NSO Group iMessage Zero-Click Exploit Captured in the Wild
Author : jbegley
Score : 353 points
Date : 2021-09-13 20:04 UTC (2 hours ago)
(HTM) web link (citizenlab.ca)
(TXT) w3m dump (citizenlab.ca)
| defaulty wrote:
| This report says they discovered this in March.
|
| The NY Times [1] just reported that "Apple's security team has
| been working around the clock to develop a fix since Tuesday,
| after researchers at Citizen Lab, a cybersecurity watchdog
| organization at the University of Toronto, discovered that a
| Saudi activist's iPhone had been infected with spyware from NSO
| Group."
|
| What took so long? Did Apple not know about this in March or was
| someone sitting on it for 6 months?
|
| [1] https://www.nytimes.com/2021/09/13/technology/apple-
| software...
| robocat wrote:
| "Citizen Lab forwarded the artifacts to Apple on Tuesday
| September 7." -- from article, no need to jump to unwarranted
| conclusions about Apple. "In March 2021, we examined the phone
| of a Saudi activist" - it would be interesting to know the
| reason why Citizen Lab delayed so long. Hopefully they just
| wanted time to discover who else was being targeted?
| dezfuli wrote:
| > In March 2021, we examined the phone of a Saudi activist
| who has chosen to remain anonymous, and determined that they
| had been hacked with NSO Group's Pegasus spyware. During the
| course of the analysis we obtained an iTunes backup of the
| device.
|
| > Recent re-analysis of the backup yielded several files with
| the ".gif" extension in Library/SMS/Attachments that we
| determined were sent to the phone immediately before it was
| hacked with NSO Group's Pegasus spyware.
|
| Seems like they originally examined the phone in March, but
| recently did another analysis, during the course of which
| they discovered the exploit and reported it to Apple.
| badRNG wrote:
| I assume it takes time to go from "this person could have
| potentially been targeted with Pegasus" to "this person's
| iPhone was exploited by Pegasus, and here is how they did
| it."
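A triage check for the Library/SMS/Attachments files discussed in the comments above. This is an added example, not code from Citizen Lab or Apple: it flags attachments whose file extension disagrees with the format their leading bytes announce, which is the kind of pass an analyst runs over a backup before opening individual files. The magic-number table and the iOS backup layout used by scan_backup (a Manifest.db whose Files table maps each file to fileID[:2]/fileID) are the example's own assumptions, and the sample attachments are constructed; the thread says only that the files carried a ".gif" extension, not what they contained.

```python
"""Flag message attachments whose extension and content disagree.

Added example for this thread, not code from Citizen Lab or Apple.
The magic-number table, the iOS backup layout assumed by scan_backup and the
SAMPLE attachments are all this example's own constructions.
"""
import os
import sqlite3
from typing import Dict, List, Optional, Tuple

# Leading bytes of the formats a messaging client is likely to hand to an
# image or document decoder. Table is the example's own assumption.
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"8BPS", "psd"),
]

EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg"}

Finding = Tuple[str, Optional[str], Optional[str]]  # (name, claimed, actual)


def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for prefix, fmt in MAGIC:
        if data.startswith(prefix):
            return fmt
    return None


def extension_format(name: str) -> Optional[str]:
    """Return the format the file name claims, or None if it has no extension."""
    _, dot, ext = name.rpartition(".")
    if not dot:
        return None
    ext = ext.lower()
    return EXT_ALIASES.get(ext, ext)


def triage(files: Dict[str, bytes]) -> List[Finding]:
    """Return one finding per file whose extension and magic number disagree,
    or whose content matches no known format at all."""
    suspicious: List[Finding] = []
    for name, data in files.items():
        claimed = extension_format(name)
        actual = sniff(data[:16])
        if actual is None or claimed != actual:
            suspicious.append((name, claimed, actual))
    return suspicious


def scan_backup(backup_dir: str) -> List[Finding]:
    """Triage SMS attachments in an unencrypted iOS backup.

    Hypothetical helper: assumes the iOS 10+ layout in which Manifest.db has a
    Files(fileID, domain, relativePath, ...) table and each file is stored at
    <fileID[:2]>/<fileID>. Verify against your own backup before relying on it.
    """
    manifest = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    rows = manifest.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = 'MediaDomain' "
        "AND relativePath LIKE 'Library/SMS/Attachments/%'"
    ).fetchall()
    manifest.close()
    files: Dict[str, bytes] = {}
    for file_id, rel_path in rows:
        path = os.path.join(backup_dir, file_id[:2], file_id)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[rel_path] = fh.read(16)   # magic numbers only
    return triage(files)


# Constructed sample attachments; none of these are real captured files.
SAMPLE = {
    "Library/SMS/Attachments/aa/cat.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "Library/SMS/Attachments/ab/photo.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "Library/SMS/Attachments/ac/invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "Library/SMS/Attachments/ad/meme.gif": b"%PDF-1.3\n",       # PDF under a .gif name
    "Library/SMS/Attachments/ae/sticker.gif": b"8BPS\x00\x01",   # PSD under a .gif name
    "Library/SMS/Attachments/af/blob.gif": b"\x00\x00\x00\x00",  # nothing recognisable
}

if __name__ == "__main__":
    for name, claimed, actual in triage(SAMPLE):
        print(f"{name}: extension says {claimed!r}, content looks like {actual!r}")
```

A mismatch is a reason to look, not proof of anything: clients and users mislabel files all the time, so the value of the check is in shrinking the pile of attachments that need a decoder-level look, particularly when the extension picks one parser and the content is going to be handed to a different, richer one.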
| [deleted]
| mortenjorck wrote:
| Is there a reason why quarantining image attachments from unknown
| senders hasn't been standard industry practice ever since
| Stagefright?
| zionic wrote:
| Project managers like the pretty inline previews! Security?
| Pssh that's just for nerds.
| flixic wrote:
| Apple specifically introduced BlastDoor framework to combat
| this, so NSO shifted their attacks around decoding, avoiding
| BlastDoor.
| arsome wrote:
| Android 10 also introduced similar mitigations:
| https://android-developers.googleblog.com/2019/05/queue-
| hard...
|
| Though it's worth noting that the cost of Stagefright was
| surprisingly low - it took a long time for a good ASLR bypass
| to come out for it and by that time most devices were updated
| or replaced. Additionally, the sheer variance between Android
| devices means developing worm-level exploits becomes
| extremely difficult compared to something where everyone's
| running the exact same binary like Windows, so it likely only
| saw targeted use.
| notyourday wrote:
| Apple should know who works for NSO Group. It should block every
| single account of every single person working for that org. Same
| goes for their families.
|
| Google should do the same for Android.
|
| You do not fight organizations like that by fighting
| "organization". You make it very difficult for people who work
| for those organizations to participate in a society that relies
| on what they actively work on breaking. In fact, you tell Israeli
| government that unless they put a leash on its dog and lock it up
| in its backyard, you will start disabling accounts of every
| single person in Israeli government. When the government leaders
| cannot work their iphones, they will ensure that NSO does not
| touch Apple's products.
| nebula8804 wrote:
| 30 seconds later, a command comes down the chain from Israel to
| its lapdog: the US and then 5 seconds after that Tim Cook gets
| a call from his local congressperson stating that he is in
| violation of AB 2844 stating that you cannot discriminate
| against Israelis
|
| [1]:https://iacforaction.org/in-support-of-the-anti-bds-
| ab-2844-...
|
| 1 second after that, the restriction is lifted.
| qaq wrote:
| which will accomplish exactly nothing same way as taking out
| Cartel leaders does not reduce the flow of drugs.
| notyourday wrote:
| Baby hackers that want to go work for NSO want to have a high
| life. Modern high life requires modern communications
| devices. Blocking them from modern life (for example, vaccine
| passports done via iPhone and Android) will quickly lower the
| ranks.
|
| Blocking Israeli government officials from Google and Apple
| will _immediately_ solve the "NSO is an Israeli company that is
| cozy with the government and gets government protection"
| problem.
|
| None of the NSO group's clients would want to pay for it via
| suitcases of cash. And in either event paying with suitcases
| of cash creates problems in the modern world for those that
| receive the suitcases of cash.
| qaq wrote:
| There is a wide range of exploit brokers and a decent
| number of security researchers that choose $ over morality.
| As long as there is demand there will be supply.
| rodgerd wrote:
| > Apple should know who works for NSO Group. It should block
| every single account of every single person working for that
| org. Same goes for their families.
|
| NSO are suing Facebook - successfully so far - to force them to
| allow NSO staff access to Facebook when FB responded to NSO
| attacks by doing just that.
| notyourday wrote:
| Facebook was suing NSO about the hacks that NSO carried out.
|
| In this case Facebook, Apple, Google, etc should simply
| terminate the accounts exercising "we are deplatforming you.
| No explanation" option they all have.
| q_andrew wrote:
| It seems like the NSO group is some kind of Hydra where every
| time their exploits are thwarted they find 2 new ones. The
| difference is that Hydras go for demigods while NSO products
| target civil servants and minorities.
| danicgross wrote:
| Would turning off iMessage protect from this? Or would the iPhone
| still process the GIF through SMS somehow...?
| SheinhardtWigCo wrote:
| Their high-confidence attribution to NSO Group is described as
| being based on two factors:
|
| 1. Incomplete deletion of evidence from a SQLite database, in the
| exact same manner observed in a previous Pegasus sample;
|
| 2. The presence of a new process with the same name as a process
| observed in a previous Pegasus sample.
|
| But isn't it likely that someone with the skills needed to
| discover and weaponize a chain of 0-day exploits, is incentivized
| and able to detect these quirks in Pegasus samples and imitate
| them, with the goal of misattribution?
|
| Of course, there may be more factors involved in the attribution
| that aren't being shared publicly.
| [deleted]
| Leparamour wrote:
| Since when do we assume misattribution in fingerprinting APTs?
|
| Crowdstrike will find out it's clearly Russia behind this and
| Mandiant will blame China.
| Hnrobert42 wrote:
| It seems like incomplete deletion of data is an error. If you
| are an exploit developer looking to throw investigators off
| your trail, it is one thing to name your processes with Pegasus
| names. It is another to deliberately introduce errors in your
| exploit to appear like Pegasus.
|
| Your proposal is possible. It is just less likely than that
| this exploit was developed by NSO Group.
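The incomplete-deletion point discussed above, as an added example that is not from the Citizen Lab report or from any Pegasus sample: in SQLite a DELETE normally only unlinks the record, so its bytes stay in the page's free space until that space is reused, and a raw scan of the file recovers them; with PRAGMA secure_delete on, the freed bytes are zeroed instead. This is why leftover rows in a database are a usable forensic signal and why "cleaning up" by deleting rows is not the same as removing them. The table, the marker string and the file names are constructed for the demonstration.

```python
"""Show that a deleted SQLite row survives in the raw file unless secure_delete is on.

Added example for this thread; it reproduces nothing Pegasus-specific.
The events table, MARKER string and temp-file names are constructed here.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List

MARKER = b"carve-me-deleted-record"


def build_and_delete(path: str, secure_delete: bool) -> None:
    """Create a small table, commit, then delete the middle row and commit again."""
    conn = sqlite3.connect(path)
    # secure_delete is per-connection; set explicitly so the build's compile-time
    # default does not decide the outcome.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany(
        "INSERT INTO events (note) VALUES (?)",
        [("ordinary row one",), (MARKER.decode(),), ("ordinary row three",)],
    )
    conn.commit()
    conn.execute("DELETE FROM events WHERE note = ?", (MARKER.decode(),))
    conn.commit()
    conn.close()


def carve(path: str, needle: bytes) -> List[int]:
    """Return every raw file offset at which `needle` occurs.

    Ignores the b-tree structure entirely, which is what a carving tool does:
    it does not matter whether the bytes belong to a live cell or a freeblock.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    hits, start = [], 0
    while True:
        idx = raw.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def live_rows(path: str) -> int:
    """Count the rows SQL itself still reports for the marker."""
    conn = sqlite3.connect(path)
    n = conn.execute(
        "SELECT COUNT(*) FROM events WHERE note = ?", (MARKER.decode(),)
    ).fetchone()[0]
    conn.close()
    return n


def demo() -> Dict[str, bool]:
    """Run both variants; returns {'off': ..., 'on': ...}, True when the deleted
    text is still recoverable from the raw file."""
    result: Dict[str, bool] = {}
    tmp = tempfile.mkdtemp()
    for label, secure in (("off", False), ("on", True)):
        path = os.path.join(tmp, "secure_delete_%s.db" % label)
        build_and_delete(path, secure)
        if live_rows(path) != 0:
            raise RuntimeError("row should be gone from SQL's point of view")
        result[label] = bool(carve(path, MARKER))
    return result


if __name__ == "__main__":
    for label, recoverable in demo().items():
        print("secure_delete=%s: deleted text still in file -> %s" % (label, recoverable))
```

The SQL view and the byte-level view disagree on purpose: COUNT(*) is zero in both runs, but only the secure_delete run actually scrubbed the freeblock. Rollback journals and WAL files can hold further copies, so an analyst scans those too, and an attacker who wants a clean exit has to think about all of them.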
| giarc wrote:
| I recently learned of this group through the Dark Net Diaries
| podcast. The host does a pretty good job of covering the NSO
| group in episode 99 and 100.
|
| https://darknetdiaries.com/episode/
| trangus_1985 wrote:
| If you're interested in infosec/appsec, DND is a great place to
| get started. The host packages up stories in a well put-
| together way, has no qualms about breaking to explain a concept
| or term, and does it all within an hour.
| adamgordonbell wrote:
| Those episodes were great!
|
| It sounded like NSO group just considers losing zero days like
| this a cost of doing business.
|
| There seemed to be an implication that they have a war chest of
| these exploits and expect them to each get burnt after a
| certain amount of usage.
| DSingularity wrote:
| I wonder what the US response would have been if the NSO
| group was an Iranian business.
| [deleted]
| Operyl wrote:
| I heavily recommend reading "This is How They Tell Me The World
| Ends" written by one of the guests he had in episode 98, Nicole
| Perlroth (which also touched a little on the NSO in that
| episode). She's The NY Times cybersecurity reporter. A lot of
| the book focused on the NSO, among others.
| badRNG wrote:
| This episode just came out last week, and this is the second
| time NSO has made news since it aired (along with Germany being
| a confirmed client.) Surprisingly apropos, but I imagine Jack's
| disappointed the big news makes it just after his episode's
| release on the subject.
| vjust wrote:
| I once worked in a 'dissident' org (supported by the US Agency
| for International Development) - these orgs were fighting for
| human rights in their countries. In one extreme case/country, my
| prospective project team mate, no one knew her real name (came to
| know this later), though she was our colleague, was quite social
| and pleasant. In her country's expatriate circles in DC, she was
| worried about foreign spies. Family back home is at risk, and so
| is she, even if she lives in DC. These are brave people.
|
| She wanted to build a database of something, and we were like,
| "keep your phone in another room" if you want to come discuss.
| Something that I am not sure she practices but more people need
| to practice.
|
| CitizenLab is doing yeoman's service for people's rights to
| privacy and human rights. They're heroes.
| [deleted]
| eynsham wrote:
| > supported by the US Agency for International Development
|
| Isn't it more usual for the NED to do such things? I remark
| upon this because it occurs to me that using USAID to do
| politics might make recipients suspicious of aid even when it's
| both necessary from a humanitarian perspective and unlikely to
| threaten the ruling dispensation in the recipient country.
| (This is a separate question from whether the NED/US government
| as a whole should even involve itself in such matters, to which
| my answer is 'maybe', since the dubious stuff probably happens
| anyway and lots of these civil society organisations &c.
| actually do good work [e.g. the The Assistance Association for
| Political Prisoners in Burma.])
| vjust wrote:
| True... I was slightly inaccurate. This org. had various USG
| funders, with a large slice of funding from US-AID projects.
| Washington is full of these 'USAID contractors', some tiny
| others mega-sized. But _this_ project may have been funded by
| a division of US Dept of State that is focused on Human
| Rights - DRL. Not sure where the lines are about which one
| US-Aid gets and which one is State. For example development
| of journalism in an emerging country would be US-Aid. But
| OTOH, a project promoting free elections in the same country
| _could_ be State. Not sure.
|
| In any case, they span the range from benign to hostile
| nations, with varying risks attached. The "About" page for
| many such sensitive orgs would be silent on who the team was,
| except if it was Americans (like me) who didn't mind having
| their name out there (or nervously okayed the name being
| public).
| [deleted]
| iJohnDoe wrote:
| Kind of interesting Apple reacted as quickly as they did. It
| usually takes a lot of effort to get Apple to acknowledge
| anything. Or maybe because they didn't request a bug bounty?
| [deleted]
| syntheticcorp wrote:
| It's because it is being exploited in the wild. Those bugs tend
| to get patched fast.
| badkitty99 wrote:
| And their angle on this "not being a big deal" is that it's
| only used on high profile targets, so they need to keep that
| front up to maintain their busy bottom line
| r00fus wrote:
| Buried lede: Apple has patched that particular exploit [1] and
| everyone should download iOS14.8 now if you want to be protected
| (no doubt NSO has other tricks up their sleeve).
|
| Edit: Just realized it also impacts macOS and watchOS as well
| which were also patched. Patch Monday!
|
| [1] https://support.apple.com/en-ca/HT212807
| sneak wrote:
| Pretty soon the choice will be between:
|
| - vulnerable to the latest published exploits
|
| or
|
| - vulnerable to clientside scanning of your media for
| wrongthink by Apple for the CCP
|
| Smash that iOS update button and do your part for the party!
| samtheprogram wrote:
| The irony is that if you're not updated to the latest iOS,
| the easier (cheaper?) it is for the CCP to run surveillance
| exploits on your device a la the Uighurs.
|
| You can either trust Apple, or lose all security updates.
| Syonyk wrote:
| > _Pretty soon the choice will be between_
|
| What about "Don't use Apple products"? I know that Android is
| just as bad in many ways...
|
| And if all options in the modern tech industry basket of
| choice are terrible, well... humanity survived without them
| for an awfully long time.
|
| I've gone back to a flip phone from an iPhone. I no longer
| use Windows if I can at all avoid it (there exist a few
| sysadmin tasks involving netbooting Mikrotik devices for
| major OS updates that are far less painful on Windows than
| other OSes), and have no plans to let Win11 in my life. And
| Apple is heading out the door too. Throw in my dislike of
| Intel, and... yeah, it's getting pretty thin pickings. I
| still have an iPad with no accounts on it as a PDF reader,
| but I'd like to replace that with something else (Remarkable
| or such).
|
| "Agh, this is soooo terrible, but I'm going to keep using
| it!" just means, in practice, it's not that terrible.
| TaylorAlexander wrote:
| It just makes me so uncomfortable that these things keep
| happening. We always find out about these things eventually but
| what percentage of the time are our devices vulnerable? Isn't
| it close to 100% of the time that our desktops and mobile
| devices have significant security vulnerabilities?
| r00fus wrote:
| Invulnerability for your devices is a chimera. You can only
| do what's possible in your capacity to secure yourself.
|
| I am at peace with the fact that I'm doing the best I can and
| keeping those I love protected.
| buddylw wrote:
| Security has always been relative. I feel much safer
| knowing that an exploit like this is worth hundreds of
| thousands or even millions of dollars.
|
| It keeps them closely guarded and selective about use. All
| of that makes me an unlikely target and reduces individual
| risk.
| heavyset_go wrote:
| > _I feel much safer knowing that an exploit like this is
| worth hundreds of thousands or even millions of dollars._
|
| I don't. Look at how much companies like Apple pay out
| for responsible disclosure if they pay out at all, and
| then compare it to what exploits go for on the grey/black
| market. Typically the buyers have deep pockets and
| burning millions of dollars wouldn't make them blink.
| dkokelley wrote:
| Why does it matter if it's the "good guys" or "bad guys"
| paying?
|
| If a vulnerability only cost ~$100 then a malicious
| person could compromise an ex lover's phone, for example.
| The fact that they are expensive means that their use is
| limited to targeted, strategic attacks. You don't have to
| agree that those attacks are good, but surely pricing the
| average person out of 0-days is better than the
| alternative.
| heavyset_go wrote:
| > _The fact that they are expensive means that their use
| is limited to targeted, strategic attacks._
|
| There are organized crime networks that pull in billions
| of dollars of revenue a year. If they wanted to pull off
| dragnet fraud, for example, they have the funds to do so.
| dylan604 wrote:
| >Why does it matter if it's the "good guys" or "bad guys"
| paying?
|
| Who do you think are more likely to use the vuln/exploit
| on regular everyday users? The nation state people are
| going to use it on targeted persons/groups (typically)
| while the "bad guys" are going to use it so they get the
| greatest bang for their buck.
| madeofpalk wrote:
| But still, I feel relatively safe knowing/thinking that
| the Saudi government doesn't want to hack my iPhone.
| heavyset_go wrote:
| Organized crime might, as they orchestrate fraud,
| blackmail etc networks all over the world.
| 8eye wrote:
| You would expect quality from a commercial product because
| of all the investment being put into a product, but these
| exploits are saying otherwise. Open source projects may have
| more investments that care on a different level. We might
| have to figure out a way to go in that direction eventually
| considering how dangerous this is getting; many people depend
| on the quality of a product to ensure safer communication,
| and with some it is a life and death situation. So yeah, it's
| sad that this keeps happening. It seems like we can think of
| a better way to not make this happen as often.
| overkill28 wrote:
| The way I describe it to friends and family is that there are
| basically two levels of protection:
|
| - Protecting yourself from run of the mill malware that is
| looking to make money off of you. You can do this pretty
| effectively by always updating your software as soon as you
| can and avoiding sketchy and unnecessary apps and websites
|
| - Protecting yourself from an attack by a nation state level
| agency. I don't think there is any way to be safe from this,
| and people who are targeted like this need to use protection
| that go well beyond the choice of cell phone or chat app
| jdavis703 wrote:
| > Protecting yourself from an attack by a nation state
| level agency.
|
| My personal data was hacked by a nation-state level agency.
| The only way I could've prevented that is by not working in
| a national security position for that country's
| geopolitical rival.
|
| Now the only thing I can reasonably do is avoid ever
| stepping foot in that country lest they detain me for
| "extra questioning."
| dylan604 wrote:
| Until run of the mill malware learns of a vuln only thought
| to be known by nation states, and then all hell breaks
| loose.
| shapefrog wrote:
| > Isn't it close to 100% of the time that our desktops and
| mobile devices have significant security vulnerabilities?
|
| It is 100%. The sadder reality is that the most likely weak
| link when it comes to exploiting your device is you.
| sneak wrote:
| Yes, but it can be somewhat mitigated by not using SMS or
| iMessage.
|
| Don't share the phone number of your sim with anyone for any
| reason whatsoever (or don't put a sim in the phone at all and
| use an external wifi router (this is what I do), or use a
| data-only sim), and ensure that iMessage and iCloud is
| disabled.
|
| This doesn't make your phone invulnerable, it just makes it
| less vulnerable.
| [deleted]
| nbzso wrote:
| So I have to update to protect myself from Pegasus/NSO and in
| the meantime to install next beta of CSAM scanner.
|
| Hmm. No. I deleted all my apps and photos, using it as a phone
| and banking app terminal. Phone calls metadata is collected by
| governments by default, so I have no problem with this. I have
| nothing to hide, and nothing to store on Apple devices.
|
| Someone more paranoid than me told me an outrageous theory: Apple
| wants to take part of the Pegasus spyware-like market by providing a
| legal and user-approved backdoor for governments through CSAM. I
| don't believe it at all. :)
| pengaru wrote:
| > I have nothing to hide
|
| Don't underestimate the value of privacy. How much (or little)
| you have to hide is something worth hiding. It's what you do
| and don't know, do and don't say, do and don't communicate
| with, this is all important to keep private by default.
|
| There's a tendency for individuals to assume the role of would-
| be criminal in these discussions. It's more correct to assume
| criminals exist on all sides, do you have any interest in
| enabling a corrupt government to surveil its law-abiding
| citizens? When you don't have privacy, you enable potential
| criminals in power to see if the populace is aware of their
| actions, or absolutely distracted by instagram. We're all
| potential witnesses to crimes, and at this point it's
| exceedingly likely we'd communicate those observations via
| smartphones. We all require privacy and secure communications,
| full stop.
| nbzso wrote:
| It is a sarcastic comment depicting the general state of
| things.
|
| Normalization of surveillance and acceptance of this "new
| world" by the general public through manufactured consent
| by the corporations, media and governments is staggeringly
| fast.
|
| There is no substitute for privacy, whatever the perceived
| motivation for "common good" is bringing to the table.
|
| My personal decision is to avoid the surveillance state by
| using FOSS solutions and abandoning smartphone habits.
|
| There must be a place for design and software solutions
| outside the "status quo". Started this year by removing Apple
| from my business and moving along to educate my customers on
| incoming dangers for their businesses and personal life.
| pphysch wrote:
| This line of thinking is predicated on two assumptions:
|
| 1) That the local authorities are essentially malevolent
|
| 2) That it is only the individual's (privacy/security)
| measures that are deterring the malevolent authority from
| exploiting them
|
| For most Americans/Europeans, both of these assumptions are
| false and based in paranoid fantasies. Local authorities are
| rarely malevolent (though they may commonly be corrupt and
| excessively self-interested and not care about you), and it
| is virtually impossible for the average citizen to mount a
| home defense (real or cyber) against a committed state actor,
| or even local PD. It's like trying to secure a VM guest from
| access by the host machine; you're completely surrounded.
|
| I fully support protecting yourself & your privacy against
| petty criminals, but unilaterally taking on your government
| is frankly just a waste of life.
| gjs278 wrote:
| take your meds
| nebula8804 wrote:
| Is there any confirmation this new release has any CSAM scanner
| stuff in it?
| nbzso wrote:
| At this point in time I would not believe anything Apple is
| saying. After all the backlash they just postponed it, to make
| it better and to avoid negative PR for the new iPhone.
|
| Traces of CSAM are found in iOS 14.3
| https://appleinsider.com/articles/21/08/18/apples-csam-
| detec...
| kevin_young wrote:
| There's a shocking number of pedophiles. Shame they lobbied
| so hard against keeping kids safe.
| m3kw9 wrote:
| Now that this is out, it won't be just NSO using it. Get it patched
| now.
| kome wrote:
| A public university doing wonderful work against state-sponsored
| spyware. Thank you University of Toronto! You restore my faith in
| academia.
| United857 wrote:
| I miss the days when iOS exploits were merely used for jailbreaks
| and allowing alternative app stores, instead of being
| weaponized/monetized as they are now.
| phendrenad2 wrote:
| Ah nice, just parse incoming gifs in your iMessage with the same
| function that also parses PSDs. What could possibly go wrong?
| Gotta be DRY, my dude!
| Ms-J wrote:
| It is increasingly bizarre in my opinion how this company (and
| others like Toka) can run active terrorist operations, that if
| anyone else smaller was doing some of the same hacks they would
| be in prison for a very long time.
|
| People have lost their lives due to these pariahs!
|
| Israel already has a massive PR issue with other countries, it
| would do them well to rein in these offensive front arms of
| their government/'companies.'
|
| Citizen Labs is really a great thing for civilization. There are
| not enough altruistic organizations.
| jasonhansel wrote:
| Why is it that iOS's PDF implementation has been the source of so
| many different exploits? This seems to be a pattern.
| madeofpalk wrote:
| PDFs are hard and complicated?
| RattleyCooper wrote:
| If I knew anybody at NSO Group I'd start messaging them
| unsolicited PDFs and shit :P
| traceroute66 wrote:
| Recently my iPhone started rebooting itself occasionally and
| randomly. I've been a long-term iPhone user and never seen this
| behaviour before on previous or current device.
|
| I'm not one to wear a tin-foil hat, but I have to admit NSO did
| come to mind.
| jaywalk wrote:
| Do you have reason to believe NSO Group would target you?
| azinman2 wrote:
| Unless you're a high profile target Occam's razor says hardware
| failure.
| ericbarrett wrote:
| Yup, probably a bad bit in RAM or a just-on-the-edge bus
| error.
| ls612 wrote:
| My mom's iPad was doing the same thing for a long time and I
| suspected hardware failure (it was getting kinda old), so I
| told her to take it into the Apple store for diagnosis and
| repair. It turned out that the iOS install was just corrupted
| by bit flips and the Apple employee did a factory reset and it
| was all good afterwards. There's many things that can go wrong
| with even modern computers that aren't exploit related
| theshadowknows wrote:
| I always wonder what it takes to find this kind of exploit. Are
| the programmers at NSO group just the best in the world? Or are
| they incredibly lucky? Both? I'd love to know what a normal day
| at work is like for their engineers. Clock in, sit down at
| a...crazy expensive hardware and software testing station? Crack
| open a brand new iPhone and start probing away while referencing
| internet sourced chip documentation and software manuals? What
| does it even look like?
| sophacles wrote:
| There's an entire "gray market" of exploit brokers. NSO group
| is one of the many players. There's a good chance this is an
| off-the-shelf exploit.
|
| The podcast Darknet Diaries had an episode about the topic
| recently: https://darknetdiaries.com/episode/98/
|
| (that episode is tied to this book:
| https://www.amazon.com/gp/product/1635576059/ about the topic)
|
| Also, I like that podcast in general - highly recommend it if
| you're into infosec stuff!
| ThisIsTheWay wrote:
| Episode 100 is specifically about NSO and dives deeper into
| Pegasus. Highly recommended listening after episodes 98 and
| 99.
|
| https://darknetdiaries.com/episode/100/
| myself248 wrote:
| That goes very well with this prior episode as background
| info: https://darknetdiaries.com/episode/28/
| staticassertion wrote:
| Exploit development is a skill like any other. Instead of
| learning things like software design patterns, distributed
| systems, software reliability, etc you would have spent time
| learning about memory layouts, OS designs, mitigation
| techniques, decompilers, etc.
| tester756 wrote:
| Here's ranking of top people for this kind of job
|
| https://ctftime.org/
|
| Members of those teams are often Security Engineers at e.g.
| Google, Banks, computer emergency response team (CERT) and so
| on.
| chelmzy wrote:
| They may have purchased it from an exploit broker.
| badRNG wrote:
| Zerodium will pay up to $2,500,000 for no-click
| iPhone/Android exploits [1]. I'm sure they'd only pay that
| much if they were highly confident they have clients who'd
| pay enough to make the risk and investment worth it.
|
| [1] https://zerodium.com/program.html
| [deleted]
| dogma1138 wrote:
| They recruit people who were trained to find exploits, it's
| less about having the best programmers and more about having
| people with a specific set of learned skills and dedicating
| them to this task.
|
| I would be surprised if their core iOS research team is much
| more than 10 or so people at any given time.
|
| They also probably use brokers and buy at least some of the
| exploits they use from freelancers if they offer ~7 figures for
| a zero click exploit a lot of freelancers will be working on
| this too.
|
| It's just like any bug bounty program, internally you run a
| small and dedicated team and externally you pay enough to
| entice freelancers to spend their free time on your systems to
| scale it further.
| diskzero wrote:
| They probably hunt exploits like that, but what is quite likely
| is that they have access to stolen Apple source code and scour
| it for type overruns like the one in CoreGraphics that is the
| cause of this exploit. I would estimate that the majority of
| exploits are the result of source code theft, leaks of
| potential vulnerabilities from people who have access to the
| source code and social engineering. There isn't anything
| particularly special about a "Mossad" trained or "NSA" trained
| hacker. They are engineers like many of us and prefer the path
| of least resistance. Trying to brute force buffer overruns
| without having source code access is tedious. Why go to all the
| effort to black box exploits when you can take advantage of
| source code analysis.
|
| I mentioned in another post about why people would leak to the
| press, when you most likely will get caught and fired. Leakers
| of a different caliber will leak source code to governments and
| companies like NSO and have much less likelihood of being
| caught and much higher remuneration.
| tomc1985 wrote:
| I think it's more that the possibility space for exploits is so
| large that a dedicated force of highly creative reverse-
| engineers is all you need to dig them up.
|
| From what I've heard it can be almost trivial to find them if
| you know what to look for. But it seems that very few people
| know exactly where to look, and fewer still understand how to
| interpret the results.
| belter wrote:
| The NSO group are ex-Mossad who decided working for the
| government does not pay as well as making money out of
| exploits, probably obtained at the highest levels of top secret
| work.
|
| So far, they have been tolerated by the Israeli government as
| they all went to the same schools, all did the armed forces
| service together, and all know each other. This allowed them to
| get a free pass so far. Privately, many of their ex-colleagues,
| are very critical of their lack of ethics.
|
| All this will change, the day some of the NSO exploits will be
| used against Israel, the same way some of the NSA leaked tools
| are now used in the wild.
| Leparamour wrote:
| It wouldn't be too far-fetched to imagine that NSO is running
| malware campaigns against Apple and Google employees.
| walrus01 wrote:
| the high tech industry in Israel is not _that big_. If you
| look at the companies that make COTS microwave and millimeter
| wave telecommunications equipment, they're not too different
| from the other .IL companies which make advanced radar
| systems, jammers, and avionics for aircraft.
|
| I imagine it's similar for black/grey-hat software
| development.
| KoftaBob wrote:
| > So far, they have been tolerated by the Israeli government
|
| Why wouldn't the Israeli government tolerate them? If
| anything, doesn't their government benefit from groups like
| this?
|
| They get access to spy tools that they didn't have to use
| taxpayer money to fund, and because it's former members of
| their own intelligence working on it, they have some
| semblance of influence over how it's used.
|
| Am I missing something?
| cafecitoking wrote:
| Not really. Israel likely openly shares secrets with other
| Five Eyes countries and so it gets a sort of free pass from
| geopolitical pressures. It's a mutually beneficial exchange.
| Additional to the Mossad comment, the Israeli students who
| work for these group take an entrance exam at 17 and that
| recommends them for what's known as UNIT 8200 which is a
| feeder network/NSA clone.
| monocasa wrote:
| Israel isn't part of five eyes.
| badRNG wrote:
| > All this will change, the day some of the NSO exploits will
| be used against Israel, the same way some of the NSA leaked
| tools are now used in the wild.
|
| Has the leak of NSA tools changed anything?
| JumpCrisscross wrote:
| > _Has the leak of NSA tools changed anything?_
|
| Yes. The bipartisan USA Freedom Act limited several aspects
| of the NSA's dragnet [1]. Amendments weakening the bill
| were defeated [2]. Less materially, a documentation
| requirement for § 702 searches of U.S. persons was added
| in 2018 [3].
|
| [1] https://www.eff.org/deeplinks/2014/11/usa-freedom-act-
| week-w...
|
| [2] https://www.eff.org/deeplinks/2015/05/usa-freedom-act-
| passes...
|
| [3] https://www.lawfareblog.com/summary-fisa-amendments-
| reauthor...
| Amezarak wrote:
| I'm skeptical the NSA doesn't just ignore or creatively
| interpret laws it doesn't like, given their past history
| and the consequences for their misbehavior.
|
| I mean when the CIA got busted not only spying on
| Congress a few years ago, but also lying about spying on
| Congress, they were told "don't do that again please."
| ndesaulniers wrote:
| "Not wittingly."
| sneak wrote:
| http://www.hasjamesclapperbeenindictedyet.com/
|
| Statute of limitations has expired, IIRC.
| rodgerd wrote:
| > Are the programmers at NSO group just the best in the world?
|
| Most people who are good at this are working for national
| security orgs, blue team in the private sector, or cash focused
| criminals. This is the relatively small group of people who are
| comfortable selling tools to help dictators hack journalists up
| with saws.
| gerash wrote:
| If you have an organization that can legally hire people, pay
| them a stable salary and legally sell exploits to all sorts of
| people around the world you end up with NSO.
|
| NSA finds exploits for their own mission and Google Project
| Zero researches vulnerabilities to [per their claim] ensure
| internet stays a secure platform but neither of them sell
| exploits for profit like NSO.
|
| So, no, they're not the only "geniuses" out there. They just
| are less ethical about it.
| Thaxll wrote:
| It takes IDA Pro, some low level asm/C++/Python programming
| skills and a lot of hours.
|
| Reverse engineering is not that complicated, however getting
| some results is difficult and time consuming.
|
| In that example it's basically looking at how some libraries
| are parsing input, that's it. Since everything in those phones
| is C/C++, nothing is "safe".
|
| It's the same skills you need to crack games, cheat in online
| games etc ...
| kaladin-jasnah wrote:
| It would be quite difficult if you can't get access to the
| binaries that you have to put into IDA (or, well, Ghidra, for
| that matter, but IDA Pro is probably better).
| saagarjha wrote:
| The binaries are available in OS restore images that Apple
| makes publicly available.
| helge9210 wrote:
| These are ex-military engineers (security researchers).
| Selection starts from the age of 4. By the time they receive
| special training in technological units of the army they
| basically have a CS degree (at the age of 19-20).
|
| > What does it even look like?
|
| Boring. Usually a group of introverted young kids that look at
| their own shoes while talking to you, led by an extroverted
| young kid, that looks at your shoes while talking to you.
| java-man wrote:
| You just leaked that the extrovert is a Finn! (the original
| joke is about a Finnish extrovert).
| yonatank wrote:
| As someone who has some familiarity with the people and
| processes, this response seems extremely off to me.
|
| > Selection starts from age of 4
|
| Care to share your sources for that? As far as I know most
| are self taught and get some further training in military.
|
| > Boring.
|
| It might be boring to some and might be extremely interesting
| for others. People who like solving puzzles and facing hard
| challenges usually like it. Of course, if your passion is
| building you wouldn't like it as you don't "build" something
| new.
|
| > Usually a group of introverted young kids that look at
| their own shoes while talking to you, led by an extroverted
| young kid, that looks at your shoes while talking to you.
|
| Have you met these people at all? Because it definitely
| sounds like you haven't and you just describe the typecast
| some movie would use.
| helge9210 wrote:
| > Care to share your sources for that?
|
| I'm Israeli.
|
| My children were attending/graduated/served
| kindergarten/school/army in Israel and I saw selection
| process as a parent.
|
| My wife was a school teacher in Israel. She described to me
| some of the evaluation metrics she was supposed to submit
| every half a year over each and every pupil she had.
|
| > Have you met these people at all?
|
| I cannot confirm nor deny I met these people.
| [deleted]
| fragmede wrote:
| One person's boring is another's career culmination.
| Breaking system security often consists of dead end after
| dead end, and even if you get a lucky break, you may hit
| another dead end after that. Finding an exploit often isn't
| enough these days, they need to be chained together to
| actually get somewhere interesting. Personally, it's very
| unrewarding (aka boring, imho) work most of the time
| because you don't find anything a lot of the time. (The
| high off of finding something is something else tho, lemme
| tell you.) If you're interested in the sort of work
| involved, http://microcorruption.com is a good CTF to start
| out on.
| SavantIdiot wrote:
| A lot of times it is just poring over code looking for bugs
| that have already been found in other locations in the code.
|
| For example, this is a use after free bug. You can statically
| analyze disassembled code to find places where this might be
| happening, and then figure out how to exploit that instance of
| the bug.
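The pattern-hunting SavantIdiot and Thaxll describe (scan the disassembly for a known bug shape, then go read the surrounding parsing code by hand) as an added example that is not part of the thread and not anyone's real tooling: a toy Python pass over a constructed Intel-syntax x86-64 listing that tracks which registers still alias a pointer handed to a deallocator and flags later loads through them. The listing itself, the calling-convention assumptions (System V AMD64, rdi as first argument, the usual caller-saved set) and the list of deallocator symbol names are assumptions made for illustration, not facts about iOS binaries or about the exploit in the report.

```python
"""Toy static scan of x86-64 disassembly for use-after-free candidates.

Tracks which registers alias a value that was passed to a deallocator and
flags later memory accesses through any of those registers. Single pass,
single basic block: no control flow, no stack spills, no calls other than
the deallocators. That is enough to triage a function before reading it.
"""
import itertools
import re
from dataclasses import dataclass

# Assumptions for illustration: Intel-syntax listing as IDA/Ghidra would
# export it, System V AMD64 calling convention.
REGS = {"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp"} | {f"r{i}" for i in range(8, 16)}
CALLER_SAVED = {"rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}
ARG0 = "rdi"                                   # first integer argument register
FREE_CALLEES = {"_free", "free", "_CFRelease", "_operator_delete"}  # assumed names
KILL = {"mov", "movzx", "movsx", "xor", "pop", "imul"}              # writes that replace dst
MEM_RE = re.compile(r"\[\s*([a-z0-9]+)")       # base register of a memory operand

# Constructed listing, not taken from any real binary.
SAMPLE_ASM = """
mov rbx, rdi          ; rbx = ctx (callee-saved copy of the argument)
mov rdi, rbx
call _free            ; free(ctx): every alias of rbx is now dangling
mov rax, [rbx+8]      ; use-after-free: read through the freed object
lea rcx, [rbx+16]     ; no dereference, but rcx now points into freed memory
mov rdx, [rcx]        ; use-after-free via the derived pointer
xor rbx, rbx          ; rbx reassigned: its dangling state is killed
mov rdx, [rbx]        ; a null deref perhaps, but not a use-after-free
"""


@dataclass
class Finding:
    line_no: int   # 1-based index among non-blank lines of the listing
    reg: str       # register the access went through
    text: str      # the offending instruction


def parse(raw):
    """Return (mnemonic, [operands]) or None for a comment-only line."""
    text = raw.split(";", 1)[0].strip()
    if not text:
        return None
    parts = text.split(None, 1)
    mnem, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnem, ops


def scan(asm):
    """Flag memory accesses through registers that alias a freed pointer."""
    values = {}                 # register -> abstract value id
    freed = set()               # value ids that were passed to a deallocator
    fresh = itertools.count(1)
    findings = []

    def val(reg):
        return values.setdefault(reg, next(fresh))

    lines = [l for l in asm.splitlines() if l.strip()]
    for no, raw in enumerate(lines, 1):
        parsed = parse(raw)
        if parsed is None:
            continue
        mnem, ops = parsed
        # lea computes an address without touching memory, so it is not a use;
        # every other memory operand whose base aliases a freed value is one.
        if mnem != "lea":
            for op in ops:
                m = MEM_RE.search(op)
                if m and m.group(1) in REGS and val(m.group(1)) in freed:
                    findings.append(Finding(no, m.group(1), raw.strip()))
        if mnem == "call":
            if ops and ops[0] in FREE_CALLEES:
                freed.add(val(ARG0))         # the argument's value is now dangling
            for r in CALLER_SAVED:           # ABI: the callee may clobber these
                values[r] = next(fresh)
            continue
        if ops and ops[0] in REGS:
            dst = ops[0]
            src = ops[1] if len(ops) > 1 else None
            if mnem == "mov" and src in REGS:
                values[dst] = val(src)       # plain copy: same value, same state
            elif mnem == "lea" and src:
                m = MEM_RE.search(src)
                values[dst] = val(m.group(1)) if m and m.group(1) in REGS else next(fresh)
            elif mnem in KILL:
                values[dst] = next(fresh)    # overwritten with something unrelated
            # add/sub etc. are pointer arithmetic: still the same object, keep state
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ASM):
        print(f"line {f.line_no}: access through freed {f.reg}: {f.text}")
```

Two things worth noting about the design. Aliasing is tracked by value identity rather than by register name, which is what makes the `rdi`/`rbx` copy above catch the later read through `rbx` even though `rdi` was the register passed to the deallocator. And a write kills the state only when it replaces the register with something unrelated; pointer arithmetic and `lea` off a dangling base keep it, because the derived pointer still lands in the freed allocation. Real triage would do the same over the decompiler's intermediate representation across basic blocks rather than over a text dump, and every hit still has to be confirmed by hand, since the scan knows nothing about whether the object can actually be reallocated before the use.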
___________________________________________________________________
(page generated 2021-09-13 23:00 UTC)