科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender

1055 points, by dropalltables, almost 9 years ago

33 comments

linkregister, almost 9 years ago
Amazing work by Lookout and Citizen Lab.

Until this point I was not aware that Lookout provided any value-add for mobile devices. I was under the impression it was the McAfee of mobile.

It sounds mean but this is the first reference to actual vulnerability discovery done by themselves on their blog, which usually reports on security updates that Google's Android security team discovered. Previous entries include such gems as "Now available: The Practical Guide to Enterprise Mobile Security" and "Insights from Gartner: When and How to Go Beyond EMM to Ensure Secure Enterprise Mobility."

I can't wait to see more great work. Lookout is now on my radar.
toufka, almost 9 years ago
There is a frustration, as a user, that as the value of the iOS exploits increases, they become more and more 'underground'. The time between OS release and public jailbreak is continually growing - and it doesn't seem to only be due to the hardening of the OS. People are selling their exploits rather than releasing them publicly. And the further underground they go, the more likely they will be utilized for nefarious purposes rather than allowing me to edit my own HOSTS file. The most recent iOS jailbreak (to be able to gain root access to *my* iPhone) lasted less than a month before Apple stopped signing the old OS. Yet it's clear this (new) quick action on Apple's part does not (yet?) stop persistent state-sponsored adversaries.

It is more and more clear that to accept Apple's security (which seems to be getting better, but obviously still insufficient) I must also accept Apple's commercial limitations to the use of a device I own. And I suppose that the dividing line between the ability to exploit a vulnerability and to 'have control' is a sliding scale for every user: one man's 'obvious' kernel exploit is another man's 'obvious' phishing scam.

It is not a new tension, but it does seem the stakes on both sides are getting higher and higher - total submission to an onerous EULA vs total exploitable knowledge about me and my device. Both sides seem to have forced each other to introduce the concept of 'total' to those stakes, and that is frustrating. More so when it's not yet clear which threat is greater.
guelo, almost 9 years ago
NSO sells tools that when used violate the CFAA act. It is an Israeli company but a majority share was bought by a San Francisco based VC [0]. It doesn't seem like it should be legally allowed to exist as an American owned company. Maybe Ahmed Mansoor could sue the VC in American courts.

[0] http://jewishbusinessnews.com/2014/03/19/francisco-partners-acuires-israeli-intelligence-cyber-tracking-developer-start-up-nso-for-120-million/
0x0, almost 9 years ago
An untethered stealth jailbreak that installs without user interaction from a webview, that's almost as bad as it gets. And for iOS 7.0.0 - 9.3.4 inclusive. And with exfiltration of audio, video, WhatsApp, Viber, etc etc. So thorough and so bad :-/
micaksica, almost 9 years ago
The UAE really hates on activists, and appears to be hiring a bunch of people specifically to suppress activists/dissidents within the country. [1] Unfortunately, due to the amount of wealth the country has, it won't stop almost anybody from dealing with them unless Western sanctions are placed on the country, which are unlikely given the current geopolitical situation.

[1] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/
hackuser, almost 9 years ago
Should exploits like this be treated as munitions, with sale to foreign governments restricted? Or any sale at all restricted? Some thoughts:

* The only uses for the exploits are either illegal or by government security organizations
* I don't think you can just make an explosive and sell it to a foreign government; I think there are strict export controls (though I know very few details, I only read about companies applying, getting approval, etc.).
* In the 1990s, strong encryption was called a 'munition' and export was restricted. That turned out to be impractical (it was available in many countries and the Internet has no borders), morally questionable (restricting private citizens' privacy), and it fell apart.

While I believe in liberty and freedom-to-tinker, as I said, this stuff has no legitimate use.
bkmintie, almost 9 years ago
Vice has a nice writeup on the exploits as well: https://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group
Miner49er, almost 9 years ago
This vulnerability sounds like this:

https://www.zerodium.com/ios9.html

It was claimed November of last year. I wouldn't be surprised if this "Trident" was sold by Zerodium. Glad it's patched.

Edit:

I just saw the Citizen Lab article on this:

https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

They mention the Zerodium bounty as well.
epistasis, almost 9 years ago
Not having heard about NSO Group before, they've been claiming to have this ability since 2014:

http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-startup-hack-your-phone/

What other 0-days do they have in their pockets?
jtchang, almost 9 years ago
The article mentions how this may have been used all the way back in iOS 7 which is crazy.

If you are being targeted for surveillance, smartphones are a very bad idea depending on your adversary. A cheap phone that is refreshed regularly will probably be your best bet.
gergles, almost 9 years ago
Here are the full technical details: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
dropalltables, almost 9 years ago
Make sure to update to 9.3.5 on all of your iOS devices ASAP!
timeal, almost 9 years ago
You can be sure that this vulnerability was probably discovered by some researcher, then sold to grey markets like https://www.zerodium.com or https://www.exodusintel.com/ (they pay up to $1 million for a high-profile iOS exploit), who then resold it to some government who is now trying to exploit this dude's phone...
driverdan, almost 9 years ago
To people who work for companies that sell / invest in products that are used in unethical ways (Francisco Partners, NSO, Cisco, etc), how do you justify it to yourself?
scosman, almost 9 years ago
Does anyone know if the iOS 10 developer beta 7 (public beta 6) got this patch, or are we vulnerable?
firloop, almost 9 years ago
Apple made its bug bounty program public a few weeks ago and the past few iOS updates have all been patching security vulns. It could be a coincidence, but from an outsider's point of view, it looks like the program is working.
artursapek, almost 9 years ago
Will 9.3.5 disable/remove the spyware on infected phones? Or does it just prevent one from becoming infected?
walrus01, almost 9 years ago
This is a REALLY, REALLY good reason why "activists" of any variety should be trained in how to acquire an old Thinkpad and install Debian on it (plus a reasonable xorg/XFCE4 desktop environment). If you're dealing with authoritarian regimes you can do a lot to reduce your attack surface. However at the end it all comes down to rubber hose cryptography. If your government, for example Bahrain, decides to detain and torture you, you're pretty much fucked.
SanPilot, almost 9 years ago
I'm a beginner when it comes to software development (mostly web development), but it seems to me that the majority of complex exploits like this involve some type of memory overflow and subsequent code execution.

Shouldn't there be methods for detecting these kinds of things in source code, or more priority given to preventing it in the C/low-level community?
Osmium, almost 9 years ago
Aside, but does anybody else find the switch from right-to-left to left-to-right really jarring in this screenshot?

https://citizenlab.org/wp-content/uploads/2016/08/image13-768x706.jpg

It has the effect of introducing a line-break into the middle of a line, rather than at either end. I've never encountered this before and it took my brain a few seconds to catch on.

I'd be really curious how native bilingual readers of both a right-to-left and left-to-right language would read that. Does it look natural? Where do your eyes go first?
e28eta, almost 9 years ago
I thought it was interesting that they're using Cydia Substrate to hook into specific third-party apps for monitoring.

I wonder if we'll ever see privacy conscious apps using some sort of obfuscation. So that every time you update your app, the attacker will have to reverse-engineer the symbol names again.

It seems like a compile or link time tool could find method call & selector references. As long as your app isn't calling methods using strings, or doing something else tricky, I think it could work.

Or you could just write the app in Swift. It's the Objective-C runtime that makes it so easy to intercept method calls.
eggy, almost 9 years ago
Unless you are a high-value target, Apple's security seems fairly sufficient for normal use (I have Android ;)). Companies like NSO Group that state that they play both sides without any moral compass seem like a great target for Anonymous or others. Imagine the client list, and banking information as a trail to blaze!
Jerry2, almost 9 years ago
How does one monitor the infection of an iOS device, and how do you capture and store all the stages of an infection?

I've never done any reverse engineering so I'm not sure how you'd go about recording what an infection like this does to your device...
matt_wulfeck, almost 9 years ago
He wasn't hacked, he was being "lawfully intercepted"!

Just kidding. The difference here is that a government doesn't want to do things such as provide reasonable suspicion or go publicly in front of a judge.
maglavaitss, almost 9 years ago
So, basically three things to notice:

1. never click on links in e-mails.
2. if you're targeted by a nation state, you're screwed.
3. everybody is vulnerable to rubber-hose cryptography.
Tepix, almost 9 years ago
It's curious that Signal was missing in their list of apps that can be intercepted. Are the targets not using it? Or was it just not mentioned?
metafunctor, almost 9 years ago
Is there any way to check if an iOS device has Pegasus installed, without installing and registering for the Lookout app?
abecedarius, almost 9 years ago
I have an iPad 1 which long ago was left behind by upgrades. It'd be nice to know when the vulnerabilities were *introduced* too. Should I stop doing anything networked with it?
dboreham, almost 9 years ago
"we did not have an iPhone 6 available for testing"

Big budget operation!
chenster, almost 9 years ago
I think NSA is trying to acquire them.
okket, almost 9 years ago
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

> Alarmingly, some of the names suggested a willingness on the part of the operators to impersonate governments and international organizations. For example, we found two domain names that appear intended to masquerade as an official site of the International Committee of the Red Cross (ICRC): icrcworld.com and redcrossworld.com.
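The two impersonation domains quoted from the Citizen Lab report are the only concrete indicators this thread names, and metafunctor's question above (checking a device without the Lookout app) is really a question about indicator matching. The following is an added example for this thread, not code from Citizen Lab, Lookout, NSO or any commenter: it pulls hostnames out of SMS bodies or DNS query-log lines and matches them against those two domains, treating subdomains as hits while rejecting look-alikes such as notredcrossworld.com. The indicator list holds only the two page-quoted domains, and every sample line is constructed for the example; a real triage would load the full indicator set from the published report.

```python
"""Match hostnames in captured messages or DNS logs against the two
NSO/Pegasus lure domains quoted from the Citizen Lab report.

Added example for this thread, not code from Citizen Lab or Lookout.
INDICATORS holds only the two domains the quoted text names; the
SAMPLE_LINES below are constructed, not captured traffic.
"""
from __future__ import annotations

import re

# Indicators taken from the quoted Citizen Lab text. Anything beyond
# these two would be an assumption, so the list stays this short.
INDICATORS = frozenset({"icrcworld.com", "redcrossworld.com"})

# Hostname finder: optional scheme, then dot-separated DNS labels.
# Stops at "/", whitespace or any other non-label character, so it
# works on SMS bodies ("... https://host/path") and DNS log lines.
_HOST_RE = re.compile(
    r"(?:https?://)?"
    r"([a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)",
    re.IGNORECASE,
)


def hostnames(text: str) -> list[str]:
    """Return every hostname-looking token in text, lower-cased."""
    return [m.group(1).lower().rstrip(".") for m in _HOST_RE.finditer(text)]


def matches_indicator(host: str) -> str | None:
    """Return the indicator that host equals or is a subdomain of, else None.

    The "." + indicator suffix check is what keeps look-alikes such as
    notredcrossworld.com from matching redcrossworld.com.
    """
    host = host.lower().rstrip(".")
    for ind in INDICATORS:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def scan(lines) -> list[tuple[int, str, str]]:
    """Return (line_no, host, indicator) for each hit in an iterable of lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hostnames(line):
            ind = matches_indicator(host)
            if ind:
                hits.append((n, host, ind))
    return hits


# Constructed sample input: one SMS-style lure, one DNS query log line,
# one look-alike that must not match, one benign update notice.
SAMPLE_LINES = [
    "Urgent: ICRC update on detainees https://www.icrcworld.com/report?id=7",
    "2016-08-25T10:02:11Z query A redcrossworld.com from 10.0.0.12",
    "2016-08-25T10:02:12Z query A notredcrossworld.com from 10.0.0.12",
    "Software update available: iOS 9.3.5 https://support.apple.com/",
]


if __name__ == "__main__":
    for n, host, ind in scan(SAMPLE_LINES):
        print(f"line {n}: {host} matches indicator {ind}")
```

Run it as a script to see the two hits; feed `scan()` the lines of an exported SMS database or a resolver log for real input. The version string 9.3.5 and the IP address are picked up as hostname-shaped tokens, which is harmless because only suffix matches against the indicator set are reported.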
landr0id, almost 9 years ago
This is off-topic but at first I thought I was on a Spotify blog page. Lookout has *very* similar branding.
themihai, almost 9 years ago
> Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.

The story is great but I really doubt this. I'm wondering what made him suspect the link? Does he send all the links he receives to Citizen Lab?