What are the odds that NSO has like 20 other zero-days in their arsenal each set ready to deploy the day the current vulnerabilities are discovered and patched? Does Apple know or have a clue how bad this problem could be?
Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to the right side instead?
It’s not clear in the article if the author had to take any action to get this program installed. If that’s not required, what should anyone who even vaguely suspects state sponsored spying do? Sounds like it’s safer to just not use a phone or try and circle through a series of them you buy second hand or something.
This comment pretty much dissects/explains NSO in the best terms I've seen on HN before.
"Pegasus" is not one hacking entity like most articles make it out to be. It's
1) A bunch of services that download data, given root access to a phone
2) a bank of 0-days, we don't know how deep.
For all we know, there are times when "Pegasus" doesn't work for hours, days, weeks, until the 0-day is rotated. We do know from some leaks that they have a mix of non-click and click exploits, and also support all different kinds of phone OS.
Their hacking abilities are definitely overstated. For all we know, for smooth continuous customer support, they could be buying 100% of their 0-days and not finding any themselves. A 0-click 0-day for iPhones is worth about $2,000,000[1]; a company with contracts like NSO can afford a lot of those. IMO the media portraying them as super-hackers is pure hype. It's a bunch of crooked business people who figured out how to extract money out of countries.
I factually agree with what you're saying, but I don't think it really changes the practical outcome of the situation: a private organization is available for hire to arbitrarily root and snoop on fully patched iOS devices at state-level actor scale. Whether they get the exploits in-house or from elsewhere, the outcome is basically the same.
Whether there's "Pegasus" attribution or not, the reality of the contemporary internet is: if you're targeted hard enough, you're probably screwed. (....but you're probably not actually targeted that hard, so practice good practices)
That being said, I agree with others that it's probably a good technical, PR, and long-term "marketability to regimes" approach for Apple to just double down and spend millions instead of thousands on competing with the black market to buy 0-days.
An extension to the link [1] above is: the price NSO pays for an Android zero-click exploit is higher than the price they pay for iPhone zero-click exploits. This implies they do indeed have a catalog of iOS exploits stashed.
I'm curious how selling a multi-million dollar 0-day to a shady company actually works in practice. Like, how does the seller demonstrate that their exploit works and isn't already in ShadyCo's catalog without giving up how it works (at which point ShadyCo could just not pay them and recreate it)?
I just don't understand how they are allowed to do this. I thought we had laws against intruding on systems, hacking, and wiretapping. How can a business do this in the clear and not get stopped by some law enforcement?
I think Apple should randomize data structure ordering, change flags and logic in the memory allocator, and choose a different set of compiler optimizations with every release.
At least that way, most exploits and bugs will require an expert to put in substantial effort to update them to work on a new OS release, and many exploits won't be possible at all on a new release - if for example the exploit allows a stack buffer to overrun by 1 byte, then it depends what data follows the buffer - and if the compiler randomizes that, then in the next release it might become non-exploitable.
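The layout dependence described in the comment above, as an added example that is not part of the thread: the record type, its field names, the off-by-one copy routine and the reordering are all constructed for illustration, and nothing here is taken from iOS or from Apple's toolchain. The same one-byte overrun flips a privilege flag when the flag sits directly after the buffer and lands in padding when it does not; the last function counts how many field orderings remain exploitable, which is the randomization argument in numbers.

```python
"""
Added example (not from the thread): a one-byte overrun that is exploitable
under one field layout and harmless under another, plus the share of random
layouts in which it still works. Everything here is constructed.
"""
import struct
from itertools import permutations

NAME_LEN = 16

# A constructed record: a fixed-size name buffer, a one-byte privilege flag and
# two padding fields. Each entry is (field name, struct format), in memory order.
FIELDS = [("name", f"{NAME_LEN}s"), ("is_admin", "B"), ("pad", "7x"), ("tail", "8x")]


def layout_offsets(fields):
    """Return {field: byte offset} for fields laid out back to back (no alignment padding)."""
    offsets, off = {}, 0
    for name, fmt in fields:
        offsets[name] = off
        off += struct.calcsize("=" + fmt)
    return offsets


def buggy_set_name(image, name_off, src):
    """The bug under discussion: copies NAME_LEN + 1 bytes (off-by-one, '<=' instead of '<')."""
    for i in range(NAME_LEN + 1):
        image[name_off + i] = src[i]


def run_attack(fields):
    """Apply the overrun to a zeroed record image; return the flag's value afterwards."""
    offs = layout_offsets(fields)
    image = bytearray(64)                        # large enough for any ordering of FIELDS
    payload = b"A" * NAME_LEN + b"\x01"          # the final byte is the one that escapes the buffer
    buggy_set_name(image, offs["name"], payload)
    return image[offs["is_admin"]]               # 1: flag flipped, 0: the extra byte hit padding


def exploitable_fraction(fields):
    """Share of all field orderings in which this one-byte overrun still flips the flag."""
    orders = list(permutations(fields))
    hits = sum(run_attack(list(o)) for o in orders)
    return hits / len(orders)


if __name__ == "__main__":
    shipped = FIELDS                                           # flag right after the buffer
    reordered = [FIELDS[1], FIELDS[2], FIELDS[0], FIELDS[3]]   # flag before the buffer
    print("flag after buffer :", run_attack(shipped))         # 1
    print("flag before buffer:", run_attack(reordered))       # 0
    print("exploitable orderings:", exploitable_fraction(FIELDS))  # 0.25
```

With four fields, only the orderings where the flag immediately follows the buffer (6 of 24) are exploitable by this particular overrun; an attacker who does not know which ordering shipped has to re-derive it, which is the extra work the comment is hoping to impose. The converse caveat is that a longer overrun, or one that targets a pointer rather than a flag, is far less sensitive to ordering.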
I could very well imagine that NSO charges per device exploited, and charges more for zero-click exploits used.
Each exploited phone raises the chance of the exploit being found and burned, so they really have to incentivize their customers to use them sparingly.
> What are the odds that NSO has like 20 other zero-days in their arsenal each set ready to deploy the day the current vulnerabilities are discovered and patched?
I feel it's the safe money, certainly. One exploit dev in a given year can churn out multiple weaponized 0 days, surely they have more than one dev working on such things, so you're talking about a stockpile of likely dozens of vulns. Some might collide with public vulns so they lose a few, but you knock one down and I have to assume they have others staged.
> Apple is rich enough to increase their bounties large enough to attract them to right side instead?
That's a good question. I think at NSO's price point the answer is probably "no", but I don't know. At best Apple could be competitive, but bug bounty work is far riskier - you might spend a long time without getting a payout, either due to some bad luck, collisions with already reported vulns, or a vendor just being a dick (pretty sure Apple have been dicks).
> what should anyone who even vaguely suspects state sponsored spying do?
Probably have more than one phone, for starters. Use authenticated protocols, not SMS/MMS. It's insane that anyone can just send data to your phone unprompted. I'd probably disable cell service altogether unless I'm actively making an outbound call to a known contact.
The only way Apple could make them report the vulnerability is if the bounty was not far from the amount of profit that NSO is making with their software.
> Use authenticated protocols, not SMS/MMS. It's insane that anyone can just send data to your phone unprompted. I'd probably disable cell service altogether unless I'm actively making an outbound call to a known contact
I was just listening to Darknet Diaries episode 100 this past weekend, and they mentioned an NSO-crafted zero-click vulnerability in WhatsApp that Citizen Lab had detected being exploited.
Though I suppose WhatsApp (anyone with my phone number can message me) wouldn’t qualify as an authenticated protocol.
Why is it on Apple to defend everyone against hackers sponsored by another country to begin with? The governments should be providing any resources necessary to defend here...
I didn’t find any mention of Lockdown Mode in the article, which is advertised as something a user in this position could use to decrease their attack surface. I find it surprising journalists covering high-risk stories don’t just all have this on by default. A lot of these no-user-interaction exploits are via vulnerabilities in decoders for images and such that run when a message is received, unless the phone has Lockdown Mode enabled (LM also disables other types of functionality). Has anyone seen evidence of a phone with Lockdown Mode enabled being compromised (not saying it’s impossible, just curious)?
So far there has not been a confirmed Pegasus infection with lockdown mode enabled. It's certainly possible but will require more sophisticated exploits, thus increasing the price per infection.
> Sounds like it’s safer to just not use a phone or try and circle through a series of them you buy second hand or something.
The book Pegasus by Laurent Richard chronicles the challenges the journalists who brought us the Pegasus leaked list with 50k+ targets had to go through. Anyone who has grown cynical about journalism over time will be humbled by the death and terror that journalists endure to challenge regimes like SA or Morocco. Pegasus was on Jamal Khashoggi's and his mistress's (? iirc) phones.
They probably have around 3-10 other zero-click zero days on hand. And if NSO somehow burns all of their in-house production, the vulnerability brokers I know have a couple tens ready for usage in their inventory for a few million dollars each. This is not even private knowledge; the brokers run legal US incorporated businesses that sell to governments, businesses, and the vendors who make the insecure products such as Microsoft and Apple. Apple knows for a fact that they are delivering products with tens to hundreds of known critical security defects.
Apple does not buy out the zero-days for two reasons: First, you can not buy your way to security. Second, the benefits do not outweigh the costs.
For the first point, it is impossible to buy your way to serious security. Apple currently pays a $1M bounty for a zero-click RCE with persistence [1] and $2M to do the same to Lockdown Mode, around the cost of a single Tomahawk cruise missile. They set this price because it takes around 1-3 engineer-years to find such a security defect, so the bounty is approximately the cost of labor. If they paid $10M, around the cost of a single M1 Abrams tank, they would get an absolute flood of new reports, since suddenly the ROI is 10x and the number of security defects detectable at the $10M level is vastly more than at the $1M level. However, to deter countries, you need to get to at least the $100M level, the cost of a single F-16. At the few million dollar level there are already tens to hundreds of known security defects, so at the $100M level there are almost certainly thousands to tens of thousands of vulnerabilities. So, to buy their way to protection against state-funded attackers would cost them trillions to tens of trillions of dollars, if it is even possible at all. Note that literally nobody has ever gotten past the few million dollar range using this strategy, or frankly using any strategy when attempting to retrofit a system not designed for security like iOS or Windows.
For the second point, what does Apple gain by buying the zero-days? People keep buying iPhones no matter how many thousands of security defects get reported. All they have to do is make up new bullshit like Lockdown Mode and everybody feels warm and fuzzy inside. The company, which has never once made a product within a factor of 100x of what is needed to protect against state-funded attackers, just makes up a marketing spiel about how they are "totally going to do it this time for sure, pay no attention to our record exclusively consisting of hundreds of failures" and everybody eats it up. We know they do not believe their own marketing fluff because they set the bounty for Lockdown Mode at $2M, only double the $1M for regular iOS, which is still only 1/5 of a single tank. Do you think a single state-funded attacker will be dissuaded by the price of a fractional tank? It costs more money to start a new McDonald's store. All the companies like Apple, Microsoft, Amazon, Google, Cisco, Crowdstrike, etc. need to do is lie, and for some reason everybody keeps believing them for the thousandth time and their sales are protected.
Commercial IT systems are completely and utterly insecure against attacks by moderately funded attackers. If you have operations worth more than $1M or are at the risk of targeted attacks, you are completely, 100%, vulnerable no matter what or how many of these systems you use. If that is not acceptable, then you must not use standard commercial IT systems with connectivity. That is, unfortunately, the only solution that currently works. It is up to you if you think the tradeoff is worth it.
A third reason Apple doesn’t increase their bounties: they don’t need to. There is no secure phone on the market. Your only options are insecure phone (iOS, android, whatever) or no phone at all. So while it might be nice to be able to claim that you’re relatively secure, there’s very little to be gained by spending all of the resources required to buy up all exploits.
> Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?
TL;DR, Apple probably doesn't care enough
You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims) and most of the general public probably doesn't understand or care enough to get their pitch forks out.
Personally if I was anywhere near being a possible NSO target I'd dump all my devices or at least have them fully airgapped, the only way you'll win that fight.
> You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims)
That's a dangerous assumption. We only know about the victims who are clueful enough about OPSEC to even be informed about the issue, let alone find out about an attack.
>Personally if I was anywhere near being a possible NSO target I'd dump all my devices or at least have them fully airgapped, the only way you'll win that fight.
You still wouldn't win that fight without applying those rules to everyone you come in contact with. And even then, the absence of such data could create a pattern enough to identify parts of your life if they have enough data from people that are not around you.
Escaping surveillance from bad actors is essentially no longer a winnable fight. You can only do your best to mitigate it.
> TL;DR, Apple probably doesn't care enough
You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims) and most of the general public probably doesn't understand or care enough to get their pitch forks out.
And yet:
(a) Lockdown Mode cost money to develop and will cost support time from casuals turning it on when they shouldn't, but Apple did it anyway, and
(b) the journalists only know this happened because Apple told them proactively.
Sounds like they care at least a little.
> Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?
Apple is a commercial organisation with a sole purpose of generating profit. And the bounties are at their equilibrium points already (or at least supposed to be).
Apple is rich enough sure, but they will only spend money if this makes Apple even richer.
"Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?"
You assume it's just money and not political ideology or "because I can, when I can."
Almost zero. If China, with 1.5 billion people, unlimited money and lots of motivation, couldn't hack into iOS, then there is no way Israel can do it multiple times... Just think about it...
It would be a lot easier to just believe Apple gave backdoor access to Israeli intelligence. It would explain why Europe is at their throat recently after Israel sold Pegasus to Morocco, who used it to spy on French journalists and politicians, which led to Morocco recognizing Israel and the US recognizing the Western Sahara and putting an embassy there; now those waters (between the Canary Islands and Morocco) aren't the EU's but are shared with Morocco, aka the US, and it all happened after discovering that mineral-rich mountain (Mount Tropic) that has lots of minerals used in battery manufacturing. That's just my tinfoily theory for the day... I don't believe all of it but I don't disregard that possibility...
My guess: probably less.
People carry their phones as an extension of themselves, while cars take us from point A to B.
And most modern cars have a Secure Gateway[1] that is mostly not connected to the internet, and that only allows limited network access from the connected systems to the rest of the vehicle (engine, powertrain, brakes...).
So the possibility of a remote scaled attack is low IMO.
Reprogramming the navigation to take you to the ambush site or sending your route to Mossad would be valuable. That’s without even considering the lethal options like disabling braking, setting lane assist to swerve you into traffic, etc.
I’ll admit I always thought ‘Meduza’ was from the Russian /meduza/, meaning jellyfish, but they did indeed mean the Greek Medusa (1):
> Question - why Meduza in particular? That's a slippery, unpleasant creature
> Journalists are generally unpleasant and slippery and there are few who love them - such is the job. Also "Medusa" turns its subject to stone with a glance, which is true of journalists, too. But to be completely honest, we ended up with "Meduza" by chance. We thought the paper should be named after the ancient Greek monster that had its head cut off but came alive anyway. We chose "Meduza" and then remembered that it was a hydra, but it was too late.
The Russian word for jellyfish comes from the Greek myth. In Russian, Medusa is spelled with a Z instead of an S (Медуза). The jellyfish is called such in Russian because the tentacles are similar to Medusa's snakes.
I wonder how Apple decides who to inform and who not to when they detect malware like pegasus. Good they did inform a person in question.
However, what if this person was much lower profile? Let's say a person that lives in a democratic country. Does Apple even know who targeted them? If they do, let's say "if its China or Russia" we inform. Then what if China or Russia does the exact same thing but using a paid agent in a democratic country?
This raises so many questions. And finally, if Apple can detect such malware, why isn't there an immediate notification from some local app? Like an antivirus for your phone. They must already have something like this, otherwise how would they know?
(Disclaimer: I have no idea how this actually works.) I would guess that running this on-device would be prohibitive and they probably get told accounts and whatnot that are known to have sent the messages, then go in their server logs and check who they reached out to.
Sounds like that would not leave much time for actual journalism. Or room for carrying other equipment. And it would make crossing borders very exciting, explaining all those phones to border control or customs.
Just turn on Lockdown Mode on iOS. It was designed to protect against exactly this. It has been confirmed that if Lockdown Mode had been on, this attack would have failed.
Disable iMessage and don't use iCloud at all, for a belt and suspenders approach.
This probably isn’t a bad idea for an open-source project.
Something akin to Graphene OS where there’s a constant drive to narrow the attack surfaces, but also removing any concessions related to installing apps or Google services entirely.
Basically, a phone that has access to encrypted messaging and the camera/mics under very controlled circumstances and that’s about it.
The restrictions would also limit the popularity enough that it would likely never be worth the cost of targeting, but also provide greater protection to the few people that really need that protection enough to make those sacrifices.
I'd love a phone with a bank of iPhone style mute switches, but each hooked up physically to disable the cellular radio, gps antenna, mic, camera and etc.
An open-source project is actually worse for security because the attacker can just read your source and find the exploits.
Assembly is a pain to understand even with the latest disassemblers. Cut that out and you’re cutting out 90% of the work.
Now sure in theory having it open source means good people will find the exploit. But have you ever found an exploit and reported it? Of course not. Only attackers are motivated to put thousands of hours of work into looking for vulnerabilities. Unless you pay someone to actually put the same work in, it being open source is meaningless.
There's probably a way to quickly detect infection, too: constantly look at all network traffic. It's probably pretty difficult to hide the outgoing traffic when they are pulling all your messages and run frequent screen capture. They will encrypt it, but the volume of data should be impossible to hide.
Even easier if you have your phone stripped down and locked up in the first place: fewer apps to ever cause outgoing traffic.
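One way to implement the volume check proposed in the comment above, as an added example that is not part of the thread: the flow records, the destination addresses (all from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the thresholds are constructed, and the detector is a plain median/MAD baseline over hourly outbound byte counts plus a "never seen this host before" check. It assumes the counts come from something off the device, such as a router or egress NetFlow export, since counters read on a compromised phone cannot be trusted.

```python
"""
Added example (not from the thread): flag hours whose outbound volume, or
whose set of destinations, departs from a quiet baseline. All flow records
below are constructed; the format is (ISO timestamp, destination, bytes out).
"""
from collections import defaultdict
from statistics import median


def _normal_hour(ts, hour):
    """Constructed baseline chatter for one hour: a sync service and a messenger."""
    return [(ts, "192.0.2.10", 1_500_000 + 90_000 * (hour % 5)),   # sync service (constructed)
            (ts, "198.51.100.5", 400_000)]                          # messenger (constructed)


SAMPLE_FLOWS = []
for day in (1, 2, 3, 4):
    for hour in range(24):
        ts = f"2024-03-0{day}T{hour:02d}:00:00Z"
        SAMPLE_FLOWS.extend(_normal_hour(ts, hour))
        if day == 4 and 2 <= hour < 6:
            # Constructed implant behaviour: a four-hour upload burst to a host
            # that never appears during the baseline days.
            SAMPLE_FLOWS.append((ts, "203.0.113.77", 95_000_000))

TRAINING_DAYS = {"2024-03-01", "2024-03-02", "2024-03-03"}


def hourly_totals(flows):
    """Sum outbound bytes per hour bucket and record which destinations appeared."""
    totals, dests = defaultdict(int), defaultdict(set)
    for ts, dst, nbytes in flows:
        bucket = ts[:13]            # "YYYY-MM-DDTHH"
        totals[bucket] += nbytes
        dests[bucket].add(dst)
    return totals, dests


def baseline(flows, training_days):
    """Median and MAD of hourly totals on the training days, plus the hosts seen then."""
    totals, dests = hourly_totals(flows)
    train = [b for b in totals if b[:10] in training_days]
    values = [totals[b] for b in train]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1   # avoid a zero scale on a flat baseline
    known = set().union(*(dests[b] for b in train))
    return med, mad, known


def flag_exfil(flows, training_days, k=6.0):
    """Return (bucket, bytes, robust z-score, new hosts) for every suspicious non-training hour."""
    med, mad, known = baseline(flows, training_days)
    totals, dests = hourly_totals(flows)
    hits = []
    for bucket in sorted(totals):
        if bucket[:10] in training_days:
            continue
        score = (totals[bucket] - med) / mad
        new_hosts = sorted(dests[bucket] - known)
        if score > k or new_hosts:
            hits.append((bucket, totals[bucket], round(score, 1), new_hosts))
    return hits


if __name__ == "__main__":
    for bucket, nbytes, score, new_hosts in flag_exfil(SAMPLE_FLOWS, TRAINING_DAYS):
        print(f"{bucket}  {nbytes:>12,} B  z={score:>8}  new={new_hosts}")
```

The burst hours stand out by three orders of magnitude here because the constructed baseline is tiny and regular; on a real phone the baseline is noisy (backups, video, OS updates), so the robust score alone will produce false positives and the "new destination" signal tends to be the more useful of the two. A small one-off pull of a message database can also sit well below an hour's normal traffic, which is the limit of this approach.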
> “I’m absolutely shocked we’re seriously discussing that a European state could have done this,” says Ivan Kolpakov, Meduza’s editor-in-chief. “I’m probably naive"
Rather than naive, I think his main problem is that he hadn't investigated, before the discussed event, what the European states actually do in that context. Then he would be just worried, not shocked.
Another possibility is that the "shocked" is the "Casablanca shocked":
> Rick: How can you close me up? On what grounds?
> Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
Is there anything that prevents Pegasus from spreading by itself or must it be installed via a targeted attack? And is there a way of scanning for it to see if a phone is infected?
There is nothing technical that prevents Pegasus from spreading by itself; some of the reportedly involved vulnerabilities could be "wormable". However, there are practical reasons that prevent that: for malware like Pegasus, the operator has an interest in avoiding uncontrolled spread, since it relies on certain undiscovered and unpatched vulnerabilities staying undiscovered and unpatched, and uncontrolled spread makes it much more likely to be discovered and analyzed, "killing the goose that lays the golden eggs".
So at least for now we'd expect all Pegasus installations to be a result of targeted attacks. On the other hand, if the tool leaks and becomes readily available to multiple actors, then the incentives change and one of them might decide to make a worm that infects everyone in the world who's not patched.
I suspect that it was not because it was hurtful or destructive, but because I chose to use the national currency of Israel as the denomination (instead of dollars, which would actually be disrespectful), and someone that skipped Social Studies, thought it was being "anti-semitic."
Sort of like the paediatrician in the UK who was attacked because some idiot thought the sign outside her office meant she was a paedophile.
There is no self propagation code built into Pegasus.
It would be relatively trivial to write such - simply have it send the exploit via iMessage to all of a target's contacts, rinse and repeat.
This would be counterproductive though - the whole selling point of Pegasus is targeted surveillance, and such exploits are very costly - uncontrolled spreading would make it detected much faster, burning a valuable resource.
If such exploits were cheap, it’s plausible you could justify writing a variant that automatically attacks a target's entire address book to mine their social graph, but then you have the problem of analysing a shitload of probably worthless data…
If some hacker gets a clearly infectious Pegasus link they should make it spread through messages to everyone. Bricking everyone’s iPhone will probably make all the governments and Apple sit up and do some real damage to these actors.
Seems that the NSO business model is based on ultra exclusivity and a very small number of business clients. Technically, Pegasus could probably retransmit itself to infect another device, but it doesn't fit their business model so I doubt NSO would do this regularly.
Nation states (like KSA) will likely pay very large sums of money to use this against their perceived enemies abroad. A small and exclusive clientele is how a company like this stays out of the lime light.
From what I was able to read previously, it has no ability to spread by itself and has to be installed by a targeted attack. There is also a tool from Amnesty International that can detect it (or was able to): https://github.com/mvt-project/mvt
It is a race though, so past info may no longer be valid. However, I doubt it will ever be able to spread by itself, since it uses very expensive zero days to infect and they will be quickly fixed after detection.
AFAIK, phone numbers are the entry point; it’s the easiest and quickest way to target someone with it. Otherwise it will be more involved to isolate the target. So don’t activate any number on your phone, in addition to Lockdown Mode; plus the usual security precautions should in theory be enough to protect you. Ultimately, don’t use a “smart” phone.
Phone numbers are not targets. Baseband is the big fear vector due to it being a black box, but in reality the apps themselves are being targeted where your phone number is the primary key.
Since the type of exploit Pegasus has been using has recently been seen in the wild, and Apple has had to release more than one security update to address this attack vector, it leads me to believe that not just targeted individuals should enable "Lockdown Mode" on their Apple devices. Although Apple doesn't recommend it, it could be useful if there is a major malware outbreak across the iPhone ecosystem.
[1] https://arstechnica.com/information-technology/2019/01/zerod...
[1] https://security.apple.com/bounty/categories/
TL;DR, Apple probably doesn't care enough
You're in a very exclusive club if you're targeted by NSO (i.e. very few people are victims) and most of the general public probably doesn't understand or care enough to get their pitchforks out.
Personally, if I was anywhere near being a possible NSO target I'd dump all my devices or at least have them fully airgapped; that's the only way you'll win that fight.
That's a dangerous assumption. We only know about the victims who are clueful enough about OPSEC to even be informed about the issue, let alone find out about an attack.
You still wouldn't win that fight without applying those rules to everyone you come in contact with. And even then, the absence of such data could create a pattern enough to identify parts of your life if they have enough data from people that are not around you.
Escaping surveillance from bad actors is essentially no longer a winnable fight. You can only do your best to mitigate it.
And yet:
(a) Lockdown Mode cost money to develop and will cost support time from casuals turning it on when they shouldn't, but Apple did it anyway, and
(b) the journalists only know this happened because Apple told them proactively.
Sounds like they care at least a little.
Apple is a commercial organisation with a sole purpose of generating profit. And the bounties are at their equilibrium points already (or at least supposed to be). Apple is rich enough sure, but they will only spend money if this makes Apple even richer.
You assume it's just money and not political ideology or "because I can, when I can."
Almost zero. If China, with 1.5 billion people, unlimited money and lots of motivation, couldn't hack into iOS, then there is no way Israel can do it multiple times... Just think about it...
It would be a lot easier to just believe Apple gave backdoor access to the Israeli intelligence. It would explain why Europe is at their throat recently after Israel sold Pegasus to Morocco, who used it to spy on French journalists and politicians, which led to Morocco recognizing Israel and the US recognizing the Western Sahara and putting an embassy there. Now those waters (between the Canary Islands and Morocco) aren't the EU's but are shared with Morocco aka the US, and it all happened after discovering that mineral-rich mountain (Mount Tropic) that has lots of minerals used in battery manufacturing. That's just my tinfoily theory for the day... I don't believe all of it but I don't disregard that possibility...
They should keep their phone in Lockdown mode [1]. It's less useful as a computer in that case but the restrictions reduce the attack surface.
1. https://support.apple.com/en-us/HT212650
What’s a Tesla 0-day worth I wonder?
And most modern cars have a Secure Gateway [1] that is mostly not connected to the internet and only allows limited network access from the connected systems to the rest of the vehicle (engine, powertrain, brakes...), so the possibility of a remote scaled attack is low IMO.
[1] https://blackberry.qnx.com/en/ultimate-guides/software-defin...
> Question - why Meduza in particular? That's a slippery, unpleasant creature
> Journalists are generally unpleasant and slippery and there are few who love them - such is the job. Also "Medusa" turns its subject to stone with a glance, which is true of journalists, too. But to be completely honest, we ended up with "Meduza" by chance. We thought the paper should be named after the ancient Greek monster that had its head cut off but came alive anyway. We chose "Meduza" and then remembered that it was a hydra, but it was too late.
1: https://meduza.io/cards/zaday-vopros-meduze, #75
However, what if this person was much lower profile? Let's say a person that lives in a democratic country. Does Apple even know who targeted them? If they do, let's say "if it's China or Russia, we inform." Then what if China or Russia does the exact same thing but using a paid agent in a democratic country?
This raises so many questions. And finally, if Apple can detect such malware, why isn't there an immediate notification from some local app? Like an antivirus for your phone. They must already have something like this, otherwise how would they know?
- A different device for each app (Whatsapp, Telegram, Signal, etc)
- Use web front ends and keep the phone turned off - not sure if it works for all apps
- Regularly ditch devices, sell them second hand and get new/used phones.
- Use the devices to set up meetings in more secure environments, never say/text anything into the phone, assume it's compromised at all times.
And there should be some sanction against NGO, they are scumbags.
Disable iMessage and don't use iCloud at all, for a belt and suspenders approach.
Something akin to Graphene OS where there’s a constant drive to narrow the attack surfaces, but also removing any concessions related to installing apps or Google services entirely.
Basically, a phone that has access to encrypted messaging and the camera/mics under very controlled circumstances and that’s about it.
The restrictions would also limit the popularity enough that it would likely never be worth the cost of targeting, but also provide greater protection to the few people that really need that protection enough to make those sacrifices.
Assembly is a pain to understand even with the latest disassemblers. Cut that out and you’re cutting out 90% of the work.
Now sure in theory having it open source means good people will find the exploit. But have you ever found an exploit and reported it? Of course not. Only attackers are motivated to put thousands of hours of work into looking for vulnerabilities. Unless you pay someone to actually put the same work in, it being open source is meaningless.
Even easier if you have your phone stripped down and locked up in the first place: fewer apps to ever cause outgoing traffic.
Rather than naive, I think his main problem is that he hasn't investigated, before the discussed event, what the European states actually do in that context. Then he would be just worried, not shocked.
Another possibility is that the "shocked" is the "Casablanca shocked":
> Rick: How can you close me up? On what grounds?
> Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
> [a croupier hands Renault a pile of money]
> Croupier: Your winnings, sir.
> Captain Renault: Oh, thank you very much.
So at least for now we'd expect all Pegasus installations to be a result of targeted attacks. On the other hand, if the tool leaks and becomes readily available to multiple actors, then the incentives change and one of them might decide to make a worm that infects everyone in the world who's not patched.
I see that someone flagged my comment.
I suspect that it was not because it was hurtful or destructive, but because I chose to use the national currency of Israel as the denomination (instead of dollars, which would actually be disrespectful), and someone that skipped Social Studies thought it was being "anti-semitic."
Sort of like the paediatrician in the UK who was attacked because some idiot thought the sign outside her office meant she was a paedophile.
It would be relatively trivial to write such - simply have it send the exploit via iMessage to all of a target's contacts, rinse and repeat.
This would be counterproductive though - the whole selling point of Pegasus is targeted surveillance, and such exploits are very costly - uncontrolled spreading would make it detected much faster, burning a valuable resource.
If such exploits were cheap, it's plausible you could justify writing a variant that automatically attacks a target's entire address book to mine their social graph, but then you have the problem of analysing a shitload of probably worthless data…
It is a race though, so past info may no longer be valid. However, I doubt it will ever be able to spread by itself, since it uses very expensive zero days to infect and they will be quickly fixed after detection.