Pegasus scandal

I’m curious to know what are the views and opinions of TidBITS and its community concerning the Pegasus scandal, where some nations are able to apparently take over an iPhone just by sending an iMessage?

I read some opinion pieces that argue that Apple’s security philosophy has become a burden to its users. Indeed I just don’t know what’s going on on my phone…

I tried once a utility called something like ‘Battery Monitor’ that was able to display a list of running processes (much like unix ‘top’) but it seems to have disappeared…

I’m not quite sure what you’re looking for, but I think it’s safe to say that if a nation-state wants to target you personally, they’re going to be able to do so with hacks that would never be wasted on the hoi polloi.

The fact that it’s possible for a nation-state to take over an iPhone with a message shows just how important it is that Apple focus on security—it’s not good that this exploit is possible, but at least it’s limited to nation-states and not something that garden variety criminals can use.

I wouldn’t stress about the news, which is why we didn’t cover it—no one who reads TidBITS is likely in this situation (and only getting information from us) and there’s nothing that everyday users can or need to do to protect themselves. It just feeds the paranoia flames.

Finally, I don’t think that seeing a process list of what’s running on your iPhone would make any difference in your security. This is extremely complicated stuff, and not the kind of thing that people like us are going to be able to figure out by simply looking at a list of processes.

4 Likes

Yes, it is fairly complicated indeed… Amnesty International has written about their analyses of iTunes backups, but it could be useful for sufficiently geeky people to know what is actually running.

1 Like

I agree with @ace. I don’t think it will directly affect me, but it is of critical importance to anyone who is politically active - especially if you are on the unpopular side of a major issue. We know that many journalists have been targeted by major governments - both friendly and hostile alike - for reporting things that these governments don’t want published.

According to The Guardian article, some governments (like Mexico and the UAE) are monitoring many thousands of numbers with this tool.

I’m actually quite surprised that the report didn’t indicate any significant number of targets in the US and Canada. I don’t know if this is real or just the limits of what the reporters could discover. I find it impossible to believe that these countries wouldn’t want to monitor at least some Americans and Canadians.

For most of us, I think the big news is that this is a major wake up call for Apple. Hopefully they will soon be able to find and fix the bugs that have been exploited because any security hole, once known to exist, will eventually be exploited and not only by government intelligence agencies.

1 Like

I thought I read somewhere that the hack would not work for people with a +1 phone number (USA) but that they are vulnerable when they use phones overseas or change SIMs there. I have no idea why that would be the case, though. Is there a different format we use for messaging (the break-in is through a text message) here?

That the hack doesn’t work with American mobiles is probably an imposed limitation by NSO. Apparently there are no Iranian numbers on the leaked list either. (And I’ve read there are actually a few American landlines on the list, whatever that means).

My issue here is I know that if one uses some network (air, Internet, mobile phone, etc) a nation-state can always find a way to eavesdrop (hence the importance of encryption, etc.).

What I found most shocking is that they can do things with your phone you yourself cannot. Your phone is effectively jailbroken at a distance by someone else without you knowing it. This is why I referred to Apple’s security philosophy…

But I agree with @Shamino that I hope that this a wake-up call to Apple!

PS. The Amnesty International report is not very clear about this, but it seems that for the zero-click attack to work they have to modify something in the cellular network, which is of course difficult for individuals.

It’s worth keeping in mind that Apple is getting all of the attention even though Android is also vulnerable. But everyone expects Android to be vulnerable so that’s not worth a headline.

It’s also worth keeping an eye on things like this because ‘nation-state’ this year is ‘advanced crooks’ next year, and ‘script kiddies’ the next. Apple needs to start collaborating with other security people better instead of keeping everything in house, and they definitely need to stop being so stingy and erratic with their bug report awards. They also need to expand on providing security updates for older OSes.

2 Likes

The best attacks are used sparingly to put off their discovery. If the Pegasus attack was used widely it would have been discovered earlier. When someone, especially a nation-state, has a very sophisticated attack, they hold it close to their vests.

1 Like

That’s indeed what I would do! So then the new question becomes, why do we all know this by now? Who leaked and why?

On my garden shed is a combination lock that can be opened with a thin piece of metal shoved between the combination wheels. However, it’s probably pretty safe because I don’t think it’s worth the thief’s time and energy to break into the lock to snarf some tomato cages.

A phone contains a lot of valuable information. It has who you’ve been talking to. It knows where you’ve been. It knows where you hide. And if you’re a high enough profile figure, that information could be worth billions to someone. You need way more than a combination lock to keep that info safe.

Apple pays bug bounties as high as $1,500,000 — at least publicly. Imagine finding a bug and deciding taking it to Apple for a million and a half is just too low.

It is rumored that NSO pays tens of millions for a security hack. It also hires programmers and other tech specialists that do nothing but hunt for hacks.

I imagine for a state actor, spending tens of millions to take down a top dissident is well worth the payment. And NSO has thousands of people who are targeted by their Pegasus software. It is apparently a lucrative business and I bet there isn’t a whole lot of competition. There aren’t that many high tech experts with zero scruples out there.

Apple just released a patch they hope will stop Pegasus. At least for now. However, certain state actors are willing to pay millions to break into iPhones, so this won’t be the last story.

2 Likes

“Apple pays bug bounties as high as $1,500,000 https://www.wired.com/story/apple-hacker-iphone-bug-bounty-macos/ — at least publicly. Imagine finding a bug and deciding taking it to Apple for a million and a half is just too low.”

The actual stinginess of paying up (e.g. Michael Tsai - Blog - More Trouble With the Apple Security Bounty ) is only a part of the problem. Legitimate security people aren’t going to sell to the highest bidder anyway. But because Apple is known to be stingy and often a hassle to deal with, many people who discover serious bugs don’t do more than send a report to Apple. It takes a considerable amount of time (weeks to months) to fully document a problem and prove that it’s exploitable. If you add on top the work it’s likely to take to get Apple’s attention, and then get past the ‘oh, that’s not really a problem’ stage, it’s more than fair to be paid for that time. Few people can afford to spend weeks or months of unpaid labor for one of the richest companies on the planet. Because Apple’s reputation is poor, and because Apple doesn’t provide much if any help to researchers in the form of toolkits and special access, a lot of legitimate security researchers don’t spend much time on iOS bug hunting at all.

I’ve seen nothing about such a patch yet. It wasn’t mentioned here nor in any of the security discussions I read daily. They have patched past versions, but I doubt they’ve had time to react to the latest reports unless they were warned in advance of publishing. Would appreciate reference if you still have it.

I wish I lived in a world where 1.5 million dollars is not worth my time. :slight_smile:

It was announced as part of their last security patch: CVE-2021-30789 was a reserved patch recently issued to Apple. This is a fairly new CVE, and it’s reserved with no description. It fixed a CoreText vulnerability with bad font files that allowed for arbitrary code execution. Of course, no one is sure exactly what NSO used for the exploit.

There have been exploits of iMessage before. One issue is that the messages are encrypted end-to-end, which means Apple is unable to see if there is an exploit in the message. Another issue is that iMessage is way more complex than you realize and uses processes like unArchiver and various other processes that contain a lot of cruft that have previously been exploited. There was an earlier exploit found last year. There’s a YouTube video explaining that one and how they found the exploit.

Both Apple with iOS and Google with Android take exploits seriously, and fix them as fast as possible. The old days of an Apple exploit being around for a couple of years is long gone. The problem is as software gets more complex. I’m sure state actors (and NSO) have their backup exploits all planned out if whatever they used to use got fixed.

1 Like
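The CoreText fix discussed above is described only as a bug in parsing bad font files. As an added example (my own code, not Apple’s, not the NSO exploit, and not a reproduction of CVE-2021-30789), here is a minimal sfnt/TrueType table-directory parser in C that shows one classic way a font parser’s bounds check goes wrong: the check `offset + length > size` wraps in 32-bit arithmetic, so a hostile record is accepted and the parser would then read far outside the buffer. The hardened version beside it checks each operand separately. The 32-byte font buffer is constructed for this example; the header layout follows the public OpenType table-directory format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Big-endian field readers/writers for the sfnt header and table records. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* OpenType table directory: a 12-byte header whose bytes 4..5 hold numTables,
 * followed by numTables 16-byte records: tag, checksum, offset, length. */
#define HDR_LEN 12
#define REC_LEN 16

/* Naive parser: accepts a record if "off + len" fits in the file. Both fields
 * are uint32_t, so the sum wraps on a hostile record such as off=28,
 * len=0xFFFFFFFC (sum = 24) and the record is accepted; a real parser would
 * then read about 4 GB past the end of the buffer. This demo only counts the
 * records it would accept and never touches table data, so it stays UB-free.
 * Returns the number of accepted records, or -1 if the directory is rejected. */
int count_tables_naive(const uint8_t *font, size_t size) {
    if (size < HDR_LEN) return -1;
    uint16_t n = be16(font + 4);
    if ((size_t)n * REC_LEN > size - HDR_LEN) return -1;
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = font + HDR_LEN + i * REC_LEN;
        uint32_t off = be32(rec + 8), len = be32(rec + 12);
        if (off + len > size) return -1;   /* BUG: off + len can wrap */
        accepted++;
    }
    return accepted;
}

/* Hardened parser: same layout, but the range check subtracts instead of
 * adding, so neither comparison can overflow. */
int count_tables_checked(const uint8_t *font, size_t size) {
    if (size < HDR_LEN) return -1;
    uint16_t n = be16(font + 4);
    if ((size_t)n > (size - HDR_LEN) / REC_LEN) return -1;
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = font + HDR_LEN + i * REC_LEN;
        uint32_t off = be32(rec + 8), len = be32(rec + 12);
        if (off > size || len > size - off) return -1;
        accepted++;
    }
    return accepted;
}

/* Constructed 32-byte "font": header, one 'cmap' record, 4 bytes of data.
 * malicious=0 gives a well-formed record (offset 28, length 4); malicious=1
 * keeps offset 28 but sets length 0xFFFFFFFC so offset+length wraps to 24. */
size_t build_font(uint8_t out[32], int malicious) {
    memset(out, 0, 32);
    put32(out, 0x00010000u);                                 /* sfnt version */
    out[4] = 0; out[5] = 1;                                  /* numTables = 1 */
    memcpy(out + HDR_LEN, "cmap", 4);                        /* tag */
    put32(out + HDR_LEN + 8, 28);                            /* offset */
    put32(out + HDR_LEN + 12, malicious ? 0xFFFFFFFCu : 4u); /* length */
    memset(out + 28, 0xAA, 4);                               /* table payload */
    return 32;
}

/* Wrappers so both parsers can be compared on the same constructed input. */
int demo_naive(int malicious) {
    uint8_t buf[32];
    size_t n = build_font(buf, malicious);
    return count_tables_naive(buf, n);
}
int demo_checked(int malicious) {
    uint8_t buf[32];
    size_t n = build_font(buf, malicious);
    return count_tables_checked(buf, n);
}

int main(void) {
    printf("benign   : naive=%d checked=%d\n", demo_naive(0), demo_checked(0));
    printf("malicious: naive=%d checked=%d\n", demo_naive(1), demo_checked(1));
    return 0;
}
```

Both parsers accept the benign file. On the hostile record the naive parser reports 1 accepted table (the wrapped sum 24 passes the check), while the hardened parser rejects the file with -1. The same subtract-instead-of-add pattern applies to any length-prefixed binary format, not just fonts.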

Privacy died several decades ago. It’s likely been dead since WWII and certainly during the Cold War. The ABC agencies have a ridiculous amount of data they collect. It’s gotten worse since the Patriot Act and the NSA databases are now accessible by approximately 13 intelligence agencies under Obama’s administration. An additional post 9/11 measure to help agencies collaborate on stopping terrorists.

The ABC agencies also collect security exploits known as Zero-Days because no-one knows about the flaws. They keep them for when they need them to hack an intelligence target. Companies like the Israeli one also collect these exploits and sell products to law enforcement and government agencies. US companies such as Peter Thiel’s Palantir work mainly for law enforcement and the ABC agencies as well as the US military. If you read the Lord of the Rings novels you know that a Palantir is a seeing stone much like a crystal ball. Use your imagination on the sorts of services and products they provide.

I remember RIM / BlackBerry being proud they won the Saudi Arabian contract and the CEO storming off the news set when the reporter asked him about clandestine back doors within RIM’s data centers. Something the Saudis would certainly want so they could spy on their citizens. The CEO blubbered and stormed off the set saying it was a matter of national security. So was RIM providing the governments of Canada and the USA with access to their supposedly secure back channels they claimed even they could not access? Did they have the master encryption keys to allow everything to be decrypted? Did RIM lie about their security? Was RIM going to provide those keys to the Saudis as well, albeit in Saudi-run data centers not the Canadian ones? Google was caught trying to win a contract with the CCP to help them spy on their civilians. Google employees protested it. A recent story indicated the FBI via a shadow company created their own smartphones and sold them to international criminals around the world with the promise they were extra secure. They wanted to do it in the USA but the DOJ said it was not legal. They rounded up over a thousand organized criminals around the globe in cooperation with Interpol, etc., etc., etc.

Why do you think the US ABC agencies are so pissed off at Edward Snowden? He is a whistle blower who revealed how the NSA could access any smartphone and most computers as well as network kit with ease. Microsoft, Apple, Google, Cisco, etc. all had to find the flaws and patch them. Microsoft’s SMB v1.0 exploit was ridiculously bad and had been known since forever by the NSA. It was so bad they actually released a patch for WinXP years after they said they would release no more patches.

There’s not much you can do except go off the grid entirely. We are completely at the mercy of our governments to do the right thing.

I think it’s because he’s a traitor, a defector, a thief, a liar, and a coward. But I admit to having a bias. Service Medallion, Obverse and Reverse | On this 20th annive… | Flickr

2 Likes

I’m not so shocked by the attempts from all sides to hack things or snoop on communications, that seems to be the way it is. But what I think does merit some discussion is Apple’s security philosophy for iOS (and iPadOS, and maybe macOS also, I’m a couple of updates behind). On a Mac one reigns (in theory) sovereign. As a superuser I can peek and poke wherever I want (if only I knew what to do with this power). On an iOS device, however, we cannot but trust Apple. So far my idea was that if I cannot get into my phone, it will be even harder for someone else (if someone gets into my Mac, it is probably due to some security lapse by myself). But the Pegasus scandal shows that Apple cannot guarantee their (implicit) promise. So in the end wouldn’t we be better off with a more ‘open’ device?

Have you read Apple’s Platform Security Guide?

https://support.apple.com/guide/security/welcome/web

It’s extremely useful and fairly detailed, but the reason I bring it up is that I think it shows just how mind-bogglingly complex security systems are. I just can’t believe that 99% of Apple users would be able to understand even the Platform Security Guide, much less be able to evaluate what’s happening on an Apple device at an extremely low level (and interested enough to bother).

If you don’t trust Apple, you shouldn’t buy Apple devices, and the same goes for Google and Microsoft and Amazon. The best operating system for someone who doesn’t trust anyone is probably some flavor of Linux.

2 Likes

@ace Well, I do have a couple of Linux machines, but I confess I trust them even less than my Apple things… I don’t do financial things on them, for instance. From what I understand, achieving a zero-click hack is not so easy even for NSO. But my question still is whether it is a good philosophy to relinquish all control… (A bit like this right-to-repair discussion that’s going on elsewhere)