
LeadingHeat

macrumors 65816
Oct 3, 2015
1,044
2,608
Apple's only got itself to blame.

iMessage was a festering cesspit of vulnerability since they added all this nonsense, emojis, apps (!!!) - well adding apps and an app API to your messaging is a guaranteed way to open it up to all sorts of vulnerabilities

Apple has massive problems that are built into iOS and Mac OS, that are non-fixable:

- Video player with thousands of features and a multiple decades old codebase - this is going to have enough zero days for the next 100 years

- iMessages, wantonly compromised by features nobody is using, since they're all walled garden features relying on network effects, therefore all doomed to fail. There was no reason to do this. Just show the text. Add images. Done.

- FaceTime - likely has endless vulnerabilities as well, like QuickTime

And many others - there's so much stuff they're building that's a security disaster from the get go.

I have followed the "security related updates" for the past few iPhone updates, and it's pretty shocking, yet not surprising, as each one of these point updates fixes 10, 20, or even 30 zero day exploits.

Millions left to go.
How old are you? Just curious. You sound like someone’s father, who is annoyed with all the new features added to things and just want them to stay the same. Sorry to say, but if things don’t change, they will fail in the technology world.

That being said, of course Apple is one of (if not the) biggest targets of security “hackers”. Simply because they claim to have the highest security, and have a big reputation to uphold. It’s just a constant cat and mouse game. This among others will get fixed, and there will be more. Always. It’s not Apple’s fault unless they stay the same and stop patching them.
 

bluecoast

macrumors 68020
Nov 7, 2017
2,223
2,641
You guys do realize that if Apple has to overhaul iMessage it will break compatibility with previous iOS versions.
I'm OK with this. I don't want security vulnerabilities in my phone just so people can iMessage 32 bit phones still on iOS 10.

I'm also not OK with not being able to:
- Turn off iMessage app extensions.
- Tell iMessage to remove any images that are sent to me in an iMessage (or regular MMS)
- To stop showing links as live URLs.
 

Black Magic

macrumors 68030
Sep 30, 2012
2,787
1,499
Apple's only got itself to blame.

iMessage was a festering cesspit of vulnerability since they added all this nonsense, emojis, apps (!!!) - well adding apps and an app API to your messaging is a guaranteed way to open it up to all sorts of vulnerabilities

Apple has massive problems that are built into iOS and Mac OS, that are non-fixable:

- Video player with thousands of features and a multiple decades old codebase - this is going to have enough zero days for the next 100 years

- iMessages, wantonly compromised by features nobody is using, since they're all walled garden features relying on network effects, therefore all doomed to fail. There was no reason to do this. Just show the text. Add images. Done.

- FaceTime - likely has endless vulnerabilities as well, like QuickTime

And many others - there's so much stuff they're building that's a security disaster from the get go.

I have followed the "security related updates" for the past few iPhone updates, and it's pretty shocking, yet not surprising, as each one of these point updates fixes 10, 20, or even 30 zero day exploits.

Millions left to go.

Go buy a Windows machine then since you are so unhappy. Let us know how that works out for you!
 

Grohowiak

macrumors 6502a
Nov 14, 2012
768
793
Lmao so long iOS is sEcUre
Now I'm starting to understand their fear of opening appstore. They can't handle this stuff in a 100% locked environment let alone in an open one.
 

centauratlas

macrumors 68000
Jan 29, 2003
1,825
3,772
Florida
"use against criminals and terrorists"

Who decides?

I dare say that the people who are classified as "criminals and terrorists" would certainly be different between, say, the UK or Switzerland and China, Russia, Cuba, Venezuela or North Korea.

Once any one of these governments has the tools, they can target anyone, anywhere. It isn't as if China can only target Chinese citizens. They can target Taiwan. They can target Hong Kong protestors or anyone else. Cuba can target anyone also. And given the lack of security on many governmental systems, the tools will leak. Ditto, for the US - the Biden admin could target anyone with an iPhone.

Any back door (intentional or, as appears in this case, just a bug) will be exploited by bad actors. Another reason for end-to-end encryption with on device keys for everything.

Governments are by their nature authoritarian and unless restrained by constitutional law, upheld by courts, and supported by a majority of politicians, will use every measure possible to obtain and retain power. Hence the desire to divide people and stir up hate and envy. Divide and conquer.

The arrogance of anyone thinking that *their* security is the one that won't be compromised is astounding. Anyone thinking that there should be a back door on systems or not even have them encrypted is just conceited and will end up being proven wrong in time.

Target Tim Cook or whomever has the iCloud encryption keys and then all iCloud backups are open once you can get into their systems.
 

centauratlas

macrumors 68000
Jan 29, 2003
1,825
3,772
Florida
"Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place."

Hey Apple, what about the rest of us? Everyone deserves the same protection because most people are trying to make the world a better place, and the titles mentioned are purely artificial and made up.
 

Ethosik

Contributor
Oct 21, 2009
7,820
6,724
Don’t worry. Apple is on top of it. They are planning to offer a new line of $150 Apple Watch bands this week.

Not sure why people say things like this. The person making/marketing/releasing the watch bands probably never wrote a single line of code. You want them to fix a security issue, or develop in general?
 

katbel

macrumors 68040
Aug 19, 2009
3,374
29,158
“NSO has invested substantial effort in making its software difficult to detect and Pegasus infections are now very hard to identify. Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.”
Does it mean that by powering down the iPhone you get rid of the spyware?!
 

One2Grift

Cancelled
Jun 1, 2021
609
546
Not surprising, I’m sure a large amount of governments have the capacity to do this.

That's correct.
Ironically, on some phones spyware/malware wouldn't be needed. Gathering location information, contacts, search history, text common usage metadata is called normal business.
 

erthquake

macrumors regular
Oct 11, 2011
212
199
The NSO says they only sell their product to countries with a "good human rights track record" – then why the hell did they sell it to a country like Hungary?
And what stops a Pegasus government from sharing information with any other government? Seems pretty easy for a government to say "We don't use Pegasus" while getting the intel they need from a country like Hungary.
 

JosephAW

macrumors 603
May 14, 2012
5,991
7,948
Hopefully Apple doesn’t wait until iOS 15 to patch this but releases an update for iOS 14 and iOS 12.
 

macintoshmac

Suspended
May 13, 2010
6,089
6,992
iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.

I might be unaware, what has iOS 14.7 got that will disallow further hacking in this manner? Please don't be such a rosy-eyed fan that you cannot see what is right in front of you. Apple is not God.
 

chachawpi

macrumors regular
Feb 7, 2009
196
268
iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.
That's a pretty awful way to say "sorry that people were likely killed but it's not Apple's problem."
 

markiv810

macrumors 6502
Sep 27, 2002
378
114
India
"use against criminals and terrorists"

Who decides?

I dare say that the people who are classified as "criminals and terrorists" would certainly be different between, say, the UK or Switzerland and China, Russia, Cuba, Venezuela or North Korea.

Once any one of these governments has the tools, they can target anyone, anywhere. It isn't as if China can only target Chinese citizens. They can target Taiwan. They can target Hong Kong protestors or anyone else. Cuba can target anyone also. And given the lack of security on many governmental systems, the tools will leak. Ditto, for the US - the Biden admin could target anyone with an iPhone.

Any back door (intentional or, as appears in this case, just a bug) will be exploited by bad actors. Another reason for end-to-end encryption with on device keys for everything.

Governments are by their nature authoritarian and unless restrained by constitutional law, upheld by courts, and supported by a majority of politicians, will use every measure possible to obtain and retain power. Hence the desire to divide people and stir up hate and envy. Divide and conquer.

The arrogance of anyone thinking that *their* security is the one that won't be compromised is astounding. Anyone thinking that there should be a back door on systems or not even have them encrypted is just conceited and will end up being proven wrong in time.

Target Tim Cook or whomever has the iCloud encryption keys and then all iCloud backups are open once you can get into their systems.

The issue is that if there is a backdoor, it's only a matter of time before the hackers exploit it. We live in a Digital world and these kinds of deliberate backdoors are a compromise with the lives of the common citizen. In the name of security, this is a slippery slope and we cannot predict the outcome of such tools in the near future. They have opened the "Pandora's Box" and the best is yet to come.
 

thadoggfather

macrumors P6
Oct 1, 2007
15,575
16,319
Not sure why people say things like this. The person making/marketing/releasing the watch bands probably never wrote a single line of code. You want them to fix a security issue, or develop in general?
Nobody is blaming the watch band designers... I don't think. They're blaming that Apple's priorities from the top have ostensibly fallen off track which includes selling you endless amounts of accessories and services when their core functionality has been compromised.

--

Pegasus-gate is nothing short of an unmitigated disaster, one that is reputation ruining, and if Apple cares this should be their top priority and some sort of official statement should come any minute now from them. As well as action - if action can even be had since this is a tough situation I don't think anyone in the 'Valley' is jealous of right now.

Otherwise, 'security' and 'privacy' pushes that are synonymous with the brand will be rendered totally futile.
 

Macaholic868

macrumors 6502a
Feb 2, 2017
883
1,201
“However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.”
“can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.”

It is irrelevant whether you use iMessage or not, as long as it is installed on your phone.

Which is why if something is installed on your phone, you don’t use it and you can turn it off in Settings like you can with iMessages then you should probably do that.
 

Blowback

macrumors 65816
Jan 10, 2018
1,288
733
VA


Journalists, lawyers, and human rights activists around the world have been targeted by authoritarian governments using phone malware made by Israeli surveillance firm NSO Group, according to multiple media reports.

An investigation by 17 media organizations and Amnesty International's Security Lab uncovered a massive data leak, indicating widespread and continuing abuse of the commercial hacking spyware, Pegasus, which can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.

The leak contains a list of over 50,000 phone numbers that are believed to have been identified by clients of NSO as possible people of interest. Forbidden Stories, a Paris-based nonprofit media organization, and Amnesty International had access to the leaked list and shared that access with media partners as part of reporting consortium the Pegasus project. Forensic tests on some of the phones with numbers on the list indicated that more than half had traces of the spyware.

The company behind the software, NSO, denies any wrongdoing and claims its product is strictly for use against criminals and terrorists, and is made available only to military, law enforcement and intelligence agencies.

In a statement given to media organizations in response to the Pegasus project, NSO said the original investigation which led to the reports was "full of wrong assumptions and uncorroborated theories."
In an earlier version of the spyware, surveillance activity depended on the phone user clicking on a malicious link sent to them in a text or email (so-called "spear-phishing"). However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.

For example, Amnesty's Security Lab and Citizen Lab found an iPhone running iOS 14.6 could be hacked with a zero-click iMessage exploit to install Pegasus.


Meanwhile, media organizations involved in the project plan to reveal the identities of people whose number appeared on the list in the coming days. They are said to include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials. Disclosures which began on Sunday have already revealed that the numbers of more than 180 journalists are already known to be among the data.

WhatsApp sued NSO in 2019 after it alleged the company was behind cyber-attacks on thousands of mobile phones involving Pegasus. NSO denied any criminal wrongdoing, but the company has been banned from using WhatsApp.

Update: Apple has provided the following statement condemning the use of the zero-click exploit against journalists, lawyers, and human rights activists to The Guardian.


Article Link: Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6
Reminder (for those with memories who actually follow the real news): You can thank the NSA for this....but of course many can't break old habits and will blame the victim (Apple/Users). NSA allowed their entire 'kit' to be stolen some years ago...and its applications and uses have been dripping into the mainstream ever since. To propose that Apple should not have benefited countless users with iMessage because it MIGHT be compromised is of the logic that the Wright brothers shouldn't have bothered because not only MIGHT some airplanes crash but some might also be used for the bombing of cities or in acts of Terrorism!!!! Some of these comments are what my 7th grade geo teacher used to call (back when teachers could be so honest) 'A**nine'.
 

bradl

macrumors 603
Jun 16, 2008
5,936
17,428
Opinion or fact?

As far as iOS 14.7 goes, he called it right. It's out.

As far as what Android will have? They have another 4 days to prove him wrong.

Don't be surprised if this is saved for future revisiting at the end of the week.

BL.
 

incoherent_1

macrumors 65816
Oct 19, 2016
1,160
2,221
Governments are by nature authoritarian. The last thing they want is for the plebes to have free will. I wouldn’t be surprised one bit if you could trace this all the way through, multiple three letter organizations use this technology.

I’m more surprised there are 180 journalists out there, than anything else reported in this story…
What’s so funny is that spouting uneducated, ridiculous notions like these is a privilege reserved for people in open, democratic countries.

Try saying this to people in Myanmar, North Korea, etc. and they will laugh in your face (I worked in international aid so I know many people from these places). Of course, you’d have trouble reaching them because their internet and communications can be cut off for days on a whim of some autocrat.

The rest of us don’t live in perfect utopias, for sure, but to conflate the two and say all governments are the same is hilariously childish.
 