Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com)

← Back to Stories (view on slashdot.org)

Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com)

Posted by msmash on Thursday August 25, 2016 @06:04AM from the big-brother dept.

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled, here's an alternate source). From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.The Washington Post reports that these "zero-day" flaws were previously used by the governments to take over victims' phones by tricking them into clicking on a link to a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."

31 comments

Min score:

Reason:

Sort:

Richard Stallman right again by JoeyRox · 2016-08-25 06:18 · Score: 5, Insightful

Every time Richard talks about closed-source phones being used to surreptitiously track users' movements, take photos, and listen in on their conversations he sounds like a madman. But he's right.
1. Re:Richard Stallman right again by SadButResolved · 2016-08-25 06:24 · Score: 1
  
  He isn't mad, I'm sure you all will catch up to him at some point, he is just way ahead of you when he talks.
  Hmm, Stalin's wet dream, hmmm, who else would love that kind of power and also gave the telco's immunity to prosecution. Hmm...
  Wouldn't surprise me if you find Soros funds the firm that bought these hacks off the dark web and weaponized them.
2. Re:Richard Stallman right again by npslider · 2016-08-25 06:29 · Score: 1
  
  Closed source, open source, half-way open source - they all have holes the size of the Titanic, and are casing our privacy to sink to the bottom of the ocean. We have burned our life rafts and strapped ourselves to the deck. The problem is our dependence on these "conveniences" we can now not live without.
3. Re:Richard Stallman right again by npslider · 2016-08-25 06:35 · Score: 1
  
  Wouldn't surprise me if you find Soros funds the firm that bought these hacks off the dark web and weaponized them.
  I agree.
  But I have a question: What is Soros' end game? What goal is he striving to reach?
  The dude's old and rich, what gets him out of bed in the morning? I know many say he eats green eggs and evil for breakfast, lunch, and dinner, but to what end?
  I ask, because I do not know, not because I do not believe it.
4. Re:Richard Stallman right again by NatasRevol · 2016-08-25 06:45 · Score: 2
  
  Well, with open source phones, you don't have to do that surreptitiously.
  
  --
  There are two types of people in the world: Those who crave closure
5. Re:Richard Stallman right again by Anonymous Coward · 2016-08-25 08:18 · Score: 0
  
  It is to late for "open source" to be able to improve anything at this moment. The bad actors, both the selfish greedy assholes and the totalitarian bastards, are everywhere. Literally everywhere, in all levels of our society, government and corporations. besides compromising source-code, they can, and will, corrupt design, concepts, architectures, protocols, standards, algorithms, hardware, etc, etc.
  We are at a point were you must assume everything is compromised. The only option is not to entrust really important information to a device that can communicate with the outside world.
  If this sounds paranoid to you, then you have never been a target of a competent secret service and you are apparently of no consequence to anyone important.
6. Re:Richard Stallman right again by Anonymous Coward · 2016-08-25 08:48 · Score: 0
  
  You don't even know the devil's real name, what makes you think you know what he looks like?
7. Re: Richard Stallman right again by Anonymous Coward · 2016-08-25 08:56 · Score: 0
  
  He's evil because he's a "liberal" rich guy, woooooooooooooo :-O ... Tons of rich fckers on right co funding almost every race in America, a straight up propaganda 'news' channel in the form FOX news acting as their mouthpiece. And a few lonely rich dudes on the left and most of Hollywood giving the Dems a fraction what the Republicans got and yet they are 'evil'??? There's no comparison... I hate the Dems and would never vote for them, but this obsession with George Soro by the right is ridiculous...
8. Re:Richard Stallman right again by tlhIngan · 2016-08-25 19:29 · Score: 1
  
  Every time Richard talks about closed-source phones being used to surreptitiously track users' movements, take photos, and listen in on their conversations he sounds like a madman. But he's right.
  Yes, he is. That's why this malware sold for $5 million for 300 installs ($16,667 per install). And Android ones go for practically nothing.
  That's the problem with iOS - Apple can offer a $200,000 bug bounty, which is among the most generous in the business that beats the $25k or $10k offered elsewhere. But even that isn't enough when people are paying MILLIONS for an iOS exploit.
  So yes, iOS sucks because you need to ante up millions of dollars for security holes, and Android is far better because you can get 'em for free.
  Hell, at these rates, the NSA could probably pay off the national debt auctioning off their iOS exploits.
The tipping point by npslider · 2016-08-25 06:24 · Score: 2

The more we depend on technology, the more vulnerable we become to those that use it to erode our freedoms and privacy. I enjoy the benefits of using technology, it has made many things more convenient, and has also stolen more of my time than I care to admit...
It seems though, that now, no matter where you are, and who you are, the leash attached to our connected technology is tied to an increasingly meaner and nastier junk yard dog that is very hungry.
waiter waiter! by Anonymous Coward · 2016-08-25 06:38 · Score: 0

waiter waiter, theres a jew in my freedoms!!!
Convenience for ALL by mi · 2016-08-25 06:39 · Score: 1

Closed source, open source, half-way open source - they all have holes the size of the Titanic, and are casing our privacy to sink to the bottom of the ocean.
Are you trying to say, governments haven't spied on and persecuted opponents before these modern-day conveniences appeared?

The problem is our dependence on these "conveniences" we can now not live without.
We can live without them, but the life will be, wait for it, less convenient.
They make living more comfortable. For everyone — including the spies.

--
In Soviet Washington the swamp drains you.
1. Re:Convenience for ALL by npslider · 2016-08-25 06:52 · Score: 1
  
  Are you trying to say, governments haven't spied on and persecuted opponents before these modern-day conveniences appeared?
  Yes, yes they have. But, never has it been easier. Modern "smart devices" are like having a KGB agent in every home, office, and bathroom.
  
  We can live without them, but the life will be, wait for it, less convenient.
  "Less convenient" these days is fast approaching "Impossible to live without" - practically the definition of addiction.
  
  They make living more comfortable. For everyone — including the spies.
  This makes spying much easier.. for the spies.
2. Re:Convenience for ALL by geek · 2016-08-25 07:05 · Score: 0
  
  Yes, yes they have. But, never has it been easier. Modern "smart devices" are like having a KGB agent in every home, office, and bathroom.
  Mr. Madison, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
3. Re:Convenience for ALL by npslider · 2016-08-25 07:12 · Score: 1
  
  Your microphone has recorded your words.
  Your not really encrypted messages have been stored.
  Your location has been logged.
  Your search history has revealed your preferences.
  This took mere seconds. Agents of old needed days.
  This is progress gentlemen. Embrace it.
Apple Just Released an Update to Address This by lawyer+boy · 2016-08-25 06:46 · Score: 2

http://arstechnica.com/apple/2...
1. Re:Apple Just Released an Update to Address This by Anubis+IV · 2016-08-25 07:22 · Score: 1
  
  It's seriously frustrating how one-sided the reporting is here. Summaries like these blast Apple while failing to state the obvious: that Apple has already patched...
  What's that? They did mention it in the summary?
  Oh. Uhh...what was I complaining about again? What was the point of your post in the first place?
2. Re:Apple Just Released an Update to Address This by lawyer+boy · 2016-08-25 07:50 · Score: 2
  
  The summary didn't have a link to the update and the FA had the update information several paragraphs down from the top. I just wanted to highlight the fact that an update was out there and link to a short announcement that had the relevant information. I did not offer any commentary or complaint as to bias or quality re: the summary.
3. Re:Apple Just Released an Update to Address This by Anonymous Coward · 2016-08-26 01:23 · Score: 0
  
  What was the point of your post in the first place?
  Why does their patching make this less news? Yesterday, this vulnerability was not patched. Today, tomorrow's vulnerability is not patched. There are probably still vulnerabilities like this in your iPhone that are being used against someone, right now. I don't care how this drama applies to Apple because I'm the main character here, not them.
  I know a part of you must understand this. I think we are all in denial. We are provided with a ritual to perform, installing patches, but it protects you against little besides bad ads and crapware. The attacks that change our social structure are only partially addressed by patching rituals. If the government oppressing you is the same one that targeted Martin Luther King, then praying to Jesus would be more useful than patching.
iOS isn't really the problem.. by Anonymous Coward · 2016-08-25 06:52 · Score: 0

"[...] tricking user to click link in SMS" In other words, PEBKAC.
1. Re:iOS isn't really the problem.. by tattood · 2016-08-25 07:22 · Score: 1
  
  PEBKAC? There's no keyboard or chair involved in text messaging. I think you are referring to the ID-10-T error.
  
  --
  WTB [sig], PST!!!
Constitutional Amendment by Anonymous Coward · 2016-08-25 07:14 · Score: 1

Maybe it's time to pass a new Constitutional Amendment:
1. Requires all government agencies (public or secret) to disclose all vulnerabilities known or discovered; immediately to the vendor of the product, and after 30 days to the public at large.
2. Requires the government to immediately break all treaties with countries whose government policy AND practice does not include #1.
1. Re:Constitutional Amendment by jfdavis668 · 2016-08-25 08:29 · Score: 1
  
  Which countries constitution are you referring to?
Remeber when... by OfficeLackey · 2016-08-25 07:37 · Score: 1

Remember back in the day when law enforcement abided by laws and followed evidence using people called "detectives" to prevent or solve crimes. No wonder reruns of The Shield, Law and order and all those CSI shows don't make sense to my kids.
1. Re: Remeber when... by Anonymous Coward · 2016-08-25 10:48 · Score: 0
  
  The shield is about corrupt detectives, csi contributes to juror sleuthing(no way, they totally can recover dna from a burnt cigarette butt if they thought it was arson), like law and order major crime s with vincent donofrio and eames
correction: click on a link \*in\* a text message by blibbo · 2016-08-25 08:56 · Score: 1

... Pedantic, but it effects the readability and meaning (mistake in summary not article).
keeping pace with government trends by Anonymous Coward · 2016-08-25 10:42 · Score: 0

Some us gov agencies heaved crackberries for iphones so someone is casting a wide net perhaps
One word: Replicant by Ungrounded+Lightning · 2016-08-25 11:03 · Score: 1

Replicant
Android. Fork of Cyannogen Mod that is fully Open source. Even the drivers and firmware. Latest phone supported is the international version of the Galaxy S III (I9300) (2G and 3G but no 4G LTE). (Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.)
Stable release is a couple years old (4.2) due to thinning of the development crew. But the project got new blood (post-Snowden) and a 6.0 port (for the 19300 so far) is in alpha.
Some devices (WiFI, Bluetooth, user-facing camera) require closed firmware, which you can load separately. (It's supported but not distributed with the base distribution.
Some (3-D graphics acceleration, GPS) are just not supported. (Use 2-D graphics and, if you really want your phone to know where you are, a plugin GPS device based on a different chip.) GPS is not supported because the phone's GPS chip also requires a proprietary CPU-land driver, which is an open-source no-no.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Same model NAME! by Ungrounded+Lightning · 2016-08-25 11:05 · Score: 1

Latest phone supported is the international version of the Galaxy S III (I9300) ... Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.
The same model NAME on a different device. Model number is different, which is how you tell for sure you got the right one.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Re:One word: Replicant by farble1670 · 2016-08-25 11:17 · Score: 2

"Replicant is a fully free Android distribution running on several devices ...
Several? Wow.
Curious though how you think the fact that it's OSS means it won't have any zero day flaws. Because, the OSS community is spending it's nights and weekends statically analyzing this particular OSS project?

Some (3-D graphics acceleration, GPS) are just not supported. (Use 2-D graphics and, if you really want your phone to know where you are, a plugin GPS device based on a different chip.) GPS is not supported because the phone's GPS chip also requires a proprietary CPU-land driver, which is an open-source no-no.
No 3-d graphics? No GPS? Plugin a GPS dongle? The awesomeness continues.
If you are an interesting person by AHuxley · 2016-08-25 13:39 · Score: 1

What are you still doing using an Apple product years after PRISM?
The cost of collect it all access is down from NSA, GCHQ budgets to been per case cheap for a city, state or local gov task forces.
If you have to have a new cell phone to be part all local culture, be seen with it as a no battery fashion accessory.
A never powered decoy phone seen in surveillance images could induce a sneak and peak investigation uncovering gov interest that the phone.
Tracking a networked phone is easy nationally, having a van or car drive up and team enter a home to find a mystery phone is more difficult to hide in very closed communities. A few strangers that don't fit the area at the front door with "keys", down the side of a home or in the back yard will often not go unnoticed by the local community.
Too many contractors, ex mil, ex gov staff have the keys to phone networks and consumer grade telco ready OS's.
The ability to push malware, track from servers is a great service to rent per investigation to any level of city, state, federal government.

--
Domestic spying is now "Benign Information Gathering"