Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6

[Deguello]

I can't imagine that newer iPhone models and newer iterations of iOS are being affected with such ease. Especially a no-click infection.

“iPhones Running iOS 14.6”

Imagine more. Read more.

 

[JonGarrett]

FYI, iPhone preceded Android.

I know. But the original comment was Apple being last but better.

I wanted to know if specific examples of Apple being last AND better in either a hardware feature or software feature.

The only thing I can think of is 3D face unlock vs 2D face unlock but then again the tech for 3D face unlock wasn't available when the first 2D face unlock was released.

 

[ghanwani]

The sad part of system design is that security has, and continues to be, an afterthought.

The ransomware attacks are finally putting a direct $ amount on the neglect of providing for adequate security.

Now it would be good if everyone of the hacked journalist writes a piece on how security is an illusion and that most of our infrastructure is full of security holes.

 

[I7guy]

Apple's only got itself to blame.

iMessage was a festering cesspit of vulnerability since they added all this nonsense, emojos, apps (!!!) - well adding apps and an app API to your messsaging is a guaranteed way to open it up to all sorts of vulnerabilities

apple has massive problems that are built into iOS and Mac OS, that are are non-fixable:

- Video player with thousands of features and a multiple decades old codebase - this is going to have enough zero days for the next 100 years

Ok, all opinion.

- iMessages, wantonly compromised by features nobody is using, since they're all walled garden features relying on network effects, therefore all doomed to fail. There was no reason to do this. Just show the text. Add images. Done.

For you, maybe, but they seem to be popular.

- FaceTime - likely has endless vulnerabilities as well, like QuickTime

Ok, opinion noted.

And many others - there's so much stuff they're building that's a security disaster from the get go.

I have followed the "security related updates" for the past few iPhone updates, and it's pretty shocking, yet not surprising, as each one of these point updates fixes 10, 20, or even 30 zero day exploits.

millions left to go.

And yet, Android and Microsoft patch hordes of vulnerabilities also.

As explained above iMessage is the only one of these that's an intentionally designed security disaster.

The others have images, video, basic stuff and are likely only vulnerable to OS level video player exploits.

iMessage has a huge amount of features and even an app API - like every single security researcher in the world surely was doing, I was also facepalming myself when I first heard about the feature set - it's a few years ago now that this came out, iOS 11 maybe? Not sure. iMessage needs to remove all these dumb features again.

Apple won't remove these features. They will patch up vulnerabilities just like they've been doing.

I don't like blaming people but in this case, it's all on apple

- They DO actually have infinite resources with 200Bn USD in the bank

Ok, more opinion.

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example.

The old emojis over fix software meme?

Apple has really good engineers working there, I am 100% sure some of them spoke up and sad "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this. but they were outvoted by the marketing monkeys ("this will sell more iphones")

Nice whataboutism.

- Their software process is antiquated and wasn't good when it was first invented sometime in the 80ies. That's why Avi left.

That explains why Microsoft just patched 117 flaws across its' products.

14.7 contains the new technology that allows its features to travel back through time and correct existing data leaks?

The point was we ("we" as in posters that don't have Apple inside information) don't know if this was patch, will be patched and what software it will be or was patched for.

 

[nvmls]

iMessage is an abomination anyways, hopefully this kind of exposure will get them to overhaul it.

 

[MRrainer]

It would be nice to have an option in iOS to make iMessages ASCII-only. I.e. convert all incoming messages to ASCII, remove all effects etc.pp.
I bet that would stop most of these attacks.

 

[JosephAW]

Meanwhile Apple is worried about us sideloading apps.

In the meantime we can just turn off iMessage and that would make it more secure. Right?

Soon time for antivirus on an iPhone to get alerts when we’ve been hacked.

 

[JosephAW]

You guys do realize that if Apple has to overhaul iMessage it will break compatibility with previous iOS versions.

 

[I7guy]

iMessage is an abomination anyways, hopefully this kind of exposure will get them to overhaul it.

They'll patch the underpinnings (I don't know if you consider that an overhaul), but they most probably won't be giving an imessage an "overhaul" in the sense of the word in the sentence.

 

[JosephAW]

Now that we have a little red light to know the microphone is on, a little green light to know the cameras on, we need a little amber light to know we’ve been hacked.

 

[Newjackboy]

Apple don't have infinite resources, and in infosec, there's always someone smarter out there who'll be willing to try and break into your system - it is impossible for a system to be perfect.

You can bet that Apple will be doing everything they can to resolve it soon - that's the responsibility.

Apple have more resources than any other company in the world. And more than most governments. The fact this software is available was well known.

They’ve let targeted users down

 

[Razorpit]

“theres an emoji for that” quelling our concerns

Right next to pregnant dad. 😂

Make no mistake: there is an ideological war of democracy vs authoritarianism. Governments need to step up to keep tech like this from falling into the wrong hands, and it’s completely unacceptable that companies are allowed to outright sell it to oppressive regimes.

Governments are by nature authoritarianism. The last thing they want is for the plebes to have free will. I wouldn‘t be surprised one bit if you could trace this all the way through, multiple three letter organizations use this technology.


I’m more surprised there are 180 journalists out there, than anything else reported in this story…

 

[thadoggfather]

This would tar and feather and be the eventual demise of any ordinary publicly traded company... if they weren't Apple.

Stocks will probably sky rocket because up is down and down is up in 2021.

 

[hagar]

a good question; what makes you think that "not many people outside the United States use iMessage"

Because that’s the case. iOS market share is very low in many places so an iOS-only communication platform is useless. In Europe everybody uses WhatsApp and Messenger, with a shift (hopefully) towards Signal or Telegram.

 

[BeefCake 15]

we need a little amber light to know we’ve been hacked.

That's not how zero day works...

 

[fbr$]

I have a fix for the iMessage exploit:

 

[Wackery]

read the actual article. these kind of attacks use DGA domain names (the domain is generated, registered, and SSL cert is automatically generated), which can be easily identified on DNS server side, and name resolution for that URL can be blocked. the oDoH mechanism in Apple Private relay can protect your back in this regard.
also EFF can do - actually they do - a lot about it by also refusing to issue certificates for DGA FQDNs.

I don’t think I recognise more than 2 of the acronyms you used

 

[Iconoclysm]

Biggest culprit here is apple for sure. They have responsibilities here and should have been on top of it.

the company that produces this software must be freaking geniuses

So any time anything is hacked, blame the vendor? Ridiculous.

 

[nvmls]

They'll patch the underpinnings (I don't know if you consider that an overhaul), but they most probably won't be giving an imessage an "overhaul" in the sense of the word in the sentence.

For sure, completely wishful thinking from my end.

 

[sw1tcher]

Apple don't have infinite resources, and in infosec, there's always someone smarter out there who'll be willing to try and break into your system - it is impossible for a system to be perfect.

You can bet that Apple will be doing everything they can to resolve it soon - that's the responsibility.

Apple will eventually get around to it, but they're too busy right now fighting Right-To-Repair legislation.

 

[baryon]

The NSO says they only sell their product to countries with a "good human rights track record" – then why the hell did they sell it to a country like Hungary?

 

[Iconoclysm]

I don't like blaming people but in this case, it's all on apple

- They DO actually have infinite resources with 200Bn USD in the bank

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example. Apple has really good engineers working there, I am 100% sure some of them spoke up and sad "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this. but they were outvoted by the marketing monkeys ("this will sell more iphones")

- Their software process is antiquated and wasn't good when it was first invented sometime in the 80ies. That's why Avi left.

You're acting as if this is some gaping hole nobody bothered to look at. And of course, you're running with it with a projection you've created of Apple that doesn't even fit the scenario.

 

[hagar]

You obviously have no idea how the real world works. I'm sure even if Apple spent every cent of that $200b, there would still be an exploit somewhere (or one inadvertently created) that someone will find and use. It's human nature, nobody is perfect, and perfection is near enough impossible.

There are potentially up to 100m of lines of code in iOS / macOS, then hundreds (maybe thousands) of engineers. How could that be choreographed in the real world to be perfect? Spoiler: it's impossible.

If Apple didn't have all of these new features, who would buy the phone? If you want a phone that has security as a #1 feature priority, then go and find another vendor.

I'm fully confident in Apple's ability to secure their devices from the vast majority of attacks - this new exploit is obviously exceptionally well researched and funded far beyond the capabilities of "normal" attackers.

I followed you up to “If you want a phone that has security as a #1 feature priority, then go and find another vendor.”

Apple should have privacy and security as #1 priority. I also assume they have. But now it’s out in the public they have failed and they should address this issue publicly. Instead of keeping silent.

 

[VulchR]

Companies like NSO must have some physical presence somewhere. Time to shut them down by refusing bank services, internet access etc. And if these companies are protected by national governments, then there should be diplomatic consequences. I want to know what US and UK governments are doing about this illegal hacking (I am a US citizen living in the UK).

 

[matrix07]

But Apple says alternative app stores will be the downfall of iPhone security. Seems like iOS is already quite vulnerable.

So because your house got attacked by a specialist unlocker you want to throw away ALL your locks so anyone can get in as well? Geez..