NSO group iPhone zero-click, zero-day exploit captured in the wild

1446 points, by ericzawo, over 1 year ago

58 comments

black_puppydog, over 1 year ago
Wow, so much discussion of Apple and their software, and so little of NSO group and why they're even a thing.

I just want to add this: these people operate pretty much in the open. They're not ashamed of it either, or else they wouldn't put it on their CV:

https://www.linkedin.com/company/nso-group/people/

That right there tells me that we as "the tech community" are *way* too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place." /s
Obscurity4340, over 1 year ago
It's super interesting to me how much it's emphasized that you shouldn't use Lockdown Mode unless you are a journalist or otherwise in direct palpable danger. They really do try to talk you out of it. It's curious, because there's very little difference in functionality (as experienced by the user) other than disabling a lot of Apple nonsense from running in the background expanding your attack surface.

And everybody parrots the nonsense caveat that everyone shouldn't use it, only those special enough should, like it was a zero-sum game or scarce resource. Everyone should use it because it disables a lot of nonsense that doesn't serve you and probably even saves battery power. Also, the more people use it, the less it can be used to fingerprint specific users.
londons_explore, over 1 year ago
How many exploits has iMessage had now?

Isn't it time we made first messages from all new contacts plain text only, and all other messages some very restricted subset rather than some crazy extensible system that isn't so different from ActiveX?

And on top of that, maybe the whole app should run in a sandbox.

And on top of that, perhaps it should all be a webview to give one more layer of protection.
ruuda, over 1 year ago
Again a buffer overflow in image decoding, that sounds similar to the one from 2021 [1]. That one was wild, building a CPU out of primitives offered by an arcane image compression format embedded in PDF, to be able to do enough arithmetic to further escalate to arbitrary code execution!

[1]: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
MiguelHudnandez, over 1 year ago
These fixes came out today, apparently timed with the announcement; make sure updates are applied for you and yours.

https://support.apple.com/en-us/HT201222
ch4s3, over 1 year ago
Clearly putting the NSO group on the Commerce Department blacklist didn't go far enough. These scumbags belong in the Hague (metaphorically at least).
nickaflip, over 1 year ago
If you are curious about NSO Group, Pegasus, or Citizen Lab, the Darknet Diaries podcast (Episode 100) does a good job diving into the history.
kmos17, over 1 year ago
There needs to be a more fine-tuned lockdown mode, for example to disable automations and risks in iMessage and Safari but leave device accessories working. Losing Bluetooth accessories to protect yourself from zero-click iMessage exploits is just bad. iMessage is the major wide-open attack surface.
aborsy, over 1 year ago
I wonder if the lockdown mode would have prevented this attack?

Has an iPhone in the lockdown mode been hacked so far, using a zero-day vulnerability (not tricking the user to install a malicious program)?
dang, over 1 year ago
Related ongoing thread:

*iOS 16.6.1 fixes two vulnerabilities known to be actively exploited in the wild* - https://news.ycombinator.com/item?id=37423506 - Sept 2023 (7 comments)
goldinfra, over 1 year ago
I don't need to be able to accept iMessage messages from random numbers. I'd be happy to enable "Prevent messages from unknown numbers", for example. Is this possible?
KernelPanic, over 1 year ago
Here are several comments regarding rewriting everything in safer languages like Rust, among others. However, before such a transition can potentially take place, I believe it's more realistic to achieve another important goal: enabling robust logging capabilities, akin to the Endpoint Security Framework on macOS or System Events on Windows, for iOS. With the implementation of such tooling, enterprises could potentially integrate mobile endpoints into their SIEM systems, making it easier to detect attacks of this nature.

I've personally utilized the mvt-ios tool to investigate iPhone backups. Within these backups, there is a SQLite file that mvt-ios scans for potentially malicious process names. (I've examined all publicly available STIX2 IOCs, and having tooling that simply reports the names of processes from a mobile phone to a central SIEM would be adequate for identifying these attacks.) Unfortunately, this method cannot be used in real time across all devices. To employ it, one must first create a complete backup of the phone and then scrutinize that backup. If we had a tool similar to the Endpoint Security Framework available for mobile devices, we could activate enterprise-level security monitoring systems and potentially establish secure communications in the current era, rather than waiting for everything to be rewritten in Rust (a bit of irony).
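As an added illustration of the offline scan described in the comment above (example code written for this page, not mvt-ios's own code and not from the thread): it pulls process-name indicators out of a STIX2 bundle and matches them against a process table of the kind an iOS backup contains, in the same way a SIEM rule could match a process-name feed. The bundle, the indicator values and the process rows are all constructed placeholders; only the benign filler names are real iOS daemons.

```python
import json
import re
import sqlite3

# Constructed STIX2 bundle (placeholder ids and process names, not real IOCs).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed-ioc-1", "pattern_type": "stix",
         "pattern": "[process:name = 'exampled']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed-ioc-2", "pattern_type": "stix",
         "pattern": "[process:name = 'fakeproc' OR process:name = 'otherfake']"},
    ],
})

# Matches each process:name comparison inside a STIX pattern string.
PROC_RE = re.compile(r"process:name\s*=\s*'([^']+)'")


def load_process_iocs(bundle_json: str) -> dict:
    """Map every process name found in indicator patterns to its indicator name."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for name in PROC_RE.findall(obj.get("pattern", "")):
            iocs[name.lower()] = obj.get("name", obj["id"])
    return iocs


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the process table read from a backup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (timestamp TEXT, name TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?)", [
        ("2023-09-07T10:00:00Z", "SpringBoard"),   # benign filler
        ("2023-09-07T10:00:05Z", "mediaserverd"),  # benign filler
        ("2023-09-07T10:01:00Z", "fakeproc"),      # constructed hit
    ])
    return db


def scan_processes(db: sqlite3.Connection, iocs: dict) -> list:
    """Return (timestamp, process, indicator) for each process name matching an IOC."""
    hits = []
    for ts, name in db.execute("SELECT timestamp, name FROM processes"):
        indicator = iocs.get(name.lower())
        if indicator:
            hits.append((ts, name, indicator))
    return hits


if __name__ == "__main__":
    for hit in scan_processes(build_sample_db(), load_process_iocs(STIX_BUNDLE)):
        print("IOC match: %s ran %s (indicator %s)" % hit)
```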
nevi-me, over 1 year ago
I appreciate that a solution is for people to update immediately. It really makes me wonder if my Android phones over the years have had 1-days exploited by the sheer incompetence of the ecosystem in updating phones.

Not much confidence when you get an update with security patches from 2-3 months ago.
kbos87, over 1 year ago
Naive question: does Apple have any way of detecting and informing users who are current victims of these types of exploits when security fixes are issued?
envy2, over 1 year ago
Would be nice if either CitizenLab or Apple had published some IOCs...
sebstefan, over 1 year ago
An exploit like that is apparently worth $2 000 000 on Zerodium. https://zerodium.com/program.html

Kind of insane; the only higher you can get is finding the same on Android.
monkpit, over 1 year ago
This kind of thing always confuses me. How can anyone assume any machine is NOT compromised already... Like... ever?

You really have no way of knowing that a box is not owned as soon as it has connectivity (and possibly even before that).

I feel like many people have the idea that security is "these machines are good until we detect some intrusion".

But it seems like the more sane default is "every machine is compromised and I should never trust anything ever" if you take security seriously.

Maybe the latter is gaining popularity, but I still feel like the former ideology is pretty prominent.
eviks, over 1 year ago
Again iMessage? Would be nice if you could expel insecure components like that from your walled Apple paradise.
parhamn, over 1 year ago
> The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.

Man, iMessage is a security disaster for Apple. No matter how much work they do in other areas, it seems like they'll be paying for a while for their decisions around the iMessage architecture.
spacebacon, over 1 year ago
In addition to lockdown mode, pair with a VPN and security researcher Jeff Johnson's "Stop the Madness" and "Stop the Script". Both are paid Safari plugins for iOS. Stop the Script is the best way to stop inline JavaScript on iOS. Disabling JS on iPhone can't do that.
nnx, over 1 year ago
It's interesting that the latest Safari TP (r178) somehow crashes on macOS Ventura, with or without the patch, when reading HN comments on this specific article.

Is there a honeypot in a comment on this page? /paranoid
javajosh, over 1 year ago
I'm confused why they waited to patch this vulnerability until it was found in the wild. Or am I misunderstanding? Is this not the same NSO zero-click exploit from like a year ago?
arecurrence, over 1 year ago
We're all very lucky that CitizenLab exists, as they are often the first discovery point of numerous similar exploits. They proactively scan the phones of internationally sensitive people and publish their findings. I'm not aware of any other public service that has had this much success exposing mobile device attacks. Attacks which have completely and utterly compromised the entire device that someone keeps with them all day every day.

I tip my hat to CitizenLab and the good work they do.
10g1k, over 1 year ago
Question.

Back in the dark ages, a "zero day exploit" was a piece of malware which would lay in wait, doing nothing, counting down the days, until it hit day zero, and then it would trigger and do naughty things. Some folks also referred to this as a time bomb, but that was a less `|33+ term for it. We used to see a lot of these available on sites such as asta... never mind.

Fast forward to the era of "cyber" being hugely popular, and the massive flood of people doing short Kali or "Ethical Hacking" courses and getting into IT security jobs, and I see various formal IT security publications describing a zero day exploit as "ANYTHING which is known and not yet patched". To me, there is absolutely nothing about that description which relates to the "zero" or the "day" or the "zero day". I suspect this new terminology is the result of that influx of people with no background in either computer science or hacking, latching on to a cool-sounding term and misunderstanding it completely.

What is your take on this? Do you go with the ye olde terminology, or the currently accepted terminology in fancy publications? Do you believe the meaning changed, and if so, when and how and why?
bjornsing, over 1 year ago
Good to see NSO losing a valuable exploit chain. If this becomes common enough they'll think twice about (enabling) targeting legitimate civil society organizations, for purely economic reasons: the risk of detection and reporting of vulnerabilities is much higher than when targeting terrorists and criminals.
mariojv, over 1 year ago
I wonder if Apple has a mechanism for notifying people who were affected by the exploit after they update.
cowthulhu, over 1 year ago
Does anyone know to what extent this compromises the device? I might have missed it, but didn't see it explained in the article. Does the attacker get full access to the device, or do they only compromise a subset of the device's functionality?
redbell, over 1 year ago
> The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) *without any interaction from the victim.*

I'm, in no way, security savvy, but the above achievement must be a lot of work by the NSO group!
forcedmaddie, over 1 year ago
I worked for NSO and later at a very similar company in Barcelona. AMA
tornato7, over 1 year ago
I just received a random image of a champagne bottle via iMessage from an unknown number. Any way to tell if this is the attempted exploit? I had patched my phone prior to receiving the image.
rank0, over 1 year ago
These dudes are insane. I wonder how much exploits like this are worth...
jononomo, over 1 year ago
You can turn on lockdown mode on your iPhone and then specifically exclude certain apps and websites from being impacted by it. This seems like a reasonable middle ground for most people.
kramerger, over 1 year ago
> "Apple is aware of a report that this issue may have been actively exploited."

Wasn't this captured in the wild?? Then why the "may"?
pt_PT_guy, over 1 year ago
I always appreciate how NSO do incredible black hat security. Some of their exploits are true art. Props to their tech skills and creativity.
Obscurity4340, over 1 year ago
This is why you don't use your iPhone's keychain or iCloud keychain. These exploits give access to everything.
theshrike79, over 1 year ago
dupe of: https://news.ycombinator.com/item?id=37423506
sylware, over 1 year ago
Why are there still people who do not understand that when Big Tech talks "security", it is theirs against you, not yours?
piuantiderp, over 1 year ago
One can't help wondering if this kind of announcement is partly meant to cast lockdown mode in a positive light.
fortran77, over 1 year ago
How did the "Citizen Lab" connect this to the "NSO Group"? Is it just pure breathless speculation?
wyldfire, over 1 year ago
Wow, this sounds like Stagefright was way back when.

So for those keeping score, is Android now ahead of iOS in this aspect of security?
trog, over 1 year ago
Patches only out for Ventura. Any word on whether other versions like Monterey, Sonoma or iOS 17 are vulnerable?
udev, over 1 year ago
I don't understand Apple here.

Just put an army of people on fuzzing the shit out of iMessage and all its possible file attachments.

You tried and failed? Fire the bozo who led the effort. Try again.

You did not even try? Fire the C-level bozo who failed to see it coming and failed to approve such an effort.

But cynically, more and more it feels like some bugs have to stay unfixed, for NSA use, just that NSO is also getting in on the game.
mem0r1, over 1 year ago
I wonder why Apple does not include a hypervisor in iOS, so that "risky" processes such as iMessage and Safari (maybe a Secure Safari version) could then be executed in a separate virtual machine. The hardware (CPU + RAM) in the iPhones these days should be able to sustain it. Or would there be serious drawbacks to this?
abledon, over 1 year ago
My iPhone SE feels like the old Battlestar Galactica around these new phones.
RadixDLT, over 1 year ago
The NSO got their hands on the Vault 7 tools: https://wikileaks.org/ciav7p1/
agnosticmantis, over 1 year ago
I find it interesting that most comments here are blaming the victim (Apple's iMessage and by transitivity its users) rather than the aggressor (NSO and its users).

How come NSO isn't yet designated as a (cyber-)terrorist group worth hunting down and extinguishing?
illiac786, over 1 year ago
Does someone know why this isn't a Rapid Security Response?
xyst, over 1 year ago
For sensitive work, you've got to air-gap that device(s). For any communication, use burners (pre-paid phones) or meet IRL.
MuffinFlavored, over 1 year ago
How compromised are you if you are affected? Can they read token/cookie data from other apps (like banking)?
victorbjorklund, over 1 year ago
Was just wondering why my Mac wanted to update (since it felt like I updated it very recently).
m3kw9, over 1 year ago
I wonder if lockdown mode can block this exploit.
aihkas, over 1 year ago
Can't believe the whole Western world's governments and companies can't say or do anything to stop those murderous psychopaths.
pseudo0, over 1 year ago
Here we go again... NSO Group has a long history of 0-click 0-days against iMessage, and just a few months ago Kaspersky caught a different zero-day iMessage exploit targeting their staff.

If Apple repeatedly fails at securing their devices from an attack vector that has been demonstrated over, and over, and over... no wonder China is banning government officials from using their devices.
fuddle, over 1 year ago
For anyone interested in learning more about the NSO group, I'd recommend this podcast episode: https://darknetdiaries.com/episode/100/
bastard_op, over 1 year ago
So at what point does the world bring sanctions against Israel for allowing organizations like this to exist there? Everyone knows NSO is just a dubiously legal version of common APT groups, so how do they still exist after these years?
mathverse, over 1 year ago
The only thing preventing this would be grsec for iOS.
animitronix, over 1 year ago
Another day, another reason to be glad I don't have a single fucking Apple product in my house.
vinay_ys, over 1 year ago
I would expect them to get to iCloud via this attack chain even with Advanced Data Protection on. Which means if you are targeted, they not only get data from your iPhone but also all the data you backed up to iCloud from your other Apple devices. I suspect they would be able to compromise apps like 1Password through this. Which means all services whose password and 2FA are stored together in 1Password are compromised.

It is good to know lockdown mode stopped this attack chain.

Given this has happened so many times, the new security posture for a normal/regular security-conscious person should be:

1. Disable iMessage.

2. Enable lockdown mode.

3. Disable iCloud. (If you choose to keep iCloud enabled, definitely enable Advanced Data Protection and disable iCloud Web, disable passcodes and keychain on iCloud. Disable iCloud Mail; it uses third-party Proofpoint for scanning, which is more surface area for compromise.)

4. Don't store password and 2FA together in the same system like 1Password. Always use FIDO2 physical-key-based 2FA, if available.