[HN Gopher] iOS 14.6 device hacked with a zero-click iMessage ex...
___________________________________________________________________
iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus

Author : amrrs
Score  : 180 points
Date   : 2021-07-18 19:43 UTC (3 hours ago)

(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)

| Exuma wrote:
| This seems bad
|
| rubatuga wrote:
| Anybody notice a lot of crashes in their iOS device lately?
|
| inter_netuser wrote:
| How often does yours crash?
|
| rubatuga wrote:
| There was a period from about 3 weeks to one week ago where I had crashes almost every day from Safari, Snapchat, and a few other apps. Maybe 1-3 times a day?
|
| toxik wrote:
| Definitely not normal, something eating lots of memory? Bug in some iCloud sync bs? If you're really keen on finding out what's going on, you can look at the system logs through Xcode.
|
| konart wrote:
| Nope. Not a single one since I've got my 11.
|
| eknkc wrote:
| Not really. Used to have more occasional crashes but my iPhone 12 crashed only once since I got it at launch.
|
| doggodaddo78 wrote:
| Nope. Haven't had a crash in months. iPhone SE 2020.
|
| Google234 wrote:
| Could be that your battery has deteriorated too much.
|
| LoveLeadAcid wrote:
| Seems safe to assume that everybody's been infected by this point, eh?
|
| viraptor wrote:
| No. More infections = more noise. If you want to target specific people for a long time, you want to make as little noise as possible. This includes unexpected traffic, file artefacts, background energy use, etc.
|
| Although now that the cat is out of the bag, I'm sure some groups are working to reproduce it for mass-infection. Especially since this looks wormable.
|
| LoveLeadAcid wrote:
| I disagree, the NSA has shown us all that sucking in all data and worrying about sorting it later is the way to go.
|
| EDIT: yikes, I've upset the Unit 8200 agents.
| viraptor wrote:
| This is a different context, different targeted group, different use case, than what we've seen with global NSA monitoring. You're comparing apples to oranges.
|
| meowface wrote:
| Passively collecting data on the wire is different from actively exploiting a device to execute malware. Any entity trying to work with intelligence agencies is definitely going to be careful and somewhat sparing with their use of an "S-tier" zero-day like this. (Unless they have reason to believe it's already likely been burned, in which case they might decide to hastily machine gun it while it's still viable.)
|
| alfalfasprout wrote:
| With extremely valuable zero-days like this, targeting is the way to go b/c you don't want the zero-day discovered by putting it out extensively in the wild. Obviously it's always a question of time anyways.
|
| mhh__ wrote:
| They are able to drink from the firehose, though. This is an exploit on a device rather than a nation's infrastructure.
|
| That being said, Stuxnet had done its business before it went public.
|
| zarzavat wrote:
| How are image parsing exploits still a thing in 2021? Can Apple not use Rust? I struggle to understand why Apple is still relying on C/C++ in such a well-known security hotspot.
|
| JEFFERSONRUSH1 wrote:
| Do you need expert help in gaining access/passwords to Facebook, gmail, Instagram, yahoo-mail, snap-chat, twitter, Hotmail, various blogs, icloud, apple accounts or you want to trade on bitcoin etc. Password retrieval, clear debts, change of school grades, professional hacking into institutional servers, clearing of criminal records, smartphone, tablet portable device hacks, ip tracking and general tracking operations..........contact: hack.truth77@gmail.com
|
| DanAtC wrote:
| How long until the articles telling users to disable iMessage?
|
| timmytokyo wrote:
| I would hope Apple could do something quick and easy in response to this.
| From the original thread:
|
| BlastDoor is a great step, to be sure, but it's pretty lame to just slap sandboxing on iMessage and hope for the best. How about: "don't automatically run extremely complex and buggy parsing on data that strangers push to your phone?!"
|
| techrat wrote:
| Really goes to show Apple's approach to security, "feebly containerize something after it's already been severely exploited."
|
| Dah00n wrote:
| > _"as @AmnestyTech observed and we @citizenlab can confirm, NSO Group's Pegasus spyware delivered via 0-click exploits is no longer "persistent" in the strict sense of the word (i.e., doesn't come back when you reboot). Persistence is achieved via firing the 0-click again. Because the 0-clicks they're using appear to be quite reliable, the lack of traditional "persistence" is a feature, not a drawback of the spyware. It makes the spyware more nimble, and prevents recovery of the "good stuff" (i.e., the spyware and exploits) from forensic analysis."_
|
| Oh that's bad.
|
| arkadiyt wrote:
| On the plus side, having persistence means attackers retain access through iOS updates. Their "persist-less" exploits will eventually be patched by Apple, at which point anyone who applies the update has a clean device.
|
| ec109685 wrote:
| On the server, we have Firecracker and gVisor to provide an extra layer of defense by not allowing userspace to directly access the kernel.
|
| Will that be the future on client devices as well, given kernels are just too complex to secure perfectly?
|
| arkadiyt wrote:
| As the tweet author notes, starting with iOS 14 Apple has moved iMessage parsing into a sandboxed "BlastDoor" process - I'm surprised it was ineffective in stopping this exploit chain.
|
| tester756 wrote:
| Why are there so many parsing-related exploits?
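tester756's question above, and the replies from amelius and wyager that follow it, are about why parsers written in C keep producing memory-corruption bugs. The code below is an added example written for this page; it is not from the thread, from Apple, or from any real iMessage or image parser. It parses a hypothetical length-prefixed chunk format (the format, the function names, the error codes and the sample inputs are all constructed for the example) in two ways: first the vulnerable form that trusts the sender-supplied length field, then a hardened form in which every length is checked against the destination buffer and the remaining input before any copy is made.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunked format, constructed for this example (not a real image format):
 * a sequence of records, each  uint32 payload_length (little-endian) | uint8 type | payload.
 * Real formats (PNG chunks, TIFF IFDs, JBIG2 segments) have the same shape: a length
 * field the sender controls and the parser must not trust. */

#define MAX_PAYLOAD 64   /* fixed stack buffer each payload is copied into */
#define HEADER_LEN 5     /* 4-byte length + 1-byte type */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable version: the length field drives memcpy() without being checked against
 * either the stack buffer or the bytes actually left in the input. A length larger than
 * MAX_PAYLOAD overwrites the stack; a length larger than the remaining input reads past
 * the buffer. Returns the number of chunks "parsed". */
int parse_chunks_unsafe(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int chunks = 0;
    while (off + HEADER_LEN <= len) {
        uint32_t clen = read_le32(buf + off);
        uint8_t type = buf[off + 4];
        uint8_t payload[MAX_PAYLOAD];
        memcpy(payload, buf + off + HEADER_LEN, clen);   /* BUG: clen unchecked */
        (void)type;
        (void)payload;
        off += HEADER_LEN + clen;
        chunks++;
    }
    return chunks;
}

/* Error codes for the hardened parser (constructed for this example). */
enum {
    PARSE_ERR_TRUNCATED_HEADER  = -1,   /* trailing bytes too short to hold a header */
    PARSE_ERR_TOO_LARGE         = -2,   /* payload would overflow the stack buffer */
    PARSE_ERR_TRUNCATED_PAYLOAD = -3    /* payload would read past the end of input */
};

/* Hardened version: same loop, but the length is validated against both the destination
 * buffer and the remaining input before any copy, and leftover bytes that cannot form a
 * header are an error rather than silently ignored. Returns the chunk count (>= 0) on
 * success or a negative error code. */
int parse_chunks_safe(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int chunks = 0;
    while (off < len) {
        if (len - off < HEADER_LEN)
            return PARSE_ERR_TRUNCATED_HEADER;
        uint32_t clen = read_le32(buf + off);
        uint8_t type = buf[off + 4];
        if (clen > MAX_PAYLOAD)
            return PARSE_ERR_TOO_LARGE;
        if (clen > len - off - HEADER_LEN)      /* len - off >= HEADER_LEN, so no underflow */
            return PARSE_ERR_TRUNCATED_PAYLOAD;
        uint8_t payload[MAX_PAYLOAD];
        memcpy(payload, buf + off + HEADER_LEN, clen);
        (void)type;
        (void)payload;
        off += HEADER_LEN + clen;               /* both terms are bounded by len */
        chunks++;
    }
    return chunks;
}

/* Constructed sample inputs. */
static const uint8_t benign[] = {
    3, 0, 0, 0, 'A', 'a', 'b', 'c',    /* length 3, type A, payload "abc" */
    0, 0, 0, 0, 'B'                    /* length 0, type B */
};
/* Claims a 4096-byte payload but carries only 4 bytes: smashes the 64-byte stack buffer
 * and reads past the input in the unsafe parser. */
static const uint8_t malicious[] = { 0x00, 0x10, 0x00, 0x00, 'A', 'x', 'x', 'x', 'x' };
/* Length 10 fits the buffer, but only 2 payload bytes follow the header. */
static const uint8_t truncated_payload[] = { 10, 0, 0, 0, 'A', 'x', 'x' };
/* One valid empty chunk followed by two stray bytes. */
static const uint8_t trailing_header[] = { 0, 0, 0, 0, 'B', 1, 2 };

int main(void) {
    printf("unsafe, benign:    %d chunks\n", parse_chunks_unsafe(benign, sizeof benign));
    printf("safe,   benign:    %d\n", parse_chunks_safe(benign, sizeof benign));
    printf("safe,   malicious: %d\n", parse_chunks_safe(malicious, sizeof malicious));
    printf("safe,   truncated: %d\n", parse_chunks_safe(truncated_payload, sizeof truncated_payload));
    printf("safe,   trailing:  %d\n", parse_chunks_safe(trailing_header, sizeof trailing_header));
#ifdef TRIGGER_OVERFLOW
    /* Compile with -DTRIGGER_OVERFLOW to let the unsafe parser process the malicious input.
     * This is undefined behaviour; a crash or an AddressSanitizer report is the usual result. */
    printf("unsafe, malicious: %d\n", parse_chunks_unsafe(malicious, sizeof malicious));
#endif
    return 0;
}
```

Build with something like `cc -std=c99 -Wall -fsanitize=address parse.c` and run it; add `-DTRIGGER_OVERFLOW` to watch the unsafe parser overrun its stack buffer on the malicious input. The hardened version is deliberately unclever: it is the same loop with three bounds checks, which is exactly the combination amelius points at (arbitrary-length input meeting a fixed-size stack buffer) and the kind of check a language with bounds-checked slices would make impossible to forget.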
| amelius wrote:
| My guess: because most parsing uses the stack a lot, and the parsed language often allows arbitrary length inputs, both of which are connected to overflow problems, which in turn can often be exploited.
|
| wyager wrote:
| Because people implement parsers in languages that don't allow direct expression of grammars (e.g. C). To safely implement parsers you must choose either algebraic datatypes or continuation passing, and a lot of programmers choose neither. CPS is annoying in most languages. ADTs are the obvious choice but somehow in 2021 most people are using languages that don't have them. If you write a parser in Haskell, for example, you'd have to mess up pretty badly and write totally non-idiomatic code to write a parser that crashes at all, let alone crashes in a way that compromises memory safety.
|
| tester756 wrote:
| > ADTs are the obvious choice but somehow in 2021 most people are using languages that don't have them.
|
| Isn't inheritance to create hierarchy enough? Why?
|
|             Node
|     SubNode1       SubNode2
|   SubNode1.1       SubNode2.1
|
| wyager wrote:
| Using inheritance in this way is a hack to emulate some of the functionality of ADTs. Grammars are perhaps one of the most poignant examples where the various constructors in your type might have no behaviors in common, so adherence to a shared interface is nothing but a vague indication that these types are somehow related. Sealed classes let you recover a little bit more of the functionality.
|
| SheinhardtWigCo wrote:
| The future is memory safety, but to get there, they would need to rewrite and audit millions of lines of code. Targeted attacks against VIP users don't cause significant PR damage, so why go to all that effort?
|
| [deleted]
|
| collaborative wrote:
| I've been hearing of Pegasus for a good 3 years now. Is it so hard to patch devices to close whatever means it uses to hack them?
|
| Or is there also a Pegasus V2, V3, etc. that plays catchup with OS's security patches?
|
| meibo wrote:
| It's the name of an iOS malware/RAT by NSO, an Israeli company that likes to sell their software to governments offering varying degrees of personal freedom around the world.
|
| It's been around with zero-click exploits for years, and apparently even now, after their big iMessage "security" rewrite with iOS 14. Very likely that they have other entrypoints as well though.
|
| stefan_ wrote:
| Just so no one is confused: as the Facebook lawsuit confirmed, NSO is running the C&C servers for their clients. They are not selling some software, "do what you want".
|
| It is NSO running these operations. They are directly implicated in whatever their malware ends up doing.
|
| drexlspivey wrote:
| Pegasus was also used by Saudi Arabia to hack Jeff Bezos' phone and it was MBS (the crown prince) himself that sent the iMessage to him.
|
| mandeepj wrote:
| It was a WhatsApp missed call
|
| eyeball wrote:
| How would one tell if they'd been hit with this?
|
| [deleted]
___________________________________________________________________
(page generated 2021-07-18 23:00 UTC)