmm!) administration supported an attempted putsch by (in my customer's words) "The Retarded F___ing Nazis who killed Sadat for making peace with the Jews."
Israel and the non-Brotherhood Arab countries face the burdensome situation that their most reliable "ally" is a country that depending on the politics is going to support the Brotherhood _and_ the large wannabe-hegemonic Russian satellite state trying to develop nuclear weapons. (Oh, and funded said state's reconquest of Syria in the process). Said schizophrenic state also has a massive surveillance system of its own.
My guess: they all don't look at this as a violation of civil rights or ethics, they look at this as a means for the little countries like them to get a leg up on some of the insane intelligence agencies of the large countries that are funding enemies both domestic and foreign.
It was awesome when Facebook deleted NSO group employees personal profiles. And then they whined about it. The silver lining of Facebook owning WhatsApp.
As someone that isn't a developer, I wonder how many zero days come from people inside the software team. To simply have knowledge of a difficult bug that hasn't been resolved would seem to be valuable commodity in a closed source system.
* firstly, not many people outside the security world know that bugs are a valuable commodity for attackers. Same thing with internal org diagrams, which are something you can sell to economic intelligence firms.
* secondly, top-tier orgs like FAANG usually pepper a lot of telemetry around known bugs in production code in order to see if someone isn't exploiting them (or simply to better track down the root cause).
I didn't think this was true until I read Permanent Record, where Snowden talks about how the agencies could get stuff done through bribes or planted employees. Since knowing that, I've become a lot less certain.
So, iiuc, this "zero-click" hack involved iMessage and payloads apparently injected via Apple's domains and the exfiltration of data through a tor-like network eventually reaching malicious servers.
Is anyone aware of any (FOSS) software (presumably intrusion detectors or indicators of compromise) for mobile phones that might help flag or even prevent such attacks?
TinyCheck [0] comes to mind, but it isn't truly mobile. TrackerControl [1] and Guardian Firewall [2] are perhaps the closest to something like this but concentrate on privacy more than on security.
Most likely the malware is using SSL so packet sniffing from an external device isn't gonna work. And it's apple, so at best you might find a firewall among their tightly locked down app store. Don't worry, apple knows what's good for you far better than you ever could
::eye roll::
> Is anyone aware of any (FOSS) software (presumably intrusion detectors or indicators of compromise) for mobile phones that might help flag or even prevent such attacks?
Assuming such applications existed, how would you install them on the "suspect" iPhone?
Assuming you were able to install such applications, you'd still not have any access to or control over the baseband (which I strongly suspect has plenty of issues of its own).
Assuming the malicious software avoided using Wi-Fi and used only the cellular data connection for command and control, exfiltration, etc., it'd be damn near impossible to monitor the ("plain-text") data being sent and received (assuming such software would make use of private certificates -- or asymmetric encryption, in general -- to avoid being MITM'd itself, which seems like a reasonable assumption).
--
EDIT: This got me thinking, "what would be the most secure way to keep and use a mobile phone?" (assuming one could not simply avoid doing so).
My first thought is to use a mobile phone with the baseband radio(s) (verifiably) disabled/removed (if that is even possible?) or -- even better -- a Wi-Fi only device (similar in function to the old iPod Touch, for example) on which one used only SIP applications for calling (ideally via an "internal PBX" shared by all of one's correspondents) along with one's preferred E2E-encrypted messaging applications (e.g., Matrix, Signal, WhatsApp, etc.), all of which are used (importantly!) exclusively over an always-on VPN connection.
In instances where Wi-Fi was unavailable and/or one had no other options, a "mobile hotspot" or another ("real") mobile phone acting as one could potentially be used.
I'm interested in hearing thoughts on this idea (including any reasons why this is a bad idea that didn't occur to me during my two minute thought experiment), any other similar ideas that others have had, or any actual practices that are actually being used.
> regularhours.net and holdmydoor.com appeared on a Turkish CERT list in November 2019
> we observed MONARCHY and SNEAKY KESTREL continue to use these domain names in attacks through August 2020.
Interesting to see that the malicious hosts are not in any standard blacklist or safe browsing databases for browsers while Turkey's CERT has been sink-holing them via ISPs on a national level since at least 2019.
More generally, is there a known correlation between kernel panics and exploits, especially on macOS?
> Almisshal’s device shows what appears to be an unusual number of kernel panics (phone crashes) between January and July 2020. While some of the panics may be benign, they may also indicate earlier attempts to exploit vulnerabilities against his device.
Failed exploits, especially kernel-level ones, will result in higher system instability. I'm aware of at least one company (ZecOps) that specializes in detecting exploitations using crash analysis.
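The crash-frequency heuristic in the reply above, as an added example (not code from the thread, the Citizen Lab report, or ZecOps): count kernel panic reports per month and flag months that stand out against the device's own baseline. The panic-report file naming and the threshold rule are assumptions.

```python
"""
Count kernel panic reports per month and flag months with an unusual spike.

Assumptions (constructed for this example, not taken from any report):
  * Panic reports are identified by file name, in the style of the .ips files
    found in an iOS sysdiagnose, e.g. "panic-full-2020-03-12-101523.ips".
  * The anomaly rule (a month is suspicious if it is at or above an absolute
    floor AND exceeds the median monthly count by more than a margin) is a
    simple heuristic, not anyone's published detection method.
"""
import re
import statistics
from collections import Counter

PANIC_NAME = re.compile(r"^panic-(?:full|base)-(\d{4})-(\d{2})-(\d{2})-\d{6}\.ips$")


def month_counts(filenames):
    """Map 'YYYY-MM' -> number of panic reports seen in that month."""
    counts = Counter()
    for name in filenames:
        m = PANIC_NAME.match(name)
        if m:  # non-panic reports (Jetsam events, app crashes) are ignored
            counts[f"{m.group(1)}-{m.group(2)}"] += 1
    return counts


def flag_panic_spikes(filenames, min_panics=3, margin=2):
    """Return months whose panic count is anomalously high for this device.

    The absolute floor keeps a single benign crash from being flagged; the
    margin over the median compares each month to the device's own history
    rather than to a fixed global number.
    """
    counts = month_counts(filenames)
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return sorted(m for m, c in counts.items()
                  if c >= min_panics and c - baseline > margin)


# Constructed sample: file names as they might appear in an extracted sysdiagnose.
SAMPLE_REPORTS = [
    "panic-full-2019-11-03-081512.ips",
    "panic-full-2020-01-14-101523.ips",
    "panic-full-2020-01-14-101907.ips",
    "panic-full-2020-01-15-233001.ips",
    "panic-full-2020-01-21-071144.ips",
    "panic-full-2020-02-02-120000.ips",
    "panic-base-2020-04-09-154433.ips",
    "panic-full-2020-04-09-154501.ips",
    "panic-full-2020-04-10-020101.ips",
    "panic-full-2020-04-11-183030.ips",
    "panic-full-2020-04-12-064545.ips",
    "panic-full-2020-06-30-220000.ips",
    "JetsamEvent-2020-04-09-153000.ips",  # memory-pressure kill, not a panic
]

if __name__ == "__main__":
    for month, n in sorted(month_counts(SAMPLE_REPORTS).items()):
        print(f"{month}: {n} panic report(s)")
    print("months to investigate:", flag_panic_spikes(SAMPLE_REPORTS))
```

A flagged month is a lead, not a verdict: the reply above notes that some panics are benign, so the next step is reading the individual reports for the panicking process and fault address.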
NSO Group will lose a lot of business when authoritarian countries wake up and realize they can simply force Apple to migrate user data into servers they own in exchange for market access.
People sometimes say that Linux-based OSes largely lack malware because they're unpopular, but I would argue that it's also because they're so different from each other. Even if the user wants to install your binary, it's hard to make it work on both Red Hat and Alpine; if they don't want it, it's even harder. A contrast to this is the extreme monoculture in "mobile OSes" and iOS in particular, where even the IM app is more or less dictated by a single small group of people.
Apple needs to do a serious architecture review of how its own apps work. It's clearly unacceptable that their own apps are not sandboxed to the same level as everything else. If it's not possible to implement all of iMessage with the public APIs then they need to find a way to expose those private APIs publicly in a safe way.
iMessage and FaceTime have been a constant source of exploits.
Journalists as messengers have always been targeted, and even killed, and it seems that Apple’s messaging system was the attack vector here.
While the article decries NSO being nefarious and selling to suspect “authoritarian” countries, high schools here in our democratic US have been buying hacking solutions to spy on students:
It's hard to weigh the aggregate harm of doing something slightly bad at massive scale against the aggregate harm of doing something very bad to a small group. Both are pretty bad, and we should be vocal about both.
Ethical AI are rules of engagement for honest brokers. Having honestly intentioned people not have hidden badness in their products is still important even if other dishonest people do bad things.
"Journalists"? More like Islamist propagandists on the payroll of the Qatari regime and the Iranian intelligence seeking to spread instability and fan discontent among Shia minorities in the Gulf Arab countries. Not that the Gulf monarchies are angels but it's funny seeing people in the Western countries naively cover up for Islamist radicals (like Khashoggi) who like to posture all liberal and democratic until their Muslim brotherhood friends win the elections and institute an Islamist theocracy. Truly, Lenin was right when he said (apocryphally) that "our enemies will sell us the rope which we will hang them with".
saagarjha|5 years ago
bjourne|5 years ago
mike_d|5 years ago
ThePadawan|5 years ago
...Is ethics taught in any CS curriculum?
It sure wasn't in mine (but to be fair, that was in Switzerland).
salmon|5 years ago
----
[0] https://en.wikipedia.org/wiki/Unit_8200
[1] https://en.wikipedia.org/wiki/Unit_8200#Companies_founded_by...
secfirstmd|5 years ago
keyme|5 years ago
rapsey|5 years ago
ipv6ipv4|5 years ago
bzb6|5 years ago
AsyncAwait|5 years ago
TruthHurts44|5 years ago
[deleted]
unknown|5 years ago
[deleted]
cheaprentalyeti|5 years ago
ketamine__|5 years ago
I hope more organizations do this.
https://arstechnica.com/information-technology/2019/10/faceb...
goatsi|5 years ago
JudasGoat|5 years ago
luch|5 years ago
That being said, attackers are reaaaaaally interested in getting access to internal bug trackers: https://grahamcluley.com/microsoft-bug-tracking-hack/
Mandatum|5 years ago
sam1r|5 years ago
Impossible to track in-person knowledge exchange, so code wouldn’t really be the culprit IMO.
jlgaddis|5 years ago
If one were sufficiently motivated and planned ahead, you could almost consider it as a future "insurance policy" of sorts.
MeinBlutIstBlau|5 years ago
chillacy|5 years ago
marcan_42|5 years ago
lawnchair_larry|5 years ago
ignoramous|5 years ago
[0] https://github.com/KasperskyLab/tinycheck
[1] https://trackercontrol.org/
[2] https://guardianapp.com/
darksaints|5 years ago
jlgaddis|5 years ago
harish5p|5 years ago
https://blokada.org/
vasuki|5 years ago
aarchi|5 years ago
saagarjha|5 years ago
Plutoberth|5 years ago
alternatetwo|5 years ago
AnHonestComment|5 years ago
[deleted]
SheinhardtWigCo|5 years ago
swiley|5 years ago
dannyw|5 years ago
I seem to hear a lot about iOS 0days and not so much about pixel 0days.
pcbro141|5 years ago
canofbars|5 years ago
Stierlitz|5 years ago
Why isn't there a hardware switch on phones that renders the OS read-only during normal use?
1cvmask|5 years ago
https://gizmodo.com/u-s-schools-are-buying-phone-hacking-tec...
mandeepj|5 years ago
unknown|5 years ago
[deleted]
phnofive|5 years ago
worker767424|5 years ago
compycom|5 years ago
oh_sigh|5 years ago
PostThisTooFast|5 years ago
[deleted]
toaway|5 years ago