Apple’s Insecure iPhone Lets NSO Hack Journalists (Again)

Yet another zero-day bug in iOS has allowed notorious spyware vendor NSO Group to break into the iPhones of journalists and activists. Again, it’s an unpatched zero-click vulnerability in the Messages app.

Yes, that’s the app Apple protected with a ring of steel some six months ago. A fat lot of good “BlastDoor” was—NSO’s Pegasus just flew straight through it.

As usual, NSO denies everything. In today’s SB Blogwatch, we roll our eyes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Master.

Zero-click, Zero-day

What’s the craic? Malcolm Owen reports—“iMessage, Apple Music used by Pegasus to attack journalist iPhones”:

Especially worrying
Amnesty International has detailed evidence showing some of the ways NSO’s Pegasus spyware tool infiltrated the iPhones of journalists and activists, by using weaknesses in Apple’s software including an iMessage zero-click 0-day vulnerability. … While NSO claimed the tool was only to be used against criminals, a leaked list of potential targets revealed a number of journalists were also being monitored by NSO’s clients.

For many of the attacks, it appears that NSO used vulnerabilities within Apple’s software to gain access. … Some of the attacks were deemed “zero-click,” where a target doesn’t have to interact … to be successfully attacked.

The details … demonstrate that there are still areas of concern in Apple’s mobile operating system that need continuous improvement and monitoring. … The determination that attacks in July occurred against a fully-patched iPhone 12 running iOS 14.6 is especially worrying, as that shows some security holes are still open.

And Dan Goodin adds—“‘Clickless’ exploits from Israeli firm hacked activists’ fully updated iPhones”:

Smartphones belonging to more than three dozen journalists, human rights activists, and business executives have been infected with powerful spyware that an Israeli firm sells, purportedly to catch terrorists and criminals. … NSO Group … has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries have been found using the malware against journalists, activists, and other groups not affiliated with … crime.

Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages. … It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps.

Hundreds of journalists, activists, academics, lawyers, and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations, including CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.

What’s up with that iOS zero-day? Citizen Lab’s Bill Marczak explains:

Pretty lame
Apple has a major blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving. … Phone logs show that … some of the … exploits deployed by NSO Group involved ImageIO, specifically the parsing of JPEG and GIF images. ImageIO has had more than a dozen high-severity bugs reported against it in 2021.

BlastDoor is a great step, to be sure, but it’s pretty lame to just slap sandboxing on iMessage and hope for the best. How about: “don’t automatically run extremely complex and buggy parsing on data that strangers push to your phone!”?

Next shoe? Joseph Cox drops this—“Amazon Shuts Down NSO Group Infrastructure”:

Amnesty wrote that a phone infected with NSO’s Pegasus malware sent information “to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months.” … Citizen Lab, in a peer review of Amnesty’s findings, said in its own post that the group “independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”

CloudFront is a content delivery network (CDN) that allows customers, in this case NSO, to more quickly and reliably deliver content to users. … The move to CloudFront also protects NSO somewhat from researchers or other third parties trying to unearth the company’s infrastructure. … The Amnesty report said NSO is also using services from other companies such as Digital Ocean, OVH, and Linode.

To which VeryFluffyBunny suggests the next hed:

Unprotected AWS bucket
Next headline on this topic: NSO employees accidentally leave hacking tools source code on unprotected AWS bucket.

But how could Apple be so incompetent? This Anonymous Coward alleges an allegation:

Flaws? Really. It’s interesting that OS’s and applications are so conveniently vulnerable to spyware designed for state security agencies.

[It’s] almost as if those vulnerabilities are entirely deliberate.

And Tsur puts it more plainly:

NSO Group is making a mockery of iOS security. It’s not just Messages: Safari, Music, Messages, & Photos are all used as vectors. And this seems current up to the just released 14.7.

Something should be done! So saloomy suggests something: [You’re fired—Ed.]

My fist
Why isn’t this illegal? If you happen to come across the code to a bank vault, and give the code to would-be thieves, that’s prosecuted under accessory charges.

If you find a vulnerability, and give it to anyone other than the manufacturer, and that gets exploited, it should be prosecuted as accessory to – along with – the Computer Fraud and Abuse Act. You are accessing a computer system you have no permission to access.

This is akin to revenge porn, or selling the codes to someone’s door lock, or the code to copy a car fob. It is and should be illegal. Just like it’s a restriction on where I can put my fist based on where your face is.

Why has nobody blamed the victim yet? jdavis703 obliges:

Don’t leave a digital trail
I did helpdesk support at a news agency. We were constantly cleaning up malware from journalists’ computers. The journalists were constantly downloading all sorts of sketchy files.

Basically, if you’re leaking state secrets / embarrassing repressive governments, don’t leave a digital trail that can be traced back to you. Just assume everyone … has been hacked … (especially journalists on national security or human rights beats).

Meanwhile, autostop describes NSO’s oh-so-rigorous vetting process:

Pinky swear
Give NSO some credit. A state actor purchasing their product has to pinky swear that they are not going to use it to abuse human rights.

And they do check to make sure they’re not crossing their fingers on their other hand. It’s pretty rigorous.

And Finally:

British kids’ TV is darker than a very dark thing (excellent fan edit)

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Tyler Lastovich (via Unsplash)
