MacRumors

macrumors bot
Original poster
Apr 12, 2001
62,950
29,653


Journalists, lawyers, and human rights activists around the world have been targeted by authoritarian governments using phone malware made by Israeli surveillance firm NSO Group, according to multiple media reports.

An investigation by 17 media organizations and Amnesty International's Security Lab uncovered a massive data leak, indicating widespread and continuing abuse of the commercial hacking spyware, Pegasus, which can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.

The leak contains a list of over 50,000 phone numbers that are believed to have been identified by clients of NSO as possible people of interest. Forbidden Stories, a Paris-based nonprofit media organization, and Amnesty International had access to the leaked list and shared that access with media partners as part of reporting consortium the Pegasus project. Forensic tests on some of the phones with numbers on the list indicated that more than half had traces of the spyware.

The company behind the software, NSO, denies any wrongdoing and claims its product is strictly for use against criminals and terrorists, and is made available only to military, law enforcement and intelligence agencies.

In a statement given to media organizations in response to the Pegasus project, NSO said the original investigation which led to the reports was "full of wrong assumptions and uncorroborated theories."
NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.
In an earlier version of the spyware, surveillance activity depended on the phone user clicking on a malicious link sent to them in a text or email (so-called "spear-phishing"). However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.

For example, Amnesty's Security Lab and Citizen Lab found an iPhone running iOS 14.6 could be hacked with a zero-click iMessage exploit to install Pegasus.


Meanwhile, media organizations involved in the project plan to reveal the identities of people whose number appeared on the list in the coming days. They are said to include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials. Disclosures which began on Sunday have already revealed that the numbers of more than 180 journalists are already known to be among the data.

WhatsApp sued NSO in 2019 after it alleged the company was behind cyber-attacks on thousands of mobile phones involving Pegasus. NSO denied any criminal wrongdoing, but the company has been banned from using WhatsApp.

Update: Apple has provided the following statement condemning the use of the zero-click exploit against journalists, lawyers, and human rights activists to The Guardian.
In a statement, the iPhone maker said: “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”

Apple also said that security was a dynamic field and that its BlastDoor was not the end of its efforts to secure iMessage.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” it said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Article Link: Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6

swm

macrumors 6502a
May 29, 2013
505
833
a game of cat and mice. as it always has been.
it would be good to take back the power of absolute surveillance - what arrived with the era of personal electronic communication devices - from the 'good' guys, as no matter what, it is always misused
 

_Spinn_

macrumors 601
Nov 6, 2020
4,856
10,040
Wisconsin
Hopefully Apple can patch this quickly.

Edit: Seems like this is able to break through BlastDoor sandbox introduced in iOS 14


Possibly through automatic attachment parsing.


As of right now it sounds like no one is exactly sure how this exploit works so it will probably take Apple a while to fix it.

Even though I’m not a high profile target I’ve blocked the known domains with pi-hole for now with this list:

Code:
https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt
 
Last edited:
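
An added example, not part of the post above: blocking a domain list in Pi-hole only covers future lookups, so it is also worth checking the existing query log for devices that already resolved a listed name. The sketch assumes Pi-hole's dnsmasq-style query log lines; the indicator names and log lines are constructed placeholders, not entries from the linked list.

```python
import re

# Constructed stand-in for the indicator list (one domain per line).
# Real entries would come from the domains.txt URL quoted in the post.
SAMPLE_LIST = """\
# constructed placeholder indicators
bad-cdn.example
tracker-node.example
"""

# Constructed log lines in the dnsmasq format Pi-hole writes to its query log.
SAMPLE_LOG = """\
Jul 19 08:15:02 dnsmasq[1234]: query[A] www.apple.com from 192.168.1.20
Jul 19 08:15:07 dnsmasq[1234]: query[A] img.bad-cdn.example from 192.168.1.31
Jul 19 08:15:07 dnsmasq[1234]: gravity blocked img.bad-cdn.example is 0.0.0.0
Jul 19 08:16:40 dnsmasq[1234]: query[AAAA] TRACKER-NODE.example. from 192.168.1.31
Jul 19 08:17:11 dnsmasq[1234]: query[A] notbad-cdn.example from 192.168.1.20
"""

# Only "query[...]" lines carry the requesting client; replies are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[\w-]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def load_indicators(text):
    """Parse the list: strip comments, blanks, case and trailing dots."""
    names = (l.split("#", 1)[0].strip().lower().rstrip(".")
             for l in text.splitlines())
    return {n for n in names if n}

def matched_indicator(name, indicators):
    """Return the listed domain that equals `name` or is a parent of it.
    Matching is per DNS label, so 'notbad-cdn.example' does not match
    'bad-cdn.example' the way a plain substring search would."""
    labels = name.lower().rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in indicators), None)

def find_hits(log_text, indicators):
    """Return (timestamp, client, queried name, indicator) per matching query."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        ind = matched_indicator(m["name"], indicators) if m else None
        if ind:
            hits.append((m["ts"], m["client"], m["name"], ind))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, load_indicators(SAMPLE_LIST)):
        print(*hit)
```

A hit identifies which client on the network made the lookup and when, which is the starting point for examining that device.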

swm

macrumors 6502a
May 29, 2013
505
833
read the actual article. these kinds of attacks use DGA domain names (the domain is generated, registered, and SSL cert is automatically generated), which can be easily identified on DNS server side, and name resolution for that URL can be blocked. the oDoH mechanism in Apple Private relay can protect your back in this regard.
also EFF can do - actually they do - a lot about it by also refusing to issue certificates for DGA FQDNs.
 

orthorim

Suspended
Feb 27, 2008
733
350
Apple's only got itself to blame.

iMessage was a festering cesspit of vulnerability since they added all this nonsense, emojos, apps (!!!) - well adding apps and an app API to your messaging is a guaranteed way to open it up to all sorts of vulnerabilities

apple has massive problems that are built into iOS and Mac OS, that are non-fixable:

- Video player with thousands of features and a multiple decades old codebase - this is going to have enough zero days for the next 100 years

- iMessages, wantonly compromised by features nobody is using, since they're all walled garden features relying on network effects, therefore all doomed to fail. There was no reason to do this. Just show the text. Add images. Done.

- FaceTime - likely has endless vulnerabilities as well, like QuickTime

And many others - there's so much stuff they're building that's a security disaster from the get go.

I have followed the "security related updates" for the past few iPhone updates, and it's pretty shocking, yet not surprising, as each one of these point updates fixes 10, 20, or even 30 zero day exploits.

millions left to go.
 
Just upping a version number doesn't mean the problem is fixed.
What does that have to do with any of it? Changing the build number is not going to magically fix this exploit
It’s not just about changing the build number. I’m sure Apple will patch it right away.
 

Unggoy Murderer

macrumors 65816
Jan 28, 2011
1,132
3,877
Edinburgh, UK
Biggest culprit here is apple for sure. They have responsibilities here and should have been on top of it.

the company that produces this software must be freaking geniuses
Apple don't have infinite resources, and in infosec, there's always someone smarter out there who'll be willing to try and break into your system - it is impossible for a system to be perfect.

You can bet that Apple will be doing everything they can to resolve it soon - that's the responsibility.
 

orthorim

Suspended
Feb 27, 2008
733
350
In addition to iMessage, are there any other messaging systems that are targeted? Say WhatsApp / Telegram / Signal? Since not many people outside the United States use iMessage.
As explained above iMessage is the only one of these that's an intentionally designed security disaster.

The others have images, video, basic stuff and are likely only vulnerable to OS level video player exploits.

iMessage has a huge amount of features and even an app API - like every single security researcher in the world surely was doing, I was also facepalming myself when I first heard about the feature set - it's a few years ago now that this came out, iOS 11 maybe? Not sure. iMessage needs to remove all these dumb features again.
 

orthorim

Suspended
Feb 27, 2008
733
350
Apple don't have infinite resources, and in infosec, there's always someone smarter out there who'll be willing to try and break into your system - it is impossible for a system to be perfect.

You can bet that Apple will be doing everything they can to resolve it soon - that's the responsibility.
I don't like blaming people but in this case, it's all on apple

- They DO actually have infinite resources with 200Bn USD in the bank

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example. Apple has really good engineers working there, I am 100% sure some of them spoke up and said "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this." but they were outvoted by the marketing monkeys ("this will sell more iphones")

- Their software process is antiquated and wasn't good when it was first invented sometime in the 80ies. That's why Avi left.
 

orthorim

Suspended
Feb 27, 2008
733
350
PS because it was mentioned above - I've been living in SE Asia the last 10+ years and nobody here uses iMessage. Lots of Android devices, iPhone came later, so traditionally it's all Line (which was lightyears ahead of iMessage back in the day, also worked on Android), WhatsApp and FB messenger.

A messaging app is best when you can message everyone you know.

Number of locals who only know people with iPhones - tending to zero.
 

Compile 'em all

macrumors 601
Apr 6, 2005
4,130
323
iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.
99% of the 50,000 journalists/individuals on this list have ALREADY been hacked, many of them already imprisoned, some even killed.

How does patching this exploit help them? Apple has to do much better. Security/Privacy is literally one of the main reasons Apple markets as a reason to get an iPhone. They are lying.
 

One2Grift

Cancelled
Jun 1, 2021
609
546
I don't like blaming people but in this case, it's all on apple

- They DO actually have infinite resources with 200Bn USD in the bank

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example. Apple has really good engineers working there, I am 100% sure some of them spoke up and said "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this." but they were outvoted by the marketing monkeys ("this will sell more iphones")

- Their software process is antiquated and wasn't good when it was first invented sometime in the 80ies. That's why Avi left.
They don’t have infinite resources, that’s just a bizarre statement.

Software vulnerabilities happen, it is a fact of life. Yes, a company must patch them ASAP. Apple has been excellent at keeping vulnerabilities to an extreme minimum and patching them quickly. But if they knew about this one sooner and didn’t patch it, then there is a problem.

Since both Microsoft and Google have infinite resources based upon your bizarre math, you must be furious at them given malware numbers for them.

Wando64

macrumors 68020
Jul 11, 2013
2,100
2,625
In addition to iMessage, are there any other messaging systems that are targeted? Say WhatsApp / Telegram / Signal? Since not many people outside the United States use iMessage.

…nobody here uses iMessage.

“However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.”
“can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.”

It is irrelevant whether you use iMessage or not, as long as it is installed on your phone.

Unggoy Murderer

macrumors 65816
Jan 28, 2011
1,132
3,877
Edinburgh, UK
I don't like blaming people but in this case, it's all on apple

- They DO actually have infinite resources with 200Bn USD in the bank

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example. Apple has really good engineers working there, I am 100% sure some of them spoke up and said "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this." but they were outvoted by the marketing monkeys ("this will sell more iphones")

- Their software process is antiquated and wasn't good when it was first invented sometime in the 80ies. That's why Avi left.
You obviously have no idea how the real world works. I'm sure even if Apple spent every cent of that $200b, there would still be an exploit somewhere (or one inadvertently created) that someone will find and use. It's human nature, nobody is perfect, and perfection is near enough impossible.

There are potentially up to 100m lines of code in iOS / macOS, then hundreds (maybe thousands) of engineers. How could that be choreographed in the real world to be perfect? Spoiler: it's impossible.

If Apple didn't have all of these new features, who would buy the phone? If you want a phone that has security as a #1 feature priority, then go and find another vendor.

I'm fully confident in Apple's ability to secure their devices from the vast majority of attacks - this new exploit is obviously exceptionally well researched and funded far beyond the capabilities of "normal" attackers.
 