Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack

[laz232]

The current Iraqi and Afghan government agree with the war on terror and aid the US. The prior governments, of a deposed leader and a relatively lawless country, respectively, didn't meet your current ideals.

You may want to re-read history and look who kept Saddam Hussain in power and provided him with weapons: hint the USA. See also: the Taliban in their fight against the USSR.

Post Iraq war 2 and post Taliban the government is effectively a puppet of the USA - note the size of the US "embassy" in Iraq "At 104 acres (42 ha), it is the largest and most expensive embassy in the world... over ten times the size of the U.S. Embassy in Beijing, which is the third largest U.S. diplomatic mission abroad."

 

[0388631]

You may want to re-read history and look who kept Saddam Hussain in power and provided him with weapons: hint the USA. See also: the Taliban in their fight against the USSR.

The US supplied Iraq during the Iran-Iraq war. Soon after the war, Iraq was unable to pay back loans and really didn't want to. They half-assed an invasion into Kuwait which triggered the first Gulf War. The CIA trained and gave weapons to Colombian paramilitaries who later formed FARC. Today FARC is considered a terrorist group. What's your point? That once an ally must always be an ally? No. That's not how it works. Iran was our ally, too. Look what happened. Don't try to teach me about history when you know nothing.
[doublepost=1563626468][/doublepost]

Post Iraq war 2 and post Taliban the government is effectively a puppet of the USA - note the size of the US "embassy" in Iraq "At 104 acres (42 ha), it is the largest and most expensive embassy in the world... over ten times the size of the U.S. Embassy in Beijing, which is the third largest U.S. diplomatic mission abroad."

There is no post-Taliban. The Taliban is as active and vibrant as ever. The Taliban has sat down with US Military leaders to cease their overt activities. Once we leave Afghanistan, the Taliban will take over in the ensuing power vacuum. The current Afghan army is poorly trained despite having receiving training from the US and UK. They have equipment, which corrupt officers sell to the Taliban. The US has limited jurisdiction in Afghanistan these days.

The US embassy in Iraq has staff from various allied nations, not just Americans. Most non-essential staff were asked to leave not long ago due to threats from Iran. These non-essential staff have yet to return.


https://nypost.com/2019/05/15/us-orders-non-essential-embassy-staff-to-leave-iraq/

 

[haruhiko]

Or, how about use by Western Democracies to track and place whistleblowers in jail? Whatever you may think of the specifics in, for example, https://en.wikipedia.org/wiki/Russ_Tice, https://en.wikipedia.org/wiki/William_Binney_(intelligence_official), https://en.wikipedia.org/wiki/Chelsea_Manning
One has to be completely blind and naive to believe that governments always act in the best interests of it's citizens - even in the USA / Europe.

Yes, I was about to mention the poor Mr. Manning.

 

[0388631]

Yes, I was about to mention the poor Mr. Manning.

Manning released classified video of a strike. In what world is that okay?

 

[I7guy]

You are sadly mistaken. Literally just this past week were more reports of the NSA wiretapping everday American citizens without warrants - no barriers whatsoever.

I must have missed this in the evening NY Post.

Snowden released thousands and thousands of documents, basically he said any phone in existence can be tapped, cracked and listened in on. It makes no difference who manufactures it. He also recommended uninstalling Facebook and all forms of social media, and up to and including covering microphones and cameras on laptops and smartphones.

We've been conditioned to believe with the snap of the fingers the gov't can hack our phone in a matter of milliseconds. It's a cat and mouse game at this point, but I don't expect my phone to be safe if the gov't takes it. But i'm also not covering my mic and camera.

He released thousands of pages documenting how the microphone has been used by apps even when denied permission or the phone is locked — to spy on you and serve you targeted advertisements.

Maybe things might have changed in the years since he released those documents?

No phone or phone user is safe. It is literally a psychological fallacy designed to keep you with a false sense of security. You cannot have a smartphone and be secure.

That's the psychological fallacy that the government can hack anything, anytime in the snap of their fingers.

 

[wigby]

Not surprised, encryption of iCloud communication and storage has been a frequently mentioned topic. If Apple gets on full encryption, we would all be better off.

If Apple did end-to-end encryption in the iCloud, they would be better off but not the users who lost or forgot their passwords. That's the only reason Apple doesn't go full end to end.

 

[shplock]

Not surprised, encryption of iCloud communication and storage has been a frequently mentioned topic. If Apple gets on full encryption, we would all be better off.

Also, can we talk about how Apple isn’t offering iCloud Mac backups yet? Think of how much $ they are leaving on the table. Actually, I’m shocked they aren’t ready for this yet, they would be raking in the cash from people upgrading their storage to do backups.

That is only a good idea if the user has a decent internet speed and even then the upload speed will be a lot slower than the download speed.
It is bad enough uploading to iCloud for my documents, uploading a whole system would take forever even on a fast speed of 200+mb/s.
[doublepost=1563639152][/doublepost]

If encrypted iCloud Mac Backups were available, I would instantly upgrade my iCloud Plan to 1TB. This would be awesome

Only if you have an extremely fast upload speed which most people tend not to have and even then with most systems averaging in the many gigabytes it would take forever.
[doublepost=1563639257][/doublepost]

As they are a company in a fairly western democracy, that will be regularly audited by both government and private regulators and accounting firms, the liklihood of what you're claiming is probably low.

however. One of their customers "leaking" or being hacked ad having it stolen? Probably high.

Like almost all security exploits, once it's discovered by one team, the cat is out of the bag and others will likely follow and repeat the exploit.

except that the article mentions how a Lawyer working on behalf on a client making a complaint against the group got spied upon by the group itself. SO it seems that the likelihood is actually extremely high and the group's claims are pure BS.
[doublepost=1563639413][/doublepost]

What a bold statement, do you have knowledge of each and every country in the world, did you live in other countries for an extended period of time, if so you must be the almighty allknowing god.
Please enlighten us...



Guess what, not all governments suck.

As for the article, I have my doubts, serious doubts.

Read up on what Snowden told us all. Hint: He mentioned the US government.
The notion then that the western democratic free world always acts pure of heart is a falsehood.

 

[grad]

One has to be completely blind and naive to believe that governments always act in the best interests of it's citizens - even in the USA / Europe.

Let me correct that for you.

One has to be completely blind and naive to believe that governments always act in the best interests of it's citizens - even especially in the USA / Europe.

Anyway, the problem is not just evil governments spying on their citizens but spying on the citizens from other countries.

 

[NickName99]

People are overthinking this. It's a security exploit, Apple can patch it like any other security exploit.

 

[bandalay]

By now I think its general knowledge not to upload anything you don't want other to look at to the cloud no matter how "secure" or "encrypted" it is...just a matter of time.



Have you thought that it is not a pleasurable experience to upload 500GB to the cloud, and restore it back down? You are much better off with a USB3 1TB $60 HDD. Not to mention things like cap limit by ISPs.

But then your house burns down, and its all gone-zo…d'oh!

 

[lederermc]

If encrypted iCloud Mac Backups were available, I would instantly upgrade my iCloud Plan to 1TB. This would be awesome

Can you not put your iCloud documents into an encrypted sparse bundle?

 

[coolfactor]

Not surprised, encryption of iCloud communication and storage has been a frequently mentioned topic. If Apple gets on full encryption, we would all be better off.

iCloud data is stored in an encrypted format, but Apple holds the keys to the server-side encryption (not for your device). That's the main concern. We need to move to a model where only the user holds the keys. That requires a completely different architecture, and opens a big can of worms if users were to lose their devices, etc. They'd also lose their data on the server-side.

As a system administrator, I have great admiration for the sheer complexity of what Apple is managing with iCloud. It works extremely well in general practice. These companies and organizations that attempt to break encryption and gain access to data only manage to make Apple look incompetent in the average joe's eyes, but they are not. This is just highly complex stuff and it will always be a cat-and-mouse game.
[doublepost=1563653731][/doublepost]

Guessing Apple hasn't done end to end iCloud encryption, both for the fact that they need to rescue users (probably constantly), but probably also from pressure from the U.S. government (so they can have Apple unlock people's iCloud stuff with a warrant) - remember when the U.S. govt was putting all this pressure on Apple about encryption and then they just basically stopped - guessing a gentleman's agreement took place with Apple saying they wouldn't E2E iCloud if the U.S. Govt backs off.

Don't put up anything into iCloud you wouldn't want to be hauled out into a court of law for any reason. For privacy's sake, just back up locally with encryption (which iTunes still supports) and your good. If your worried about your messaging use Signal or maybe Wickr. JMHO

Let's clear up a few things.

1. Messages/iMessage supports full end-to-end encryption. This is known. It's only when you begin using iMessage in iCloud that the level of protection becomes weakened because now the server needs to participate in the messaging, too. It's essentially another participant that needs to hold the keys to the conversations.
2. All data is fully encrypted on iCloud servers, and encrypted connections are used between all devices (Macs, iPhones, etc.).
3. The issue is that Apple holds the keys to the data stored on iCloud servers, allowing them to de-crypt it at will. The data is still encrypted, though. It's not sitting there in plain-text, readable format. That would be asinine and very irresponsible of Apple.

 

[Omega Mac]

It's always Israel, Russia, North Korea, or China. Why do we let them have access to our communications infrastructure?

You're getting hotter, think about that line up a bit more, current context, all that has gone on... notice anything new?

 

[Crowbot]

You're getting hotter, think about that line up a bit more, current context, all that has gone on... notice anything new?

IJC?

 

[Osamede]

You're getting hotter, think about that line up a bit more, current context, all that has gone on... notice anything new?

Political “donations”. And it’s not new.

 

[jonblatho]

If you use 'Documents in the cloud' then your Mac is effectively backed up already.

I have files on my Mac almost everywhere except the Desktop and Documents folders, which are the only ones supported by iCloud Drive for automatic syncing.

 

[jonblatho]

It's only when you begin using iMessage in iCloud that the level of protection becomes weakened because now the server needs to participate in the messaging, too. It's essentially another participant that needs to hold the keys to the conversations.

Incorrect; the server is never an additional participant in that sense. Messages in iCloud remains end-to-end encrypted (it just uploads and syncs the Messages database) and can only be decrypted with per-device encryption keys. If you have iCloud Backup enabled, those per-device encryption keys are stored in the backup and thus your messages can be decrypted. If you back up locally (or, of course, never back up at all), this isn't the case.

If you don't believe me, reset your iPhone (or other iOS device) and don't restore from a backup, sign into iCloud and iMessage, then watch carefully as your messages never appear. That's because the iMessage encryption key changed when you reset the phone; it can't be used to decrypt the pre-existing messages.

 

[4jasontv]

They avoid lawsuits because they would have to go through a discovery process (mandated by the court) where each side is required to answer detailed questions about the case for the opposing lawyers. Apple would end up revealing a lot of proprietary information.

Also, I don't think that is something they really want tested in court. All you need is a judge to say "people can do whatever they want with things they buy" and suddenly the "made for iphone" badge becomes a lot less compelling.
[doublepost=1563669473][/doublepost]

I have files on my Mac almost everywhere except the Desktop and Documents folders, which are the only ones supported by iCloud Drive for automatic syncing.

People who have icons on their desktop give me anxiety. Apple should not be encouraging people to leave documents on their desktop.

 

[fairuz]

You are sadly mistaken. Literally just this past week were more reports of the NSA wiretapping everday American citizens without warrants - no barriers whatsoever.

Snowden released thousands and thousands of documents, basically he said any phone in existence can be tapped, cracked and listened in on. It makes no difference who manufactures it. He also recommended uninstalling Facebook and all forms of social media, and up to and including covering microphones and cameras on laptops and smartphones.

He released thousands of pages documenting how the microphone has been used by apps even when denied permission or the phone is locked — to spy on you and serve you targeted advertisements.

No phone or phone user is safe. It is literally a psychological fallacy designed to keep you with a false sense of security. You cannot have a smartphone and be secure.

He published papers on the NSA being a "man in the middle" or spying through hacking. There's no evidence that they can, say, break an HTTPS connection between me and some server. Nor is there evidence of them having backdoors into every smartphone, but they'll try their best to get in, just like any criminal can. The US gov't can force companies to access customers' datas from servers, though. I'm not saying it's not scary.

Wiretapping should probably be unconstitutional, but somehow in these cases they've justified it. That is, the NSA isn't going rogue in doing it. Anyway, I was replying about the offshore prisons.

 

[stylinexpat]

iCloud data is stored in an encrypted format, but Apple holds the keys to the server-side encryption (not for your device). That's the main concern. We need to move to a model where only the user holds the keys. That requires a completely different architecture, and opens a big can of worms if users were to lose their devices, etc. They'd also lose their data on the server-side.

As a system administrator, I have great admiration for the sheer complexity of what Apple is managing with iCloud. It works extremely well in general practice. These companies and organizations that attempt to break encryption and gain access to data only manage to make Apple look incompetent in the average joe's eyes, but they are not. This is just highly complex stuff and it will always be a cat-and-mouse game.
[doublepost=1563653731][/doublepost]

Let's clear up a few things.

1. Messages/iMessage supports full end-to-end encryption. This is known. It's only when you begin using iMessage in iCloud that the level of protection becomes weakened because now the server needs to participate in the messaging, too. It's essentially another participant that needs to hold the keys to the conversations.
2. All data is fully encrypted on iCloud servers, and encrypted connections are used between all devices (Macs, iPhones, etc.).
3. The issue is that Apple holds the keys to the data stored on iCloud servers, allowing them to de-crypt it at will. The data is still encrypted, though. It's not sitting there in plain-text, readable format. That would be asinine and very irresponsible of Apple.

The user would need to make and keep a backup copy of the keys some where on their own external space. If they lost the copy of the keys then that would be their own problem. Perhaps Apple could give user two choices where they could use Apple’s system and keys and risk sharing what ever they have with Apple with who ever Apple may share info with or keep backup file copies on their own end at their own responsibilities. This should be very easy for Apple to implement into the OS
[doublepost=1563671185][/doublepost]

It's always Israel, Russia, North Korea, or China. Why do we let them have access to our communications infrastructure?

It’s whom we share with and whom we don’t. It is also whom gets to work where and whom does not. Whom has dual citizenships and whom does not. Security clearance for some countries seems to have gone rather lax these days for some odd reason..

Israel does not like human rights activists and defenders but they’re not alone. China does not either and neither does Saudi Arabia,Russia,North Korea,China,UAE,Syria, Cambodia,Myanmar,And Thailand amongst others just to name a few.

https://www.trtworld.com/magazine/i...pp-to-spy-on-human-rights-defenders-26643/amp

 

[gavroche]

This claim makes no sense at all. If they had the capability to do this, why on earth would they call attention to it. It would just accelerate the hole being closed. They would be better off milking it as long as possible. Something else going on here...

 

[fairuz]

Incorrect; the server is never an additional participant in that sense. Messages in iCloud remains end-to-end encrypted (it just uploads and syncs the Messages database) and can only be decrypted with per-device encryption keys. If you have iCloud Backup enabled, those per-device encryption keys are stored in the backup and thus your messages can be decrypted. If you back up locally (or, of course, never back up at all), this isn't the case.

If you don't believe me, reset your iPhone (or other iOS device) and don't restore from a backup, sign into iCloud and iMessage, then watch carefully as your messages never appear. That's because the iMessage encryption key changed when you reset the phone; it can't be used to decrypt the pre-existing messages.

I can confirm this. Apple also describes this all in detail on their site. One thing, Apple still has the ability to man-in-the-middle attack end-to-end encrypted communications if they really want to since clients trust Apple as the public key exchange.

 

[fairuz]

It's always Israel, Russia, North Korea, or China. Why do we let them have access to our communications infrastructure?

What infrastructure exactly? The US has strict export laws. Widely-available encryption methods like TLS are treated as munition. It's futile.

 

[0388631]

What infrastructure exactly? The US has strict export laws. Widely-available encryption methods like TLS are treated as munition. It's futile.

TLS isn't and wasn't considered a munitions. The laws you cite are pre 1996 and were severely relaxed by Clinton and then more a few years later. Barring custom cryptography, export of AES and RSA is legal. These technologies are readily available anywhere and doesn't take a software company to develop them.

 

[fairuz]

TLS isn't and wasn't considered a munitions. The laws you cite are pre 1996 and were severely relaxed by Clinton and then more a few years later. Barring custom cryptography, export of AES and RSA is legal. These technologies are readily available anywhere and doesn't take a software company to develop them.

Ok, for whatever reason, Apple still makes you send a classification report to the US government if you produce an iOS app that uses TLS.