
I always wonder what it takes to find this kind of exploit. Are the programmers at NSO group just the best in the world? Or are they incredibly lucky? Both? I’d love to know what a normal day at work is like for their engineers. Clock in, sit down at a…crazy expensive hardware and software testing station? Crack open a brand new iPhone and start probing away while referencing internet sourced chip documentation and software manuals? What does it even look like?



The NSO group are ex-Mossad who decided working for the government does not pay as well as making money out of exploits, probably obtained at the highest levels of top secret work.

So far, they have been tolerated by the Israeli government as they all went to the same schools, all did the armed forces service together, and all know each other. This allowed them to get a free pass so far. Privately, many of their ex-colleagues are very critical of their lack of ethics.

All this will change, the day some of the NSO exploits will be used against Israel, the same way some of the NSA leaked tools are now used in the wild.


NSO group is ex unit 8200, which is military signals intelligence. So in American terms, it's the NSA not the CIA. The distinction is important in a country with mandatory military service. You get a large number of people who go through, get trained, and then leave because it never was a career. A number of them take their skills to the private sector.

Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving.


Not sure the distinction is relevant in a country with such a small intelligence community:

"The Israeli Unit 8200 An OSINT-based study" https://css.ethz.ch/content/dam/ethz/special-interest/gess/c...

"Most of this data is shared internally across the IDF (as well as sometimes externally, cf. 3.3 below) to the Unit's relevant stakeholders, whether combat troops, decision-makers or other intelligence agencies such as Mossad. Or as Yair Cohen, who served 33 years in Unit 8200, the last five (2001–05) as its commander, put it, '90% of the intelligence material in Israel is coming from 8200 […] there isn't a major operation, from the Mossad or any intelligence security agency, that 8200 is not involved in'."

>"...Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving..."

Tradition is not what it used to be:

"Black Cube: The Bumbling Spies of the ‘Private Mossad’"

https://www.wsj.com/amp/articles/black-cube-the-bumbling-spi...

"...Despite some missteps, Black Cube “has to turn clients away because it cannot service all the demands,” said Mr. Halevy, a former head of the Mossad, an Israeli government intelligence agency. He said Black Cube has worked on 300 cases since being founded in 2010 by two former Israeli military intelligence officers, Dan Zorella and Avi Yanus..."

"Harvey Weinstein hired ex-Mossad agents to suppress allegations, report claims"

https://www.theguardian.com/film/2017/nov/07/harvey-weinstei...


It's an important distinction. The fact that huge numbers of people rotate through the hacking side of 8200 (like the NSA, vast majority of 8200 members don't work on that) is what drives the supply.

Intelligence services typically have less turnover. Though that is changing, particularly for NSA, where people leave to go to contractors.

Also, frankly, describing NSO as ex-Mossad just makes phone malware sound much more complicated than it is and much harder to stop. At the end of the day, it's software, written by people in much the same way any software is written. It just exploits mistakes other software devs made so that it can run.


"by two former Israeli military intelligence officers, Dan Zorella and Avi Yanus."

Emphasis on "military intelligence officers", i.e. not Mossad. This is like mixing up the CIA and FBI. To an outsider they might appear the same, but that's not really the case.


"Ilan Mizrachi, a former deputy head of the Mossad, Israel’s intelligence agency, said that he sees nothing inherently wrong with former intelligence operatives working for civilian enterprises. “Some people I know went into journalism, some are consultants,” he said. “Among many other professions, some work for companies like Black Cube.”

https://www.latimes.com/world/la-fg-israel-black-cube2017110...


Quote from the article: "Despite some missteps, Black Cube “has to turn clients away because it cannot service all the demands,” said Mr. Halevy, a former head of the Mossad, an Israeli government intelligence agency..."


Which determines that he is qualified to speak about Black Cube, not that he works for Black Cube. There's a difference.


Please read the article first...

"Efraim Halevy, former director of Mossad, an Israeli intelligence service, is a member of Black Cube’s advisory board."


OK, those are better pull quotes than the original :) Just noting that Mossad and Aman (military intelligence) are 2 different things.


> All this will change, the day some of the NSO exploits will be used against Israel […]

There's a reason why Russian malware software does not attack systems that have an RU locale for the keyboard: don't sh_t where you eat.


It’s the system language, not the keyboard settings.

https://ke-la.com/lockbit-2-0-interview-with-russian-osint/


Is this true? I've never heard that before. (But makes sense)



This is a myth. Russian systems are suffering from malware just like others. And probably more, because it's easier for local criminals to target local companies. It might be true for a very tiny fraction of malware, but that's definitely an exception, rather than the rule.

Of course if there are state-sponsored hackers (I'm not really aware if those exist, but I allow this possibility), they will target whatever their management points at. And with corruption it's pretty possible that some local business could be targeted as a part of some financial wars.

But the majority of hackers are just some guys with some IT knowledge and zero morals. They'll buy some exploits and tools on black markets, duct tape them into something and release it into the wild, waiting for profits (or police). They'll rob banks or babushkas, they don't care.


It is not a myth for ransomware. Many documented cases. It's essential to the survival of these groups; local cops are more likely to leave them alone if they leave local businesses alone.


> It's essential to the survival of these groups; local cops more likely to leave them alone if they leave local businesses alone.

Which is a huge misconception outsiders have about this scene. They are Russian-speaking, not Russian, just like English-speaking gangs are not necessarily English. These groups may (and often do) consist of nationals of different ex-USSR countries, sometimes without even knowing each other personally. They might not even be a single group, just some individuals doing different parts of the scheme (including the "press releases" and "interviews" they sometimes do).

It has been the case long before all this ransomware fad. Russia, Ukraine, Kazakhstan, Belarus, and partially Lithuania had the world's top CC theft gangs for a couple of decades, and they have always been of mixed origin. They mostly steal EU and US cards because it offers a better reward/risk ratio, compared to the home countries which are poor. But nothing stopped them from stealing CCs in Russia or Ukraine either, certainly not some mythical cops (who couldn't care less in reality); in fact, skimmers are widespread in those countries as well.

Ransomware groups are the same as CC thieves, it's just a different scheme; they probably avoid home countries for the same reason (same risk, less reward). The state can't possibly have too much influence on them, it just triggers the bullshit detector for anyone who lives in any former Soviet republic and knows about this stuff at least superficially.


It's specifically because Russian prosecutors couldn't care less if there are no Russian victims. By doing this they know there is next to zero chance of criminal proceedings.


Possibly but even if so it's just in a few examples that probably won't be repeated in the future now that it's known.


> So far, they have been tolerated by the Israeli government

Why wouldn't the Israeli government tolerate them? If anything, doesn't their government benefit from groups like this?

They get access to spy tools that they didn't have to use taxpayer money to fund, and because it's former members of their own intelligence working on it, they have some semblance of influence over how it's used.

Am I missing something?


That's my understanding too. Funding is not really an issue; 8200 has one of the biggest budgets in the army, but they are bound to the law and regulations. NSO, on the other hand, can cross the lines and keep Israel uninvolved.


Not really. Israel likely openly shares secrets with other Five Eyes countries and so it gets a sort of free pass from geopolitical pressures. It's a mutually beneficial exchange. In addition to the Mossad comment, the Israeli students who work for these groups take an entrance exam at 17 and that recommends them for what's known as Unit 8200, which is a feeder network/NSA clone.


Israel isn't part of five eyes.


I think GP was referring to geopolitical alignment and intelligence sharing rather than membership per se.


Which Israel is also not part of.

Israel is only peripherally and reluctantly involved in the confrontations with Russia and China at the heart of 5E interests, and it neither trusts nor is trusted by 5E countries to the level of sharing intelligence sources or tools except in specific, transactional interactions.

American and Israeli politicians like to talk about Israel being America's "closest ally", but those are just pretty words. Israel's real selling point to the US is that it's a low-maintenance ally.


> Israel's real selling point to the US is that it's a low-maintenance ally.

Hm, that's interesting. Israel seems to be the highest-maintenance ally the US has. Other than, perhaps, Pakistan.

I would say that Israel is politically necessary in the US, but they are expensive and prickly.

And I don't think I've ever seen the "closest ally" quote.

We surely inhabit different media worlds, but FWIW that's the perspective from this side. No arguments intended.


The United States has thousands of troops deployed across the Gulf to defend its allies there. It has another several thousand as a "tripwire" in South Korea.

US troops have died in combat defending Saudi Arabia and Kuwait. They've been killed by militants directly supported by Pakistani intelligence services.

How exactly is Israel "high maintenance" by those standards?


That's a reasonable argument, but I'd counter that the US has never defended Kuwait nor Saudi Arabia, but only her own interests in the region.

I think the US support of Israel comes from a different place, and I think Israel is a cantankerous partner. This may be by design, of course.


If you want to define away sending hundreds of thousands of troops to defend Saudi Arabia, using those troops to free Kuwait from foreign invasion, and then keeping those troops in both countries (where they've taken everything from car bombings to shooting attacks) as defending her own interests rather than those states, then you can define away any action taken on behalf of an ally that way. To take this to an extreme: by that definition, US defense of South Korea isn't "aid to an ally".

There is a legitimate argument that US aid to Israel isn't well thought out rationally, but the only reason that's plausible is that a few billion a year and low-cost diplomatic statements/votes aren't a big enough deal for the Serious National Security Considerations to come into play.


I agree with your last paragraph.

I think the hostility encountered by the US in the Middle East is entirely a function of protecting her own interests in a complicated and contested region. Maybe necessary, definitely inevitable.

The human suffering on all sides is a cost of doing business. This is deemed acceptable by the US govt and not contested by the hosting countries for various bad reasons. It is nothing more special than that. There is no grand righteous moral justification, but that is a useful fiction.

I apologize if this offends you, and I don't share it to be disrespectful -- just to explain my perspective.


I mean, sure. The moral question is important! But I was starting from a thread of people who didn't understand the real-life character of the Israeli-American relationship.

If you're trying to describe the actual actions of the parties involved, morality is not a useful analytical or predictive tool; that comes into play when you yourself try to act.


Doesn't the USA literally send billions of dollars of hardware as "military aid" to Israel?


It gives Israel military aid on the order of $3-4B per year. On US budget orders of magnitude that's peanuts, and comes with none of the US troop or naval commitment of e.g. the Saudi or Korean alliances.


6 eyes


> All this will change, the day some of the NSO exploits will be used against Israel, the same way some of the NSA leaked tools are now used in the wild.

Has the leak of NSA tools changed anything?


> Has the leak of NSA tools changed anything?

Yes. The bipartisan USA Freedom Act limited several aspects of the NSA's dragnet [1]. Amendments weakening the bill were defeated [2]. Less materially, a documentation requirement for § 702 searches of U.S. persons was added in 2018 [3].

[1] https://www.eff.org/deeplinks/2014/11/usa-freedom-act-week-w...

[2] https://www.eff.org/deeplinks/2015/05/usa-freedom-act-passes...

[3] https://www.lawfareblog.com/summary-fisa-amendments-reauthor...


I’m skeptical the NSA doesn’t just ignore or creatively interpret laws it doesn’t like, given their past history and the consequences for their misbehavior.

I mean when the CIA got busted not only spying on Congress a few years ago, but also lying about spying on Congress, they were told “don’t do that again please.”


"Not wittingly."


http://www.hasjamesclapperbeenindictedyet.com/

Statute of limitations has expired, IIRC.


It's mind boggling Clapper wasn't crucified for this. This sort of thing keeps happening and some sketchy outsider may get elected with catch phrases like "Drain the swamp". Oh wait...


I can't believe nobody went after the org with algorithmic dossiers for everybody on earth.


Google or Facebook?


There is only one org that has access to all of this data and more.


It's also the Mossad/Israeli government realizing that their capabilities and interests can be advanced by having the hacker mercenary services for sale.


> The NSO group are ex-Mossad

There's no such thing as ex-Mossad or ex-CIA or ex-KGB etc.

Apparently it's not Mossad but Unit 8200, but I'd bet anything that nothing happens without their blessing.


The high-tech industry in Israel is not that big. If you look at the companies that make COTS microwave and millimeter wave telecommunications equipment, they're not too different from the other .IL companies which make advanced radar systems, jammers, and avionics for aircraft.

I imagine it's similar for black/grey-hat software development.


The tech industry in Israel is RELATIVELY huge, not in absolute numbers of course.

I didn't get the connection between microwave and spying tools.


RF/microwave/millimeter wave engineering, SIGINT, cryptographic stuff and unit 8200 + spying tools are linked.

https://en.wikipedia.org/wiki/Unit_8200


It wouldn't be too far-fetched to imagine that NSO is running malware campaigns against Apple and Google employees.


Look at the exploits Google's Project Zero finds for a less clandestine example. No doubt they employ clever people, but you don't have to be superhuman to find vulnerabilities in code. Part of it is paying people to sit down and work on it full-time.

An interesting quote:

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-c...

"This has been the longest solo exploitation project I've ever worked on, taking around half a year. But it's important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren't typically just individuals working alone. They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on."


Yep, Apple themselves will find exploits, white hat hackers will find exploits, Project Zero or Microsoft teams will find exploits, and so will NSO or other blackhats. It is a mix of luck, skill and putting in the time. NSO has successfully monetized their exploits, allowing them to then invest the money back into hiring more people, which increases the luck/time put into it.


There's an entire "gray market" of exploit brokers. NSO group is one of the many players. There's a good chance this is an off-the-shelf exploit.

The podcast Darknet Diaries had an episode about the topic recently: https://darknetdiaries.com/episode/98/

(that episode is tied to this book: https://www.amazon.com/gp/product/1635576059/ about the topic)

Also, I like that podcast in general - highly recommend it if you're into infosec stuff!


Episode 100 is specifically about NSO and dives deeper into Pegasus. Highly recommended listening after episodes 98 and 99.

https://darknetdiaries.com/episode/100/


Saw the thread title & clicked through to post exactly the same :)

It's a great set of episodes. This is without a doubt my favourite podcast. 2nd favourite being Knowledge Fight, which debunks Alex Jones and the nonsense that he spews on a daily basis.


That goes very well with this prior episode as background info: https://darknetdiaries.com/episode/28/


Just read that book after listening to the DND episode with the author and it is really great.


They probably hunt exploits like that, but what is quite likely is that they have access to stolen Apple source code and scour it for type overruns like the one in CoreGraphics that is the cause of this exploit. I would estimate that the majority of exploits are the result of source code theft, leaks of potential vulnerabilities from people who have access to the source code and social engineering. There isn't anything particularly special about a "Mossad" trained or "NSA" trained hacker. They are engineers like many of us and prefer the path of least resistance. Trying to brute force buffer overruns without having source code access is tedious. Why go to all the effort to black box exploits when you can take advantage of source code analysis.

I mentioned in another post about why people would leak to the press, when you most likely will get caught and fired. Leakers of a different caliber will leak source code to governments and companies like NSO and have much less likelihood of being caught and much higher remuneration.


You estimate wrong. I've been in infosec for over a decade. We look at binaries. It's not that hard. In fact, it's often easier, since type conversion errors are often a lot more apparent in a disassembly, where you can see exactly what operations are being performed without having to know exactly what the language rules around signedness and integer promotion are, and without having to follow through complicated type hierarchies. Similarly, a good optimizer will strip away layers of software abstraction and make what's actually happening more evident.

There is value in source audits, but you're wrong that exploits come out of stolen source. That's exceedingly rare, and usually quickly publicly leaked when it happens.
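An added example, not code from anyone in this thread: a signedness bug of the kind the comment above describes, in a constructed length-prefixed format (not a real protocol). In source, `len > MAX_PAYLOAD` reads like a complete bounds check; in a disassembly it shows up as a signed compare guarding a size_t argument, which is the mismatch a binary reviewer looks for. The vulnerable check is shown beside the hardened one, and the hostile length is only fed to the check, never to an actual copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 64

/* Constructed wire format for this example (not a real protocol):
 * 4-byte little-endian length field, followed by that many payload bytes. */
static uint32_t read_u32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the wire length lands in a signed int and is checked
 * with a signed comparison, but the consumer (memcpy) takes a size_t.
 * Source view: "len > MAX_PAYLOAD" looks like a complete bounds check.
 * Disassembly view: a signed jg/jle guarding an unsigned size argument.
 * This helper only reports whether the check passes; it never copies. */
int vulnerable_check_accepts(uint32_t wire_len)
{
    int32_t len = (int32_t)wire_len;   /* 0xFFFFFFFF becomes -1 */
    if (len > MAX_PAYLOAD)
        return 0;                      /* -1 > 64 is false: check passes */
    /* a real parser would now run memcpy(buf, payload, len) with (size_t)-1 */
    return 1;
}

/* Hardened pattern: the length stays unsigned from the wire to the copy,
 * and is also checked against the bytes actually present in the message. */
int hardened_check_accepts(uint32_t wire_len, size_t available)
{
    if (wire_len > MAX_PAYLOAD)
        return 0;
    if ((size_t)wire_len > available)
        return 0;
    return 1;
}

/* Parses one message with the hardened check. Returns the number of payload
 * bytes copied into out (capacity MAX_PAYLOAD), or -1 if rejected. */
int parse_message(const unsigned char *msg, size_t msg_len,
                  unsigned char out[MAX_PAYLOAD])
{
    if (msg_len < 4)
        return -1;
    uint32_t wire_len = read_u32_le(msg);
    if (!hardened_check_accepts(wire_len, msg_len - 4))
        return -1;
    memcpy(out, msg + 4, wire_len);
    return (int)wire_len;
}

/* Constructed sample: a well-formed 5-byte payload. Returns 5 on success. */
int demo_valid_message(void)
{
    static const unsigned char msg[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    unsigned char out[MAX_PAYLOAD];
    int n = parse_message(msg, sizeof msg, out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : -2;
}

/* Constructed sample: length field 0xFFFFFFFF with one trailing byte.
 * The vulnerable check accepts it; the hardened parser returns -1. */
int demo_hostile_message(void)
{
    static const unsigned char msg[] = {0xff, 0xff, 0xff, 0xff, 'x'};
    unsigned char out[MAX_PAYLOAD];
    return parse_message(msg, sizeof msg, out);
}

int main(void)
{
    printf("vulnerable check accepts 0xFFFFFFFF: %d\n",
           vulnerable_check_accepts(0xFFFFFFFFu));
    printf("hardened parse of valid message:    %d\n", demo_valid_message());
    printf("hardened parse of hostile message:  %d\n", demo_hostile_message());
    return 0;
}
```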


> Similarly, a good optimizer will strip away layers of software abstraction and make what's actually happening more evident.

I can attest to this, I've found it's frequently far more satisfying to debug at -O3 than -O0. At O3, the disassembly really lays bare the invalid assumptions that were relied upon.


I respect your expertise and agree that good tools can help find potential vulnerabilities.

You aren't the first person to say that exploits created as a result from source code theft are rare and the theft is quickly publicly leaked when it happens. Why do you think this? I would think that unethical players like NSO Group would have even more motivation to ensure the use of stolen source code is never revealed.


Because I've been doing this for years and I know how we find exploits; we don't need source. Why would NSO need it?

NSO isn't an "unethical" player, they are "ethical" within their own twisted ethics (that most of us don't agree with). They aren't a spy organization outside the law, they're a company building tools for (supposedly) law enforcement. Being caught doing something blatantly illegal like using stolen source code would be the end of them. They can't afford that risk. They have absolutely no need to use source code. There are zillions of binary-only techniques for finding exploitable bugs (e.g. fuzzing). Source code just isn't nearly as useful as you think it is.

If you want a practical example: just a few weeks ago I got ahold of a peculiar, wholly undocumented embedded device (can't even find teardowns on the Internet, no public firmware downloads, etc) and within one day I had a remote root exploit working - this wasn't using an existing CVE in a library, this was a bespoke bug in this device's firmware, and the exploitation involved reverse engineering two authentication token algorithms and a custom binary communications protocol. No source code. Obviously this isn't iOS, which is quite a bit more hardened, but that should give you an idea of just how easy it is to find exploitable bugs with just something like Ghidra, if you know what you're doing (I was: I was looking specifically for a kind of bug likely to exist, to narrow down the possibilities of where it might be present, and eventually found a suspicious point of attack surface that indeed turned out to be vulnerable; then it was just a matter of reverse engineering enough of the protocol and token requirements of that code to be able to actually trigger it remotely).

I was actually kind of annoyed it took as long as a couple hours to find it (once I had a decent understanding of the rest of the system); I was expecting even less, but it turned out they did a better job than I expected avoiding some of the classic mistakes - but not a good enough one :).


Thanks for the insight. It is super informative!


> I would estimate that the majority of exploits are the result of source code theft, leaks of potential vulnerabilities from people who have access to the source code and social engineering.

No. Some Apple source code has publicly leaked (iBoot) but stealing this kind of stuff is bound to leak. And reversing binaries for vulnerabilities is not that much harder.


They recruit people who were trained to find exploits, it’s less about having the best programmers and more about having people with a specific set of learned skills and dedicating them to this task.

I would be surprised if their core iOS research team is much more than 10 or so people at any given time.

They also probably use brokers and buy at least some of the exploits they use from freelancers; if they offer ~7 figures for a zero-click exploit, a lot of freelancers will be working on this too.

It’s just like any bug bounty program, internally you run a small and dedicated team and externally you pay enough to entice freelancers to spend their free time on your systems to scale it further.


It takes IDA Pro, some low level asm/C++/Python programming skills and a lot of hours.

Reverse engineering is not that complicated, however getting some results is difficult and time consuming.

In that example it's basically looking at how some libraries are parsing input, that's it. Since everything in those phones is C/C++, nothing is "safe".

It's the same skills you need to crack games, cheat in online games etc ...


It would be quite difficult if you can't get access to the binaries that you have to put into IDA (or, well, Ghidra, for that matter, but IDA Pro is probably better).


The binaries are available in OS restore images that Apple makes publicly available.


Ian Beer with Google's Project Zero gives an amazing walk-through of what it took for him to build a similar exploit.

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-c...


"Are the programmers at NSO group just the best in the world?"

The parent comment seems to imply that someone who can find programmer mistakes is a better programmer than one who actually writes software for the public. If that's true then wouldn't it be reasonable to prefer to use messaging software written by NSO instead of Apple? Why don't "security researchers" write the software we use instead of "software engineers"?^1 Which group would be more likely to have "the best programmers in the world" who would be the least likely to make mistakes? Honest question. I'm not trolling. I think about this question all the time.

1. Some of the programs I use and rely on everyday, even more than something like "iMessage", were written by people who claim to work in "security" or "research" (or even teaching math to university students) not "engineering". I have no complaints about these programs. Yet I have plenty of complaints about the software foisted upon us by Big Tech.


It’s just a matter of the two groups having different skills. One group writes for the general case while the other specialises in corner cases.

The latter looks really impressive when it’s done well, but it’d be silly to expect someone with deep security knowledge to sit down and build a spreadsheet manager from scratch. The two skill sets are just different. There is no “best”.


The hard part is not necessarily finding the programming mistake so much as figuring out a way to reliably exploit it. Back in the day before ASLR and other mitigations it was really straightforward, but modern OSs have much more sophisticated countermeasures to prevent buffer overflows and use-after-free bugs from enabling RCE.


"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."


Engineers need to write 1k lines of perfect code all the while being chased by their bosses to finish fast.

Hackers need to find just one mistake out of 1k lines of code.


Exploit development is a skill like any other. Instead of learning things like software design patterns, distributed systems, software reliability, etc you would have spent time learning about memory layouts, OS designs, mitigation techniques, decompilers, etc.


A lot of times it is just poring over code looking for bugs that have already been found in other locations in the code.

For example, this is a use-after-free bug. You can statically analyze disassembled code to find places where this might be happening, and then figure out how to exploit that instance of the bug.


If you have an organization that can legally hire people, pay them a stable salary and legally sell exploits to all sorts of people around the world you end up with NSO.

NSA finds exploits for their own mission and Google Project Zero researches vulnerabilities to [per their claim] ensure internet stays a secure platform but neither of them sell exploits for profit like NSO.

So, no, they're not the only "genius"es out there. They just are less ethical about it.


I could really recommend you the book A Bug Hunter's Diary by Tobias Klein, which is a practical walk-through of finding these kinds of security bugs.

https://nostarch.com/bughunter


Here's a ranking of top people for this kind of job:

https://ctftime.org/

Members of those teams are often Security Engineers at e.g. Google, banks, computer emergency response teams (CERTs) and so on.


They are not as secretive as I expected, even running a Twitter account. Kind of uncanny.

>We have two Canadians, two Estonians, an Israeli and a Korean


These are security teams doing capture-the-flag competitions, you can literally walk up to them at in-person events and say hi if you'd like. There's nothing illegal going on here.


I think it's more that the possibility space for exploits is so large that a dedicated force of highly creative reverse-engineers is all you need to dig them up.

From what I've heard it can be almost trivial to find them if you know what to look for. But it seems that very few people know exactly where to look, and fewer still understand how to interpret the results.


https://www.youtube.com/watch?v=zyHI2Ht3OAI Jiska usually finds a couple of remote exploits a year by just looking at a new component/subsystem. It's all a dumpster fire underneath :(


They may have purchased it from an exploit broker.


Zerodium will pay up to $2,500,000 for no-click iPhone/Android exploits [1]. I'm sure they'd only pay that much if they were highly confident they have clients who'd pay enough to make the risk and investment worth it.

[1] https://zerodium.com/program.html


Someone still had to discover it though!


Come on, since the jailbreak was discovered (checkm8 as the king of them) you can run pretty much anything on the iPhone itself, including automated tests, fuzzing, debugging and crash dump analysis. Breaking is always easier than building. iMessage has been plagued with such bugs since 2010; the question is how it has not yet been rebuilt to decent quality. Retarded security measures like BlastDoor or ASLR are irrelevant, as these are mostly security theatre that just requires an extra step to avoid.


It's not too esoteric, fortunately. The short explanation is they are a part of the Israeli gov, as with all tech companies in that territory, so that gives certain material advantages to their preferred companies, just like how USA does with offense contractors like Northrop.

Basically, they are propped up by their gov, and that is the major problem.


> I always wonder what it takes to find this kind of exploit.

A lot of knowledge about the target system's internals (comes with experience) and probably a lot of investment in fuzzing infrastructure or A LOT of time reverse engineering and reviewing manually. Finding bugs in closed source software by hand is incredibly slow and painful.


The few most recent episodes of the "Darknet Diaries" podcast, which are relevant, including interviews with CitizenLab, descriptions of how NSO works, Black Cube, and the market for buying exploits from Argentina.

https://darknetdiaries.com/


Most likely they buy exploits on the market, like basically everyone else. No reason to limit yourself only to the first party knowledge.


> I always wonder what it takes to find this kind of exploit. Are the programmers at NSO group just the best in the world?

Not much different to how software exploitation was done in the Win98-ME-XP era.

A lot of vulnerabilities are very obvious from disassembly, and often can even be found with automated tools.

Today, it's easy. Back in early 200x, everybody was not only hiding their sources well, but obfuscating binaries in every way possible.

People just forgot the scale of binary-only exploitation at its peak.




As someone who has some familiarity with the people and processes, this response seems extremely off to me.

> Selection starts from age of 4

Care to share your sources for that? As far as I know most are self taught and get some further training in military.

> Boring.

It might be boring to some and might be extremely interesting for others. People who like solving puzzles and facing hard challenges usually like it. Of course, if your passion is building you wouldn't like it as you don't "build" something new.

> Usually a group of introverted young kids that look at their own shoes while talking to you, led by an extroverted young kid, that looks at your shoes while talking to you.

Have you met these people at all? Because it definitely sounds like you haven't and you just describe the typecast some movie would use.


> Care to share your sources for that?

I'm Israeli.

My children attended/graduated from/served in kindergarten/school/the army in Israel and I saw the selection process as a parent.

My wife was a school teacher in Israel. She described to me some of the evaluation metrics she was supposed to submit every half a year over each and every pupil she had.

> Have you met these people at all?

I cannot confirm nor deny I met these people.


I have lots of friends who are ex-8200 (the high levels of high-tech are surprisingly full of them, actually) and this is the first time I hear about that. If you mean that the selection that happens at 17yo is based on grades and teacher evaluations since kindergarten, that might be, but it sounds different than "selection starts at 4yo", which implies that 4yo kids are selected and followed all their life.


> "selection starts at 4yo" which implies that 4yo kids are selected and followed all their life.

I mean, they have been followed all their lives by the time they arrive at the final selection process; it is a track record after all.


Yes, but they are followed then selected, not selected then followed. Which has totally different dystopian taste.


So when you said "Selection starts from age of 4", you mean that schoolchildren of this age receive standardised testing?

What does this have to do with the military? What does the "selection" actually entail?


What my daughters went through:

1) At the age of 4 all the parents were gathered to meet the kindergarten personnel. They explained that the kids would play games all year. Parents were separated into groups and given logical puzzles to solve. Results were noted.

For the next two years children were playing games with changing rules to negate natural ability for specific game and to select for ability to find the best strategy within current constraints.

At the same time each parent is given a day to present his/her profession. Results are noted.

Results were passed to school class selection committee.

2) According to the results in kindergarten, kids are grouped in schools. Some are given the opportunity to participate in electrical engineering or robotics activities (my daughter was top 5 in an Israeli competition for 6-9 year olds with a reduced team).

3) By the end of the second year some of the parents are notified that there will be an examination. The test is analogous to an IQ test (math, language, general knowledge), graded on a curve for the municipality. The top 8% are invited for one day a week of additional activities. The top 2% are invited to special schools with a much more intensive program. My daughter made it to the top 8%. Activities are: decision making, finding solutions within constraints, leading groups of people to solve bigger problems.

4) By the end of elementary school, depending on previous results, kids get access to the full math program (as opposed to reduced arithmetic). Additional activities include software and electrical engineering, robotics, chemistry, physics and so on. Parents and kids that didn't make it to the top 8% in previous years are not aware of these activities (invitations are sent personally).

5) At the age of 15 kids pass an initial evaluation by the IDF. Good grades in high school will guarantee the initial evaluation is upheld. Bad grades will negatively impact the chances.

6) By the end of high school the whole history and psychological profile are passed to the IDF for final evaluation.

> What does this have to do with the military?

In Israel everything has everything to do with military.


You witnessed the hiring process of the NSO Group, which begins at 4 years old in kindergarten? For a company which has existed for 11 years?

I can't agree more with what the above commenter said. This is not infosec hiring, it's Spy Kids.


He didn't say it was NSO, but the Israeli military and specifically 8200.


One person's boring is another's career culmination. Breaking system security often consists of dead end after dead end, and even if you get a lucky break, you may hit another dead end after that. Finding an exploit often isn't enough these days, they need to be chained together to actually get somewhere interesting. Personally, it's very unrewarding (aka boring, imho) work most of the time because you don't find anything a lot of the time. (The high off of finding something is something else tho, lemme tell you.) If you're interested in the sort of work involved, http://microcorruption.com is a good CTF to start out on.


You just leaked that the extrovert is a Finn! (the original joke is about a Finnish extrovert).


> Are the programmers at NSO group just the best in the world?

Most people who are good at this are working for national security orgs, blue team in the private sector, or cash focused criminals. This is the relatively small group of people who are comfortable selling tools to help dictators hack journalists up with saws.



