22 December 2020

iPhone Security Problems in the Wild

State sponsored actors targeting journalists. Color me shocked. The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit - The Citizen Lab

First we cover the technology and the exploits.

NSO Group’s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses. [SNIP]

NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces.

WhatsApp was big in 2019 as a 'vector,' and iMessage was showing up lately because iMessage was not sandboxed like other apps. (It's our app! What could go wrong?) But then I think I read somewhere there are a number of Safari exploits that are similar.

As always the moral of the story is to upgrade to the newest version of the software. In this case that means version 14.something of iOS.

As for the attacks...

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

So repressive dictatorships are targeting journalists. And others probably, but the journalists are not so much interested in those others.

The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms.

Translation: Journalists don't know squat about security. And mostly don't want to know. But then you can probably say the same about bankers, FBI agents and a host of others. And the sad thing is that Snowden published a "How to" for journalists (I think) at one point.

And none of this touches on the spying that the likes of F*c*book do. Oh, and F*c*book and Twitter and all the rest want you to know that they are not really "spying." They are just collecting a whole bunch of data about you. But it is all good, because you agreed to that when you clicked "accept" on the terms and conditions.


  1. I guess my iPad that won't update past iOS 12.4 is a bad thing, then, right?

    No cell hookup, just on my WiFi at home. Never leaves my home. I might have used FaceTime on it within the last few years.

    1. Actually most of the exploits that are making the news today are all about iMessage zero-click zero-days.

      Someone sends you an iMessage message. You don't click on anything or even open it. Your iOS device is owned by the bad guy.

      There were a bunch of similar Safari exploits earlier in the year. You had to visit a website, but you didn't have to click on anything on that page. You just had to visit that page. This is why the ad-served malware is such a problem. The ads display something from the malicious page, and you are owned.

      Maybe Santa will bring you a new iPad. Or you can start saving your pennies.

      Alternatively, you could put it on a segregated network on your home WiFi. The "guest" network that most of the new routers support. A compromised anything (old iPad, IoT insanity, whatever) is a launching point for other malware.

      And last year there was a ransomware gang going after individual PCs and demanding $250 worth of bitcoin. Haven't heard much of them this year, but the big ransomware stories have been big. They might still be out there.
