
posted by janrinok on Sunday December 19 2021, @05:38AM   Printer-friendly
from the forget-the-hyperbole-it's-"not-good" dept.

Researchers call NSO zero-click iPhone exploit 'incredible and terrifying':

Google researchers have described NSO Group's zero-click exploit used to hack Apple devices as "incredible and terrifying," Wired has reported. Project Zero researchers called it "one of the most technically sophisticated exploits we've ever seen" that's on par with attacks from elite nation-state spies.

The Project Zero team said it obtained one of NSO's Pegasus exploits from Citizen Lab, which managed to capture it via a targeted Saudi activist. It also worked with Apple's Security Engineering and Architecture (SEAR) group on the technical analysis.

NSO's original exploit required the user to click on a link, but the latest, most sophisticated exploits require no click at all. Called ForcedEntry, it takes advantage of the way iMessage interprets files like GIFs to open a malicious PDF file with no action required from the victim. It does so by using old code from the 1990s used to process text in scanner images.

Also at: Google Warns That NSO Hacking Is On Par With Elite Nation-State Spies:



Related Stories

FBI Admits it Acquired NSO's Pegasus Spyware in 2019

Despite confirming its purchase, the bureau claims Pegasus was never used in any FBI investigation:

According to the report, the deal struck between the FBI and NSO was a one-year test project worth around $5 million. Despite "not using it at all... like, not even switching it on," according to a source, the FBI renewed the contract for another year, bringing the deal up to $9 million.

The deal was agreed upon following a "long process" of disagreements on how much control NSO Group would retain over its software, a source told The Guardian. The FBI reportedly took issue with NSO's policy of keeping sensors on its technology in order to be alerted if it was moved by a government client and to keep track of its physical location.

In addition, the bureau was reportedly wary of allowing NSO engineers to install Pegasus on FBI computers, instead agreeing to keep the spyware in a large container.

The FBI stated it bought access to NSO's spyware in order to "stay abreast of emerging technologies and tradecraft."


Politics: The Battle for the World's Most Powerful Cyberweapon

The Battle for the World's Most Powerful Cyberweapon [Ed's Comment: If paywalled try https://archive.fo/cbnUR]

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world's most notorious maker of spyware. Then, with their equipment in place, they began testing.

The F.B.I. had bought a version of Pegasus, NSO's premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.

  • (Score: 2) by looorg on Sunday December 19 2021, @05:54AM (9 children)

    by looorg (578) on Sunday December 19 2021, @05:54AM (#1206312)

    ... on par with attacks from elite nation-state spies

    On par with? They more or less are one. Founders came from military intelligence and they most likely recruit heavily from such units once their tour of duty is over.

    Called ForcedEntry, it takes advantage of the way iMessage interprets files like GIFs to open a malicious PDF file with no action required from the victim. It does so by using old code from the 1990s used to process text in scanner images.

    Still nice that you don't even have to click some tedious links anymore. But if that has been around since the 90s, how the fuck has that not been patched yet, and how is it still in use?

    • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @07:26AM (3 children)

      by Anonymous Coward on Sunday December 19 2021, @07:26AM (#1206318)

      Because code review costs money and nobody wants that shit. "Make something customers want."

      I'm quoting an old boss of mine, although in that particular instance, I was filling a feature requested by several school districts and teachers, which was, at the time, our fastest growing segment of customers. There's (several) reasons I don't work for him anymore.

      • (Score: 3, Interesting) by looorg on Sunday December 19 2021, @01:43PM (2 children)

        by looorg (578) on Sunday December 19 2021, @01:43PM (#1206350)

        But in this case I'm fairly sure customers don't want to be spied on; that said, other customers apparently want to spy, so there is that market segment. Still, if they are basing this super spy feature on something that is 20-30 years old and not fixed yet, one would assume there would be a market out there to fix it either way. It's not like you need to be backwards compatible with some software in this regard when it comes to previewing messages or whatnot. Also, if it's that old, shouldn't everyone more or less have this feature by now? It shouldn't be some NSO-exclusive hack in that regard.

        • (Score: 2) by The Vocal Minority on Monday December 20 2021, @04:30AM (1 child)

          by The Vocal Minority (2765) on Monday December 20 2021, @04:30AM (#1206561) Journal

          But in this case I'm fairly sure customers don't want to be spied on

          Have you heard of this thing called Facebook....

          • (Score: 2) by looorg on Monday December 20 2021, @11:51AM

            by looorg (578) on Monday December 20 2021, @11:51AM (#1206610)

            Somehow it does not matter how much or how many times that truth is told. Some users/people are just beyond making that connection, or just refuse to see it as spying or snooping. Still, if flat out asked whether they want to be spied upon, their answer would still be no. They just can't make the connection that that is what Meta/Facebook/Google etc. are doing to them.

    • (Score: 2) by Runaway1956 on Sunday December 19 2021, @08:02AM

      by Runaway1956 (2926) Subscriber Badge on Sunday December 19 2021, @08:02AM (#1206322) Homepage Journal

      Feature requested by NSA - will not fix.

      --
      Abortion is the number one killer of children in the United States.
    • (Score: 4, Interesting) by inertnet on Sunday December 19 2021, @12:01PM (3 children)

      by inertnet (4071) Subscriber Badge on Sunday December 19 2021, @12:01PM (#1206339) Journal

      PDF files can be very nasty. I recently wrote some code to scan PDF files for a company that needs their customers to upload files. PDF files can contain objects with keywords like "/Sound", "/Launch", "/URI", "/Javascript" and more. "/Launch" will launch a program (optionally with a hard path). "/URI" provides a URL to click on, and so on. Sounds easy to scan, but any character can be encoded with a '#' lead character, so "/U#52I", "/#55R#49" and "/#55#52#49" will all be interpreted as "/URI". You can write code that replaces every '#nn' with its real character, but you cannot blindly do that for the whole file because (image) streams can also contain them. It's easy to remove the objects you don't want while scanning, though, once you have written proper code to analyse PDF files.

      • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @01:43PM

        by Anonymous Coward on Sunday December 19 2021, @01:43PM (#1206349)

        PDF files can contain objects with keywords like "/Sound", "/Launch", "/URI", "/Javascript" and more. "/Launch"

        So what? I can put anything into a text and it doesn't mean the thing should act on it. It's like if some idiot enabled JNDI on a logging string from external input .... wait...

      • (Score: 1, Interesting) by Anonymous Coward on Sunday December 19 2021, @01:44PM (1 child)

        by Anonymous Coward on Sunday December 19 2021, @01:44PM (#1206351)

        Q about PDFs -- do the possibly nasty things you mention work for any PDF reader?

        I have pretty much quit using Acrobat Reader and now use SumatraPDF which is faster (and has many fewer "features"). I have a feeling that most of the nasty stuff is only possible with Acrobat Reader--is this true?

        • (Score: 4, Interesting) by inertnet on Sunday December 19 2021, @03:14PM

          by inertnet (4071) Subscriber Badge on Sunday December 19 2021, @03:14PM (#1206364) Journal

          My goal was to sanitize PDF files before employees get to review them. You have to assume that an employee will click on anything without thinking twice, and even enter their Microsoft credentials in any browser window that happens to pop up. This has actually happened recently during a targeted phishing attack: people would happily enter their login details without checking the URL. It was caught just in time; somebody was already in the act of paying a fake invoice of around $20,000 to a foreign bank account, within minutes after the phishing mails entered the company. They contained crafted PDF files, so after that I decided that any uploaded PDF files need to be disarmed at the time of uploading. The system (Salesforce) that displays the PDF files in a browser appears to be using the well known PDF.js library. I needed to neuter the uploaded PDF files before it gets decided how they would be opened. I don't know how secure any of the PDF readers are; on Windows I use PDF-XChange Viewer from Tracker Software. On Linux I use the default Atril viewer.
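A worked version of the two problems inertnet describes above (the `#hh` name escapes that defeat a naive keyword search, and the stream bodies you must not decode), added here as an example; it is not inertnet's code and not part of the original thread. It assumes the set of "active" names in `ACTIVE_NAMES` (chosen for the example; PDF names are case-sensitive, so the set carries the standard spelling `/JavaScript` plus the short form `/JS`), locates stream bodies by the `stream`/`endstream` keywords rather than by each stream's `/Length`, and recognises object streams by looking back at the dictionary that precedes them. Both PDF files are constructed inline, not captured documents. It also goes one step past the comment: dictionaries hidden in a Flate-compressed object stream are inflated and scanned too, because a byte-level pass over the raw file sees none of their keys.

```python
import re
import zlib

# Names that make a PDF *act* (launch, navigate, run script, play sound) rather
# than merely render. Set chosen for this example; extend it to taste.
ACTIVE_NAMES = frozenset({
    "/Launch", "/URI", "/JavaScript", "/JS", "/Sound", "/OpenAction", "/AA",
    "/SubmitForm", "/GoToR", "/EmbeddedFile", "/RichMedia",
})

# A name token runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /\[\]<>(){}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# 'stream' keyword (not the tail of 'endstream'), its line break, body, 'endstream'.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(token: bytes) -> str:
    """Undo PDF name escaping: each '#hh' stands for the byte 0xhh, so
    b'/U#52I', b'/#55R#49' and b'/#55#52#49' all decode to '/URI'."""
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def mask_streams(pdf: bytes) -> bytes:
    """Overwrite every stream body with spaces of the same length, so '#hh'
    sequences inside image or font data are never decoded as names while every
    byte offset stays put. Keyword-based location is a heuristic; a strict
    parser would honour each stream dictionary's /Length instead."""
    def blank(m):
        body = m.group(0)
        head = body.index(b"\n") + 1                    # 'stream\n' or 'stream\r\n'
        return body[:head] + b" " * (len(body) - head - 9) + b"endstream"
    return STREAM_RE.sub(blank, pdf)


def inflate_object_streams(pdf: bytes) -> bytes:
    """Object streams (/Type /ObjStm) hold whole dictionaries, normally Flate
    compressed, so a raw scan sees none of their keys. Return their inflated
    content, best effort (the 512-byte look-back for the dictionary is a heuristic)."""
    parts = []
    for m in STREAM_RE.finditer(pdf):
        dictionary = pdf[max(0, m.start() - 512):m.start()]
        if b"/ObjStm" in dictionary and b"/FlateDecode" in dictionary:
            try:
                parts.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass   # corrupt or mis-filtered stream: nothing to scan here
    return b"\n".join(parts)


def scan(pdf: bytes) -> list:
    """(offset, decoded_name, raw_token) for each active name outside stream
    bodies; offset -1 marks hits found inside inflated object streams."""
    hits = []
    for m in NAME_RE.finditer(mask_streams(pdf)):
        name = decode_name(m.group(0))
        if name in ACTIVE_NAMES:
            hits.append((m.start(), name, m.group(0)))
    for m in NAME_RE.finditer(inflate_object_streams(pdf)):
        name = decode_name(m.group(0))
        if name in ACTIVE_NAMES:
            hits.append((-1, name, m.group(0)))
    return hits


def neutralize(pdf: bytes) -> bytes:
    """Disarm uncompressed hits in place: overwrite each offending name with an
    unknown name of identical byte length, so xref offsets stay valid and a
    conforming reader ignores the entry. Object-stream hits would need the
    stream re-encoded, which this deliberately does not attempt."""
    buf = bytearray(pdf)
    for offset, _name, raw in scan(pdf):
        if offset >= 0:
            buf[offset:offset + len(raw)] = b"/" + b"X" * (len(raw) - 1)
    return bytes(buf)


# Constructed test documents (not real captured files). The first hides /URI
# twice behind '#' escapes and plants decoy names inside an image stream; the
# second hides a JavaScript action inside a compressed object stream.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /#55R#49 /U#52I (http://example.invalid/login) >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Length 14 >> stream\n"
    b"/URI /La#75nch"                    # image data that merely looks like names
    b"\nendstream endobj\n"
    b"%%EOF\n"
)
_OBJSTM_DATA = zlib.compress(b"6 0 << /Type /Action /S /JavaScript /JS (app.alert(1)) >>")
SAMPLE_OBJSTM_PDF = (
    b"%PDF-1.7\n7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM_DATA)).encode() + b" >> stream\n" + _OBJSTM_DATA
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for offset, name, raw in scan(SAMPLE_PDF) + scan(SAMPLE_OBJSTM_PDF):
        print(f"{offset:5d}  {name:<12} spelled as {raw!r}")
```

Run as a script it lists three hits in the first file (`/OpenAction`, and `/URI` twice under two different spellings) and two in the second (`/JavaScript`, `/JS`) that a scan of the raw bytes would never have seen, while the decoy `/URI /La#75nch` inside the image stream is correctly ignored. Because `neutralize` keeps every byte offset, the cross-reference table remains valid without rewriting the file. For a production gateway the regex approach is only a first filter: names can also hide behind other filters, indirect references or encryption, so normalise the document with a real parser first (for example `qpdf --qdf --object-streams=disable`, which expands object streams into plain text) and then apply the scan.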

  • (Score: 1, Interesting) by Anonymous Coward on Sunday December 19 2021, @10:06AM

    by Anonymous Coward on Sunday December 19 2021, @10:06AM (#1206331)

    After reading the article, I'm left in awe.
    This is pure genius.

    Same goes for the chaps who made a computer and a digital clock in Conway's Game of Life.
    Excellent documentary here: https://www.youtube.com/watch?v=Kk2MH9O4pXY [youtube.com]

    Talk about archetypal...

    [ lights a candle and bends down on one knee ]

  • (Score: 2, Insightful) by Anonymous Coward on Sunday December 19 2021, @01:28PM (2 children)

    by Anonymous Coward on Sunday December 19 2021, @01:28PM (#1206344)

    Is there a way to turn off message preview on iStuff?

    Seems like it opens quite a bit of unnecessary attack surface.

    • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @03:37PM

      by Anonymous Coward on Sunday December 19 2021, @03:37PM (#1206368)

      All you can do is turn off auto-play in iMessedup, that's it. You are still forced to see a thumbnail of whatever someone attached. I wonder, is a thumbnail still enough to trigger the exploit?

      A simple toggle to show/hide everything that is not text in iMessedup would make sense, but that's expecting too much of Apple. Most of Apple's UI redesigns and "improvements" have not made any sense for almost a decade.

      When wanting to revisit a text from a week ago, it would be so much simpler and faster and nicer to scroll back through a week's worth of messages in four screens of text instead of 25 screens of mixed text and thumbnails.

    • (Score: 3, Insightful) by rigrig on Sunday December 19 2021, @08:16PM

      by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Sunday December 19 2021, @08:16PM (#1206476) Homepage

      It seems like turning off preview might not help: apparently [blogspot.com] the exploit is triggered when iMessage receives any GIF, and it tries to modify the file so animated pictures loop forever.

      --
      No one remembers the singer.
  • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @03:55PM (3 children)

    by Anonymous Coward on Sunday December 19 2021, @03:55PM (#1206370)
    Do Android phones support this preview stuff by default and if so how do you disable it?
    • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @05:37PM (1 child)

      by Anonymous Coward on Sunday December 19 2021, @05:37PM (#1206404)

      >> Do Android phones support this preview stuff by default

      No... it's part of the inherent security that makes Android the better choice for security-conscious users.

      • (Score: 0) by Anonymous Coward on Sunday December 19 2021, @07:34PM

        by Anonymous Coward on Sunday December 19 2021, @07:34PM (#1206453)

        I would say Android is the state-approved bug on top of a Linux kernel, rather.
        Anyway, see you throw away that perfectly working battery, GPS sensor and camera(s) in three years because... software update denial.
        It's all the same crap.

    • (Score: 0) by Anonymous Coward on Monday December 20 2021, @03:40PM

      by Anonymous Coward on Monday December 20 2021, @03:40PM (#1206659)

      It's known that NSO has equivalent android offerings, but they haven't been found in the wild. Probably whales don't use android.

  • (Score: 2) by Mojibake Tengu on Sunday December 19 2021, @04:12PM

    by Mojibake Tengu (8598) on Sunday December 19 2021, @04:12PM (#1206373) Journal

    https://soylentnews.org/~Mojibake+Tengu/journal/9443 [soylentnews.org]
    https://www.issworldtraining.com/ISS_EUROPE/ [issworldtraining.com]

    But the ignorant still keep ignoring...

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
  • (Score: 5, Informative) by rigrig on Sunday December 19 2021, @08:11PM

    by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Sunday December 19 2021, @08:11PM (#1206474) Homepage

    xkcd link [xkcd.com].

    And just in case anybody is interested: Project Zero's actual write-up [blogspot.com] of how this actually works.

    ForcedEntry sets up its own virtualized environment.

    That sounds incredible enough, but then you find out they actually built that environment from logical bit operations:

    JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.

    The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.

    --
    No one remembers the singer.
  • (Score: -1, Troll) by Anonymous Coward on Sunday December 19 2021, @10:59PM

    by Anonymous Coward on Sunday December 19 2021, @10:59PM (#1206506)

    This is a job of a jew: steal from others, harm them in any way possible. The jew is unable to make something of value. He only destroys. Imagine if there were no jews...

  • (Score: 0) by Anonymous Coward on Monday December 20 2021, @04:24PM (2 children)

    by Anonymous Coward on Monday December 20 2021, @04:24PM (#1206672)

    Why are things like this not included in the summary???

    Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future, similar attacks.

    • (Score: 0) by Anonymous Coward on Monday December 20 2021, @08:55PM

      by Anonymous Coward on Monday December 20 2021, @08:55PM (#1206729)

      Google researchers

    • (Score: 0) by Anonymous Coward on Tuesday December 21 2021, @04:43AM

      by Anonymous Coward on Tuesday December 21 2021, @04:43AM (#1206792)

      For it to work they have to be installed. Lots of users never do it, for technical or competency reasons. Others with older phones probably can't even do it, as it's not even supported.
