Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6

[InGen]

iPhones have been lumped into the affected devices from this hack but to what ratio of the infected devices were Android vs Apple? Amongst the Apple devices, how old were the devices and iOS versions being affected?

I can't imagine that newer iPhone models and newer iterations of iOS are being affected with such ease. Especially a no-click infection. Knowledge of this company and it's practices has been floating around for many years. Surely Apple has studied various infected devices to understand the mechanism at work and patched it internally. Alternatively, it would surprise me less if Apple and this Israeli company have engaged in internal dialogue about to what degree Apple devices are able to be infected and to what extent Apple devices are prone to this level of surveillance.

Apple has fiercely defended it's IP and it's Terms of Use in the past. The blatant abuse by tools of this nature especially as a for-profit enterprise between a company and oppressive governments goes in the face of everything Apple stands for, and if it were true to the extent these articles suggest, Apple would have issued a statement addressing it, or visibly taken the entity responsible for it to the courts.

 

[Khedron]

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.

14.7 contains the new technology that allows its features to travel back through time and correct existing data leaks?

 

[123]

a good question; what makes you think that "not many people outside the United States use iMessage"

Fact (there have been numerous threads about this). 1) iMessage traditionally has sucked feature-wise 2) As soon as you have many Android users, your groups are WhatsApp-based.

The question is rather: is it relevant? All users, whether they use iMessage or not, have it installed.

 

[Khedron]

iPhones have been lumped into the affected devices from this hack but to what ratio of the infected devices were Android vs Apple? Amongst the Apple devices, how old were the devices and iOS versions being affected?

I can't imagine that newer iPhone models and newer iterations of iOS are being affected with such ease. Especially a no-click infection. Knowledge of this company and it's practices has been floating around for many years. Surely Apple has studied various infected devices to understand the mechanism at work and patched it internally. Alternatively, it would surprise me less if Apple and this Israeli company have engaged in internal dialogue about to what degree Apple devices are able to be infected and to what extent Apple devices are prone to this level of surveillance.

Apple has fiercely defended it's IP and it's Terms of Use in the past. The blatant abuse by tools of this nature especially as a for-profit enterprise between a company and oppressive governments goes in the face of everything Apple stands for, and if it were true to the extent these articles suggest, Apple would have issued a statement addressing it, or visibly taken the entity responsible for it to the courts.

In case you haven’t noticed, these days Apple openly admits how it cooperates with oppressive governments by turning off privacy features they don’t like and providing data on users.

 

[123]

In addition to iMessage, are there any other messaging systems that are targeted? Say WhatsApp / Telegram / Signal?

These apps are walled-off. Only Apple software gets the special treatment to be allowed to not follow normal rules and tightly integrate into the OS itself.

 

[macgabe]

Journalists, lawyers, and human rights activists around the world have been targeted by authoritarian governments using phone malware made by Israeli surveillance firm NSO Group, according to multiple media reports.

An investigation by 17 media organizations and Amnesty International's Security Lab uncovered a massive data leak, indicating widespread and continuing abuse of the commercial hacking spyware, Pegasus, which can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.

The leak contains a list of over 50,000 phone numbers that are believed to have been identified by clients of NSO as possible people of interest. Forbidden Stories, a Paris-based nonprofit media organization, and Amnesty International had access to the leaked list and shared that access with media partners as part of reporting consortium the Pegasus project. Forensic tests on some of the phones with numbers on the list indicated that more than half had traces of the spyware.

The company behind the software, NSO, denies any wrongdoing and claims its product is strictly for use against criminals and terrorists, and is made available only to military, law enforcement and intelligence agencies.

In a statement given to media organizations in response to the Pegasus project, NSO said the original investigation which led to the reports was "full of wrong assumptions and uncorroborated theories."
In an earlier version of the spyware, surveillance activity depended on the phone user clicking on a malicious link sent to them in a text or email (so-called "spear-phishing"). However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.

For example, Amnesty's Security Lab and Citizen Lab found an iPhone running iOS 14.6 could be hacked with a zero-click iMessage exploit to install Pegasus. Apple has been contacted for comment and we'll update this article if we hear anything.

https://twitter.com/i/web/status/1416801637104902146

Meanwhile, media organizations involved in the project plan to reveal the identities of people whose number appeared on the list in the coming days. They are said to include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials. Disclosures which began on Sunday have already revealed that the numbers of more than 180 journalists are already known to be among the data.

WhatsApp sued NSO in 2019 after it alleged the company was behind cyber-attacks on thousands of mobile phones involving Pegasus. NSO denied any criminal wrongdoing, but the company has been banned from using WhatsApp.

Article Link: Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6

There's too much auto-redirecting in iOS in general. Half the links I try to open prompt an app opening, often automatic, a calendar request, or a phone call, a YouTube video. One of the most annoying is a Safari web page which auto opens the Amazon or Reddit app, and then next time you open Safari, impossible to open a new page and you're down the rabbit hole of opening and closing apps and pages before you can even start. Or a game app which opens a Safari page. Apple wages war on Facebook pixel and Google cookie, but does little about apps bad behaviour. The exception is links to Apple Music, the Apple Store, Apple TV or Apple News. Those links never seem to work, even if they're sent by Apple.

 

[HacKage]

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.

The protections were meant to be in place from 14.0, and currently everyone with an iPhone on the latest OS is vulnerable to this attack.

Forget what the neighbours are doing, Apple need to get their own house in order.

 

[LV426]

The Guardian are taking a good lead on investigating this.

Anybody who trots out the old mantra about nothing to fear if you've nothing to hide really needs to watch the video in the link.

I'm sure that Apple will be doing their best to squish all the zero days they find out about, but I'd bet my bottom dollar that the Israeli firms behind these malware cracks have numerous zero days at their disposal - it's their bread and butter business, after all.

 

[genovelle]

“However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.”
“can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.”

It is irrelevant whether you use iMessage or not, as long as it is installed on your phone.

Since there is no iMessage for Android, what is the security issue there? Your quote says they are infected too.

 

[nikaru]

It is quite scary and disturbing that after so many years since iMessage was first released, there are still "zero-click" exploits in the wild, which are basically the worst of the worst exploits there could be in any OS or software. Hope Apple can act incredibly fast to address this issue. Only God should be able to access my phone data!

 

[MecPro]

Since there is no iMessage for Android, what is the security issue there? Your quote says they are infected too.

Zero click vulnerability exploited in iMessage installs spyware which can be installed by other methods on Android or iOS via a link.

 

[thadoggfather]

I’m prepared for downvotes but I gotta say I’m really unimpressed with apple security as of late. Coupled with their cozying up to certain special interests instead of being firmly neutral about it all, it’s not hard to see how it could all get out of hand quick. The security world moves at breakneck speed but also bad faith
Actors can poison the well quickly

or perhaps I should have always been unimpressed , the veil has just been lifted transparently

and no I don’t care about Android whataboutisms of being the same or worse. I hold apple to higher standards , and maybe I shouldn’t have been doing that either

 

[thadoggfather]

Don’t worry. Apple is on top of it. They are planning to offer a new line of $150 apple watch bands this week.

“theres an emoji for that” quelling our concerns

 

[5883662]

In addition to iMessage, are there any other messaging systems that are targeted? Say WhatsApp / Telegram / Signal? Since not many people outside the United States use iMessage.

What? Anyone with an iPhone uses iMessage. Including the rest of the world.

 

[JonGarrett]

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.

Lol, Android isn't affected. iOS 14.7 is right around the corner and Android 12 will be here in September.

I've had 8 security updates on my Galaxy 21+ since January. I think in the same time I've had 2 for my iPad Air 4.

At any given moment if there is a threat my droid will get patched before my iPad.

 

[one more]

In addition to iMessage, are there any other messaging systems that are targeted? Say WhatsApp / Telegram / Signal? Since not many people outside the United States use iMessage.

It is on the Guarduan’s front page right now and they specifically mention iMessage & WhatsApp vulnerabilities:

What is Pegasus spyware and how does it hack phones?

NSO Group software can record your calls, copy your messages and secretly film you

www.theguardian.com

 

[Robert.Walter]

You obviously have no idea how the real world works. I'm sure even if Apple spent every cent of that $200b, there would still be an exploit somewhere (or one inadvertently created) that someone will find and use. It's human nature, nobody is perfect, and perfection is near enough impossible.

There are potentially up to 100m of lines of code in iOS / macOS, then hundreds (maybe thousands) of engineers. How could that be choreographed in the real world to be perfect? Spoiler: it's impossible.

If Apple didn't have all of these new features, who would buy the phone? If you want a phone that has security as a #1 feature priority, then go and find another vendor.

I'm fully confident in Apple's ability to secure their devices from the vast majority of attacks - this new exploit is obviously exceptionally well researched and funded far beyond the capabilities of "normal" attackers.

i would tend to agree but then there’s the two exploit cases being run by Brazilian gangs.

 

[Robert.Walter]

D

iPhones have been lumped into the affected devices from this hack but to what ratio of the infected devices were Android vs Apple? Amongst the Apple devices, how old were the devices and iOS versions being affected?

I can't imagine that newer iPhone models and newer iterations of iOS are being affected with such ease. Especially a no-click infection. Knowledge of this company and it's practices has been floating around for many years. Surely Apple has studied various infected devices to understand the mechanism at work and patched it internally. Alternatively, it would surprise me less if Apple and this Israeli company have engaged in internal dialogue about to what degree Apple devices are able to be infected and to what extent Apple devices are prone to this level of surveillance.

Apple has fiercely defended it's IP and it's Terms of Use in the past. The blatant abuse by tools of this nature especially as a for-profit enterprise between a company and oppressive governments goes in the face of everything Apple stands for, and if it were true to the extent these articles suggest, Apple would have issued a statement addressing it, or visibly taken the entity responsible for it to the courts.

Did you miss part where 14.6 is vulnerable?

 

[chabig]

Lots of Android devices, iPhone came later...

FYI, iPhone preceded Android.

 

[kennyt72]

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.

You clearly have NO idea what you're talking about.

 

[incoherent_1]

Make no mistake: there is an ideological war of democracy vs authoritarianism. Governments need to step up to keep tech like this from falling into the wrong hands, and it’s completely unacceptable that companies are allowed to outright sell it to oppressive regimes.

 

[diego.caraballo]

Apple did a good step with the introduction of the on-screen indicators for Camera and Mic use. These functions should be coded low-level as possible. The equivalent of the green light on Mac that’s activated when the camera is ON. I believe Apple when they say that you cannot cover-enable the webcam module, since the green LED is directly connected to the power line. So it’s impossible to power the webcam without turning ON the LED (obviously for non-manipulated hardware).
iOS should implement an equivalent of that, so that the indicators appears on-screen every time that the Cam and Mic are powered.

 

[JMacHack]

Calling it: the bug has to do with text rendering.

 

[one more]

This is the Guardian’s article specifically related to iPhones:

How does Apple technology hold up against NSO spyware?

The iPhone maker says it is keeping pace with malware, but the Pegasus project paints a worrying picture

www.theguardian.com

 

[falkon-engine]

But Apple says alternative app stores will be the downfall of iPhone security. Seems like iOS is already quite vulnerable.