
from the helping-authorized-governments-combat-terror-and-crime dept.
The Citizen Lab found that the iPhones of dozens of journalists were hacked using an invisible zero-day zero-click exploit in iMessage.
The Great iPwn -- Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit:
Summary & Key Findings
- In July and August 2020, government operatives used NSO Group's Pegasus spyware to hack 36 phones belonging to journalists and employees at Al Jazeera. The phone of a journalist at London-based Al Araby TV was also hacked.
- The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple's then-latest iPhone 11.
- Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.
- The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.
- We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system.
- Given the global reach of NSO Group's customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit.
There are other findings which are then followed by an in-depth analysis of a few infections. The story concludes with an admonition to "Update your iOS Device Immediately":
We have seen no evidence that the KISMET exploit still functions on iOS 14 and above, although we are basing our observations on a finite sample of observed devices. Apple made many new security improvements with iOS 14 and we suspect that these changes blocked the exploit. Although we believe that NSO Group is constantly working to develop new vectors of infection, if you own an Apple iOS device you should immediately update to iOS 14. Click here for instructions.
Related Stories
Messaging app said it had 'high confidence' some users were targeted and 'possibly compromised' by Paragon Solutions spyware:
Nearly 100 journalists and other members of civil society using WhatsApp, the popular messaging app owned by Meta, were targeted by spyware owned by Paragon Solutions, an Israeli maker of hacking software, the company alleged on Friday.
The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had "high confidence" that the 90 users in question had been targeted and "possibly compromised".
It is not clear who was behind the attack. Like other spyware makers, Paragon's hacking software is used by government clients and WhatsApp said it had not been able to identify the clients who ordered the alleged attacks.
Experts said the targeting was a "zero-click" attack, which means targets would not have had to click on any malicious links to be infected.
[...] WhatsApp said it had sent Paragon a "cease and desist" letter and that it was exploring its legal options. WhatsApp said the alleged attacks had been disrupted in December and that it was not clear how long the targets may have been under threat.
Originally spotted on Schneier on Security.
Related:
- Journalist Sues Predator Spyware Maker for Allegedly Helping Government Surveil Him
- Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses
- The Great iPwn -- Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit
Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses
Data leaked to a consortium of news organizations suggests that several countries use Pegasus, a powerful cyberespionage tool, to spy on rights activists, dissidents and journalists.
A major Israeli cyber-surveillance company, NSO Group, came under heightened scrutiny Sunday after an international alliance of news outlets reported that governments used its software to target journalists, dissidents and opposition politicians.
The Israeli government also faced renewed international pressure for allowing the company to do business with authoritarian regimes that use the spyware for purposes that go far afield of the company's stated aim: targeting terrorists and criminals.
[...] The allegations may escalate concerns that the Israeli government has abetted government abuses by granting NSO an export license to sell software to countries that use it to suppress dissent.
The accounts, published by The Washington Post and an alliance of 16 other international news outlets, follow recent reporting by The [New York] Times that Israel permitted NSO to do business with Saudi Arabia, and encouraged it to keep doing so even after the Saudi government was implicated in the 2018 assassination of a Saudi journalist and dissident, Jamal Khashoggi.
Pegasus: The new global weapon for silencing journalists
Also at Business Insider, The Hill, The Verge, and Al Jazeera.
Related: Israeli Firm NSO Linked to WhatsApp Hack, Faces Lawsuit Backed by Amnesty International
Saudi Crown Prince's WhatsApp Account Reportedly Used to Hack Jeff Bezos
The Great iPwn -- Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit
The U.S. Blacklists Makers of Cops' Favorite iPhone Hacking Tool:
NSO Group, an Israeli surveillance firm whose spyware has been peddled to authoritarian governments around the world, has been sanctioned by the U.S. Commerce Department. The new restrictions, which the agency announced in a press release Wednesday, will limit the degree to which American companies can provide parts or services to NSO—a decision that could seriously hobble the vendor's business.
NSO is best known for its commercial malware "Pegasus," a product that can infiltrate smartphones and silently pilfer their contents—from text messages to voice calls to photos. The company also sells a creepy "zero-click" exploit, the likes of which apparently requires no phishing and is said to take advantage of security flaws inherent in iPhones and Android devices to compromise them. In September, it was reported that some 1.65 billion Apple devices had been vulnerable to NSO's malware for a period of several months.
See also: US Cuts Off Pegasus Developer: What You Need To Know About This Spyware
Previously: Israeli Firm NSO Linked to WhatsApp Hack, Faces Lawsuit Backed by Amnesty International
Saudi Crown Prince's WhatsApp Account Reportedly Used to Hack Jeff Bezos
The Great iPwn -- Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit
Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses
(Score: 4, Funny) by Username on Tuesday December 22 2020, @01:05AM (2 children)
Isn't the point of journalism to disseminate information? This would just help journalists.
(Score: 2) by PartTimeZombie on Tuesday December 22 2020, @01:19AM (1 child)
Funny? OK, Funny.
Seriously though, imagine working for the NSO Group knowing what your clients do to people they don't like.
(Score: 0) by Anonymous Coward on Tuesday December 22 2020, @10:06AM
-- an older movie whose name slipped my mind.
(Score: 0) by Anonymous Coward on Tuesday December 22 2020, @02:48AM (2 children)
We can't trust the news or the government. What's one to do.
(Score: 3, Touché) by leon_the_cat on Tuesday December 22 2020, @06:54AM (1 child)
Information is power and all the largest news feeds will be co-opted by the powers that be to serve their agenda. What you can do is go to fact-checkers. Obviously these same people will work this out and decide to disseminate propaganda via fact-checkers so then you need to go to fact-checkers' fact-checkers. Before you actually manage this someone will already have co-opted and propagandized that level so you will need to go to fact-checkers x3 and well you can probably guess what happens at this point. Anyway, I'm off to watch some watchers.
(Score: 2) by pdfernhout on Wednesday December 23 2020, @04:18PM
... on fact-checkers etc., probably (?) not knowing JP Sears is a well-known satirist: https://twitter.com/Wordofbeak/status/1340661548914765824 [twitter.com]
The biggest challenge of the 21st century: the irony of technologies of abundance used by scarcity-minded people.
(Score: 0) by Anonymous Coward on Tuesday December 22 2020, @06:55AM (1 child)
I remember a time when phones, watches, and cars didn't require constant software updates, because at that time they didn't incorporate computer chips. Which is not to say they were necessarily more secure back in the good old days... Voice was transmitted through the telephone exchange in the clear and anyone there could listen in, but that may still be the case for some voice applications of course, even with encryption for some parts of the journey, but it's now easier for something to silently redirect packets to another jurisdiction without you knowing. Watches were electromechanical, but then we didn't expect as much from them, e.g. we didn't expect them to have access to our calendar and text messages and phone book and we didn't expect them to monitor our hearts or blood oxygen levels, so I guess increased functionality demands computerisation and some of those functions require access to the phone or network, so it doesn't seem like we can go back easily. As for cars, the convergence of smart engine tech, entertainment, navigation, plus the whole back to base transmission of data being just so fashionable these days, I can't see us easily ridding ourselves of that attack surface either.
(Score: 2) by pdfernhout on Wednesday December 23 2020, @04:12PM
https://www.amazon.com/Retrotopia-John-Michael-Greer-ebook/dp/B01MXUDLTH/ [amazon.com]
"The year is 2065. Decades ago, the United States of America fell apart after four brutal years of civil war, and the fragments coalesced into new nations divided by economic and political rivalries. Most of the post-US America is wracked by poverty and civil strife, with high-tech skyscrapers rising above crowded, starving slums—but one of the new nations, the Lakeland Republic of the upper Midwest, has gone its own way, isolated from the rest by closed frontiers and trade embargoes. Now Peter Carr, an emissary from the newly elected administration in the Atlantic Republic, boards a train to cross the recently reopened border into Lakeland territory on a mission that could decide the fate of his nation. Ahead of him lies a cascade of experiences that will challenge his most basic assumptions about economics, politics, and the direction history is moving. Alone among the post-USA republics of North America, the Lakeland Republic has achieved prosperity and internal peace, and it’s done so by modeling its future…on the past."
One key point in the book is that electronic communications simply could not be made secure in the face of a military attack...
Or, related by me, on a tangential point for activists:
"Why Encryption Use Is Problematical When Advocating For Social Change"
https://pdfernhout.net/why-encryption-use-is-problematical-when-advocating-for-social-change.html [pdfernhout.net]
"I believe decentralized knowledge sharing is important, especially for disaster preparedness. I also believe encryption is important in practice, the same way as many people have locks on their doors. Such things do affect a balance between state power and individual power, which is important in a democracy, and they also make it harder for vandals and criminals to operate. So, a project like Briar that supports decentralized communications and encryption is important for those and other reasons. Still, as my father (a machinist among other things) used to say, "Locks only keep honest people honest." Here is a partial list of all the ways a tool like Briar can fail when being used by activists engaged in controversial political actions. ...
If you work in public, you don't have to fear loss of secure communications because you never structure your movement to rely on them. If you rely on "secure" communications, then you may set yourself up to fail when such communications are compromised. If your point is to build a mass movement, then where should your focus be? ..."
The biggest challenge of the 21st century: the irony of technologies of abundance used by scarcity-minded people.