Amazing work by Lookout and Citizen Lab.<p>Until this point I was not aware that Lookout provided any value-add for mobile devices. I was under the impression it was the McAfee of mobile.<p>It sounds mean but this is the first reference to actual vulnerability discovery done by themselves on their blog, which usually reports on security updates that Google's Android security team discovered. Previous entries include such gems as "Now available: The Practical Guide to Enterprise Mobile Security" and "Insights from Gartner: When and How to Go Beyond EMM to Ensure Secure Enterprise Mobility."<p>I can't wait to see more great work. Lookout is now on my radar.
There is a frustration, as a user, that as the value of the iOS exploits increases, they become more and more 'underground'. The time between OS release and public jailbreak is continually growing - and it doesn't seem to only be due to the hardening of the OS. People are selling their exploits rather than releasing them publicly. And the further underground they go, the more likely they will be utilized for nefarious purposes rather than allowing me to edit my own HOSTS file. The most recent iOS jailbreak (to be able to gain root access to <i>my</i> iPhone) lasted less than a month before Apple stopped signing the old OS. Yet it's clear this (new) quick action on Apple's part does not (yet?) stop persistent state-sponsored adversaries.<p>It is more and more clear that to accept Apple's security (which seems to be getting better, but obviously still insufficient) I must also accept Apple's commercial limitations to the use of a device I own. And I suppose that the dividing line between the ability to exploit a vulnerability and to 'have control' is a sliding scale for every user: one man's 'obvious' kernel exploit is another man's 'obvious' phishing scam.<p>It is not a new tension, but it does seem the stakes on both sides are getting higher and higher - total submission to an onerous EULA vs total exploitable knowledge about me and my device. Both sides seem to have forced each other to introduce the concept of 'total' to those stakes, and that is frustrating. More so when it's not yet clear which threat is greater.
NSO sells tools that when used violate the CFAA act. It is an Israeli company but a majority share was bought by a San Francisco based VC [0]. It doesn't seem like it should be legally allowed to exist as an American owned company. Maybe Ahmed Mansoor could sue the VC in American courts.<p>[0] <a href="http://jewishbusinessnews.com/2014/03/19/francisco-partners-acuires-israeli-intelligence-cyber-tracking-developer-start-up-nso-for-120-million/" rel="nofollow">http://jewishbusinessnews.com/2014/03/19/francisco-partners-...</a>
An untethered stealth jailbreak that installs without user interaction from a webview, that's almost as bad as it gets. And for iOS 7.0.0 - 9.3.4 inclusive. And with exfiltration of audio, video, whatsapp, viber, etc etc. So thorough and so bad :-/
The UAE really hates on activists, and appears to be hiring a bunch of people specifically to suppress activists/dissidents within the country. [1] Unfortunately, due to the amount of wealth the country has, it won't stop almost anybody from dealing with them unless Western sanctions are placed on the country, which are unlikely given the current geopolitical situation.<p><a href="https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/" rel="nofollow">https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Em...</a>
Should exploits like this be treated as munitions, with sale to foreign governments restricted? Or any sale at all restricted? Some thoughts:<p>* The only uses for the exploits are either illegal or by government security organizations<p>* I don't think you can just make an explosive and sell it to a foreign government; I think there are strict export controls (though I know very few details, I only read about companies applying, getting approval, etc.).<p>* In the 1990s, strong encryption was called a 'munition' and export was restricted. That turned out to be impractical (it was available in many countries and the Internet has no borders), morally questionable (restricting private citizens' privacy), and it fell apart.<p>While I believe in liberty and freedom-to-tinker, as I said, this stuff has no legitimate use.
Vice has a nice writeup on the exploits as well:
<a href="https://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group" rel="nofollow">https://motherboard.vice.com/read/government-hackers-iphone-...</a>
This vulnerability sounds like this:<p><a href="https://www.zerodium.com/ios9.html" rel="nofollow">https://www.zerodium.com/ios9.html</a><p>It was claimed November of last year. I wouldn't be surprised if this "Trident" was sold by Zerodium. Glad it's patched.<p>Edit:<p>I just saw the Citizen Lab article on this:<p><a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" rel="nofollow">https://citizenlab.org/2016/08/million-dollar-dissident-ipho...</a><p>They mention the Zerodium bounty as well.
Not having heard about NSO Group before, they've been claiming to have this ability since 2014:<p><a href="http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-startup-hack-your-phone/" rel="nofollow">http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-star...</a><p>What other 0-days do they have in their pockets?
The article mentions how this may have been used all the way back in iOS 7, which is crazy.<p>If you are being targeted for surveillance, smartphones are a very bad idea depending on your adversary. A cheap phone that is refreshed regularly will probably be your best bet.
Here are the full technical details: <a href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" rel="nofollow">https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...</a>
You can be sure that this vulnerability was probably discovered by some researcher, then sold to grey markets like <a href="https://www.zerodium.com" rel="nofollow">https://www.zerodium.com</a> or <a href="https://www.exodusintel.com/" rel="nofollow">https://www.exodusintel.com/</a> (they pay up to $1 million for a high-profile iOS exploit), who then resold it to some government who is now trying to exploit this dude's phone...
To people who work for companies that sell / invest in products that are used in unethical ways (Francisco Partners, NSO, Cisco, etc), how do you justify it to yourself?
Apple made its bug bounty program public a few weeks ago and the past few iOS updates have all been patching security vulns. It could be a coincidence, but from an outsider's point of view, it looks like the program is working.
This is a REALLY, REALLY good reason why "activists" of any variety should be trained in how to acquire an old Thinkpad and install Debian on it (plus a reasonable xorg/XFCE4 desktop environment). If you're dealing with authoritarian regimes you can do a lot to reduce your attack surface. However, in the end it all comes down to rubber hose cryptography. If your government, for example Bahrain, decides to detain and torture you, you're pretty much fucked.
I'm a beginner when it comes to software development (mostly web development), but it seems to me that the majority of complex exploits like this involve some type of memory overflow and subsequent code execution.<p>Shouldn't there be methods for detecting these kinds of things in source code or more priority given to preventing it in the C/low-level community?
Aside, but does anybody else find the switch from right-to-left to left-to-right really jarring in this screenshot?<p><a href="https://citizenlab.org/wp-content/uploads/2016/08/image13-768x706.jpg" rel="nofollow">https://citizenlab.org/wp-content/uploads/2016/08/image13-76...</a><p>It has the effect of introducing a line-break into the middle of a line, rather than at either end. I've never encountered this before and it took my brain a few seconds to catch on.<p>I'd be really curious how native bilingual readers of both a right-to-left and left-to-right language would read that. Does it look natural? Where do your eyes go first?
I thought it was interesting that they're using Cydia Substrate to hook into specific third-party apps for monitoring.<p>I wonder if we'll ever see privacy conscious apps using some sort of obfuscation, so that every time you update your app, the attacker will have to reverse-engineer the symbol names again.<p>It seems like a compile or link time tool could find method call & selector references. As long as your app isn't calling methods using strings, or doing something else tricky, I think it could work.<p>Or you could just write the app in Swift. It's the Objective-C runtime that makes it so easy to intercept method calls.
Unless you are a high-value target, Apple's security seems fairly sufficient for normal use (I have Android ;)).
Companies like NSO Group that state that they play both sides without any moral compass seem like a great target for Anonymous or others. Imagine the client list, and banking information as a trail to blaze!
How does one monitor the infection of an iOS device and how do you capture and store all the stages of an infection?<p>I've never done any reverse engineering so I'm not sure how you'd go about recording what an infection like this does to your device...
He wasn't hacked, he was being "lawfully intercepted"!<p>Just kidding. The difference here is that a government doesn't want to do such things as provide reasonable suspicion or go publicly in front of a judge.
So, basically three things to notice:<p>1. never click on links in e-mails.
2. if you're targeted by a nation state, you're screwed.
3. everybody is vulnerable to rubber-hose cryptography.
I have an iPad 1 which long ago was left behind by upgrades. It'd be nice to know when the vulnerabilities were <i>introduced</i> too. Should I stop doing anything networked with it?
<a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" rel="nofollow">https://citizenlab.org/2016/08/million-dollar-dissident-ipho...</a><p><pre><code> > Alarmingly, some of the names suggested a willingness on
> the part of the operators to impersonate governments and
> international organizations. For example, we found two
> domain names that appear intended to masquerade as an
> official site of the International Committee of the Red
> Cross (ICRC): icrcworld.com and redcrossworld.com.</code></pre>
<< Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.<p>The story is great but I really doubt this. I'm wondering what made him suspect the link? Does he send all the links he receives to Citizen Lab?