
NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender - dropalltables
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
======
linkregister
Amazing work by Lookout and Citizen Lab.

Until this point I was not aware that Lookout provided any value-add for
mobile devices. I was under the impression it was the McAfee of mobile.

It sounds mean but this is the first reference to actual vulnerability
discovery done by themselves on their blog, which usually reports on security
updates that Google's Android security team discovered. Previous entries
include such gems as "Now available: The Practical Guide to Enterprise Mobile
Security" and "Insights from Gartner: When and How to Go Beyond EMM to Ensure
Secure Enterprise Mobility."

I can't wait to see more great work. Lookout is now on my radar.

~~~
dropalltables
Direct links to other resources:

Technical analysis: [https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf)

CitizenLab analysis of the nation-state side of things: [https://citizenlab.org/2016/08/million-dollar-dissident-ipho...](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/)

Apple update: [https://support.apple.com/en-us/HT207107](https://support.apple.com/en-us/HT207107)

~~~
tkinom
Love that Technical Analysis.

If Apple, Google, MS, Linux distribution does the following:

* Create sha1, sha256, sha256 checksums of every system and app file and store them in a secure database somewhere.

* Check and audit the system files from time to time and notify the user when a change happens.

Would it prevent this type of attack or at least notify the user that system
security has been compromised?

~~~
omgbear
Tripwire is a linux util for doing just that. However you need some read-only
media to store the hashes and I think rootkits can still just intercept the
read calls.

[http://linux.die.net/man/8/tripwire](http://linux.die.net/man/8/tripwire)

~~~
eriknstr
Some years ago, I had Tripwire installed for a few days but quickly removed it
again because whenever I upgraded installed packages, I'd get a storm of
messages about files which had changed and that was just annoying since I was
the one who had initiated the action that caused the files to change, but at
the same time there were so many files that changed of course, that I had no
way of distinguishing legitimate changes (as they all were) from any potential
illegitimate changes.

~~~
bigiain
That's precisely what it's supposed to do. If you update the Tripwire db every
time you "initiate an action that causes monitored files to change" - then it
does a _magnificent_ job of telling you when someone _else_ changes those
files.

You need to run 'tripwire --update' every time you run 'apt-get update' or
'pip install foo' or 'npm install bah' or whatever - then you won't get that
storm of false positives.
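The file-integrity workflow tkinom asks about and bigiain describes (baseline the hashes, re-baseline after every authorised change, alert on anything else), as an added example in Python that is not part of this thread and not Tripwire's own code. The directory tree, file contents and the "package upgrade" are constructed inline so the scenario runs offline; the baseline is a plain JSON map of relative path to SHA-256.

```python
"""Minimal file-integrity monitor in the Tripwire style (added example).

Workflow shown in demo():
  1. build a baseline of SHA-256 hashes for every regular file under a root
  2. an authorised change (a simulated package upgrade) produces a "storm"
     of differences, so the operator re-baselines (the 'tripwire --update' step)
  3. a later unexpected change is reported against the fresh baseline
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (symlinks skipped) to its SHA-256 hex digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a saved baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; in real use dest should be read-only media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario; returns the three check() results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        db = Path(tmp) / "baseline.json"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"ls v1")                  # constructed content
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        # 1. initial baseline, stored outside the monitored tree
        save_baseline(build_baseline(root), db)

        # 2. authorised change: a simulated package upgrade rewrites ls and adds cat
        (root / "bin" / "ls").write_bytes(b"ls v2")
        (root / "bin" / "cat").write_bytes(b"cat v1")
        storm = check(root, load_baseline(db))   # the false-positive storm from the thread

        # operator knows they caused this, so they re-baseline ('tripwire --update')
        save_baseline(build_baseline(root), db)
        quiet = check(root, load_baseline(db))   # nothing to report now

        # 3. unexpected change: hosts edited and cat removed behind the operator's back
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        (root / "bin" / "cat").unlink()
        alert = check(root, load_baseline(db))   # this is the report worth paging on

        return {"storm": storm, "quiet": quiet, "alert": alert}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats from the thread carry over unchanged: the baseline must live somewhere the attacker cannot rewrite (omgbear's read-only media), and a kernel-level implant can lie to the hashing process about file contents, so an on-device check like this is evidence of tampering when it fires, not proof of integrity when it stays quiet.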

~~~
mcbain
Honest question from an interested party: have you actually had it alert you
about someone else changing the files?

I've been in the previous boat: of having it running on a system I've
inherited, and given up because it seemed too much hassle.

~~~
bigiain
Yes - a few times a year when normal and authorised things or people have
unexpectedly changed files in tripwire-protected places, and in ~20 years I
think three times when I'd had an intrusion.

Those three timely notifications of real breaches have made 20+ years worth of
occasional false positives 100% worth it.

------
toufka
There is a frustration, as a user, that as the value of the iOS exploits
increase, they become more and more 'underground'. The time between OS release
and public jailbreak is continually growing - and it doesn't seem to only be
due to the hardening of the OS. People are selling their exploits rather than
releasing them publicly. And the further underground they go, the more likely
they will be utilized for nefarious purposes rather than allowing me to edit
my own HOSTS file. The most recent iOS jailbreak (to be able to gain root
access to _my_ iPhone) lasted less than a month before Apple stopped signing
the old OS. Yet it's clear this (new) quick action on Apple's part does not
(yet?) stop persistent state-sponsored adversaries.

It is more and more clear that to accept Apple's security (which seems to be
getting better, but obviously still insufficient) I must also accept Apple's
commercial limitations to the use of a device I own. And I suppose that the
dividing line between the ability to exploit a vulnerability and to 'have
control' is a sliding scale for every user: one man's 'obvious' kernel exploit
is another man's 'obvious' phishing scam.

It is not a new tension, but it does seem the stakes on both sides seem to be
getting higher and higher - total submission to an onerous EULA vs total
exploitable knowledge about me and my device. Both sides seem to have forced
each other to introduce the concept of 'total' to those stakes, and that is
frustrating. More-so when it's not yet clear which threat is greater.

~~~
totocino
I look at it the other way: as exploits become more and more underground, I
feel safer: I know those exploits are more likely to be used by state actors
against activists and other people who are doing illegal stuff, and less
likely to be used against me and millions of other users to install malware on
our phones (to make them send spam, to make them send expensive texts...)

So yes I feel safer now.

~~~
Forbo
Perhaps you feel that way because you have the luxury of living in a place
where human rights are respected. That these exploits are being used by
regimes to shut down opposition is terrible in its own right.

Edit: As for net effect on global society, I think having my phone be part of
a botnet that sends spam is less impactful than disrupting democratic
progress.

~~~
kartickv
The point still stands: these bad regimes will find it harder to do their
dirty work as security increases.

------
guelo
NSO sells tools that when used violate the CFAA act. It is an Israeli company
but a majority share was bought by a San Francisco based VC [0]. It doesn't
seem like it should be legally allowed to exist as an American owned company.
Maybe Ahmed Mansoor could sue the VC in American courts.

[0] [http://jewishbusinessnews.com/2014/03/19/francisco-partners-...](http://jewishbusinessnews.com/2014/03/19/francisco-partners-acuires-israeli-intelligence-cyber-tracking-developer-start-up-nso-for-120-million/)

~~~
cloudjacker
a) Selling tools itself doesn't violate the CFAA act. A separate entity uses
the tools and assumes that liability, which as we see is mitigated by
sovereign immunity.

b) And even if selling tools began to violate CFAA, then NSO itself would be
sued. As it is a separate entity from the investors, which is the whole point
of limited liability....

~~~
darkarmani
If you can tie the tool to any circumvention of copyright protections --
pretty broad argument (DMCA), you can be sued or arrested.

~~~
cloudjacker
and then you lean on USC Title 17 Chapter 12 § 1201 (f) : the interoperability
with other software defense, broad argument.

~~~
guelo
That makes more sense than my idea. But it would have to be Apple that brought
the suit.

------
0x0
An untethered stealth jailbreak that installs without user interaction from a
webview, that's almost as bad as it gets. And for iOS 7.0.0 - 9.3.4 inclusive.
And with exfiltration of audio, video, whatsapp, viber, etc etc. So thorough
and so bad :-/

~~~
koolba
> An untethered stealth jailbreak that installs without user interaction from
> a webview, that's almost as bad as it gets. And for iOS 7.0.0 - 9.3.4
> inclusive. And with exfiltration of audio, video, whatsapp, viber, etc etc.
> So thorough and so bad :-/

Short of being triggered completely in the background by a UDP packet, what's
worse than this?

~~~
daeken
Chaining this with some form of SMS/MMS bug (a la Stagefright) would make this
unbelievably powerful. That's essentially the worst case scenario I can
imagine for mobile security.

~~~
throwanem
Or this, from the detailed writeup linked elsewhere on this page:

> To use NSO Group’s zero-click vector, an operator instead sends the same
> link via a special type of SMS message, like a WAP Push Service Loading (SL)
> message. A WAP Push SL message causes a phone to automatically open a link
> in a web browser instance, eliminating the need for a user to click on the
> link to become infected.

It goes on to say that messages of this type are increasingly restricted by
service providers and newer phone OSes, but that's still pretty horrifying to
read.

~~~
jessaustin
Wow this WAP Push SL thing seems egregious. It's understandable that somebody
thought it would be useful, for like five minutes. But how could a standards
body or any of the several different OS companies who have implemented it
_not_ have realized how monumentally unwise it is to just automatically run
shit that randomly gets sent to a phone?

~~~
nomercy400
Not everything that supports WAP has to be a phone. It could also be a
standalone device, or sensor, or whatever. And with WAP push you can control
it.

For me the strange thing is that it is on by default on user phones.

------
micaksica
The UAE really hates on activists, and appears to be hiring a bunch of people
specifically to suppress activists/dissidents within the country. [1]
Unfortunately, due to the amount of wealth the country has, it won't stop
almost anybody from dealing with them unless Western sanctions are placed on
the country, which are unlikely given the current geopolitical situation.

[https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Em...](https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/)

~~~
0x0
Don't forget the time they pushed an "update" for blackberries:
[http://news.bbc.co.uk/2/hi/8161190.stm](http://news.bbc.co.uk/2/hi/8161190.stm)

~~~
walrus01
Don't forget that Etisalat is now the majority shareholder and pretty much
runs PTCL, the incumbent/largest telephone and telecom company in Pakistan,
either... PTCL is to Pakistan as Verizon, Frontier or Centurylink are to
various regions of the US. It's the ILEC.

Etisalat is not your friend. Etisalat has great marketing and is building GSM-
based (LTE, etc) networks in many developing nations but it is no friend of an
open internet or democratic institutions.

Etisalat is the reason why in some places in the world if you try to run a
VoIP to Phone system gateway, armed men with carbines will show up and ransack
your offices and home. They will use their influence with whatever local
government exists to "deal with" threats to their revenue and/or tax base.
This has happened in Pakistan and the UAE.

~~~
micaksica
> armed men with carbines will show up and ransack your offices and home

This is a solid reminder that in the end, your ability to use defensive
technology does not actually decide who calls the shots. Power is still
ultimately controlled by violence.

------
hackuser
Should exploits like this be treated as munitions, with sale to foreign
governments restricted? Or any sale at all restricted? Some thoughts:

* The only uses for the exploits are either illegal or by government security organizations

* I don't think you can just make an explosive and sell it to a foreign government; I think there are strict export controls (though I know very few details, I only read about companies applying, getting approval, etc.).

* In the 1990s, strong encryption was called a 'munition' and export was restricted. That turned out to be impractical (it was available in many countries and the Internet has no borders), morally questionable (restricting private citizen's privacy), and it fell apart.

While I believe in liberty and freedom-to-tinker, as I said, this stuff has no
legitimate use.

~~~
digi_owl
> * In the 1990s, strong encryption was called a 'munition' and export was
> restricted. That turned out to be impractical (it was available in many
> countries and the Internet has no borders), morally questionable
> (restricting private citizen's privacy), and it fell apart.

IIRC, that's still on the books. It's just one of those sleeping paragraphs
since the PGP release.

~~~
avian
Debian documents mention that "BXA revised the provisions of the EAR governing
cryptographic software" in October 2000. Debian no longer has separate non-us
repositories for crypto because of that.

[https://www.debian.org/legal/cryptoinmain](https://www.debian.org/legal/cryptoinmain)

~~~
makomk
Open source software is now basically exempt from the crypto export
restrictions, which is why Debian doesn't need separate non-US repositories
for it anymore. As far as I know closed-source software is still restricted.

------
bkmintie
Vice has a nice writeup on the exploits as well:
[https://motherboard.vice.com/read/government-hackers-iphone-...](https://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group)

~~~
explorigin
FTA: It appears that the company that provided the spyware and the zero-day
exploits to the hackers targeting Mansoor is a little-known Israeli
surveillance vendor called NSO, which Lookout’s vice president of research
Mike Murray labeled as “basically a cyber arms dealer.”

Phineas Fisher, we need you now.

~~~
api
So we have cyber arms dealers now. I continue to be amazed at the prophecies
of William Gibson. Makes me wonder if there's anything to "remote viewing."
Did he just look forward into the 21st century and write down what he saw? :)

BRB, gonna go slot me an icebreaker...

~~~
digi_owl
I think Gibson's explanation is that the future is here, it's just not evenly
distributed yet.

Others like Doctorow and Stross has voiced similar views. In Stross' case, he
apparently shelved the third part of a trilogy because the NSA was outpacing
him.

~~~
13of40
Yep, apparently he did:

[http://www.antipope.org/charlie/blog-static/2013/12/psa-why-...](http://www.antipope.org/charlie/blog-static/2013/12/psa-why-there-wont-be-a-third-.html)

------
Miner49er
This vulnerability sounds like this:

[https://www.zerodium.com/ios9.html](https://www.zerodium.com/ios9.html)

It was claimed November of last year. I wouldn't be surprised if this
"Trident" was sold by Zerodium. Glad it's patched.

Edit:

I just saw the Citizen Lab article on this:

[https://citizenlab.org/2016/08/million-dollar-dissident-ipho...](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/)

They mention the Zerodium bounty as well.

~~~
envy2
Article mentions that there are indications this was in the wild as far back
as iOS 7, suggesting this isn't directly linked to that Zerodium bounty.

~~~
dogma1138
The article mentions that the exploit has kernel mappings going as far as
iOS7. This doesn't mean this predates the bounty at all, the bug that received
the bounty payout for all we know might have been simply functional on iOS 7-9
or even earlier (and who ever made the final commercial product just didn't
bother). iOS7/8 is most likely still used since older iPhones stop receiving
updates at some point and older iPhones are the ones you might actually find
in emerging markets and developing countries. While rare you can still see
people even in "developed" countries running iPhone 4s, if you go to the
Middle East, Africa, or Asia you probably see considerably more of them
through being sold on the secondary markets.

~~~
nogbit
Older iPhones become the "kids" phone when daddy buys the new one. There are
more of them out there than you think.

~~~
dogma1138
I guess so, but it's rare to see iPhone 4's at this point when the iPhone 7 is
almost out of the door.

Also depending on how old the kids are it might actually work in reverse =)

------
epistasis
Not having heard about NSO Group before, they've been claiming to have this
ability since 2014:

[http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-star...](http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-startup-hack-your-phone/)

What other 0-days do they have in their pockets?

------
jtchang
The article mentions how this may have been used all the way back in iOS 7
which is crazy.

If you are being targeted for surveillance smartphones are a very bad idea
depending on your adversary. A cheap phone that is refreshed regularly will
probably be your best bet.

~~~
jonknee
On the other hand, smartphones are invaluable to most activists because they
allow _you_ to provide documentation of abuses through their various sensors
(audio, video, photos, etc).

------
gergles
Here are the full technical details:
[https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf)

------
dropalltables
Make sure to update to 9.3.5 on all of your iOS devices ASAP!

~~~
emptybits
Sad face. Right now, on my iPhone:

"iOS 9.3.5 provides an important security update for your iPhone"

40.5 MB. Great! Tapped "Download and install". It's greyed out. Huh?

Oh, "this important security update requires a Wi-Fi network connection to
download". Really? It's only 40.5 MB. Let me decide, please, how I use my
data.

Am I missing a setting that allows me to install an important _security_
update on a network of my choosing?

~~~
acdha
Go to [https://bugreport.apple.com](https://bugreport.apple.com) and request
that. The more duplicates they get, the more likely something is to get fixed.

~~~
emptybits
Good call. Done. Also cathartic.

------
timeal
You can be sure that this vulnerability was probably discovered by some
researcher, then sold to grey markets like
[https://www.zerodium.com](https://www.zerodium.com) or
[https://www.exodusintel.com/](https://www.exodusintel.com/) (they pay up to
$1 million for a high-profile iOS exploit), who then resold it to some
government who is now trying to exploit this dude's phone...

------
driverdan
To people who work for companies that sell / invest in products that are used
in unethical ways (Francisco Partners, NSO, Cisco, etc), how do you justify it
to yourself?

~~~
keyme
How do the people working for Citizen Lab / Lookout justify to themselves
blowing active operations by countless police forces around the world?

Ops like Mexico vs Cartels?

Also, since when is selling weapons to governments unethical?

~~~
Robin_Message
When the governments are oppressing their people, that's a good clue.

------
scosman
Does anyone know if the iOS 10 developer beta 7 (public beta 6) got this
patch, or are we vulnerable?

~~~
imwally
According to Ars the bugs have already been fixed in iOS10:
[http://arstechnica.com/apple/2016/08/apple-releases-ios-9-3-...](http://arstechnica.com/apple/2016/08/apple-releases-ios-9-3-5-with-an-important-security-update/)

------
firloop
Apple made its bug bounty program public a few weeks ago and the past few iOS
updates have all been patching security vulns. It could be a coincidence, but
from an outsider's point of view, it looks like the program is working.

------
artursapek
Will 9.3.5 disable/remove the spyware on infected phones? Or does it just
prevent one from becoming infected?

~~~
biot
From the article:

> "The kit appears to persist even when the device software is updated and can
> update itself to easily replace exploits if they become obsolete."

~~~
nogbit
And, even if your phone is updating it may be doing a fake update and then
show you that you did update to whatever version Apple says is "safe" for this
exploit but in fact Pegasus was in control the entire time. Get a new phone
ASAP.

~~~
nacs
... or you could just hook it up to iTunes and let iTunes flash the whole
phone with the latest iOS from scratch (9.3.5 fixes these exploits) instead of
letting the on-device updater do it.

No need for a whole new phone.

~~~
tannedNerd
I guess I've never dug deep into how an iPhone restore to default from iTunes
works, but does it actually zero out the whole disk or is it possible for this
exploit to survive that?

~~~
nacs
There are 2 ways. It can do a quick reinstall or it can do a full flash that
wipes out everything (you can force it to do that by holding shift or the
Apple key or something when clicking the restore button).

------
walrus01
This is a REALLY, REALLY good reason why "activists" of any variety should be
trained in how to acquire an old Thinkpad and install Debian on it (plus a
reasonable xorg/XFCE4 desktop environment). If you're dealing with
authoritarian regimes you can do a lot to reduce your attack surface. However
at the end it all comes down to rubber hose cryptography. If your government,
for example Bahrain decides to detain and torture you, you're pretty much
fucked.

~~~
mtgx
Debian? If it's anyone that's even 1/10 as targeted as Mansoor was, then they
shouldn't use anything less than Qubes, Subgraph, or TAILS.

~~~
walrus01
You realize TAILS is just Debian with TOR, and non-persistent storage?

I'm sure you can find a way to spear phish somebody and send them a Linux ELF
binary that they will then execute, but accomplishing that is considerably
harder than on Windows/OSX/Android/iOS.

~~~
thingexplainer
> I'm sure you can find a way to spear phish somebody and send them a Linux
> ELF binary that they will then execute, but accomplishing that is
> considerably harder than on Windows/OSX/Android/iOS.

I'm afraid people are just as foolable and code just as executable on Debian
as on any other platform. Additionally, vulnerabilities on Android are likely
exploitable on Debian.

You will not survive an attack from a state adversary because you used Qubes,
or OpenBSD, and certainly not TAILS (which is not particularly secure, just
well integrated with Tor). You will survive because you are familiar with your
tools of choice and you know how to secure them.

As a final note, if you're being targeted by a nation state, getting a
pre-owned ThinkPad will probably result in getting a pre-0wn3d ThinkPad.

~~~
walrus01
If you're being targeted by a nation state you will face all sorts of things
to deal with that can't be handled by buying a Thinkpad with cash from a
randomly chosen used computer store. Like bugging your residence and office,
bugging your car, putting advanced GPS tracking devices on your car, rubber
hose cryptography, hardware keystroke loggers inserted in your equipment while
you're known to be away from your home or office, full disk copies of your
laptop/desktop being taken (Clonezilla-type) by breaking into your office
while you're away, all sorts of shit.

~~~
thingexplainer
If you don't keep your airgapped laptop on your person or in a tamper evident
container at all times, it isn't an airgapped laptop. And if it isn't an
airgapped laptop, it shouldn't know any secrets.

~~~
walrus01
At which point if you're a UAE dissident and trying to deal with all this
_while living in the territory of the UAE_, you might say "fuck it" and find
a way to move to Toronto.

Replace "UAE" with "Ethiopia" or any other authoritarian regime.

~~~
rconti
They took his passport.

------
SanPilot
I'm a beginner when it comes to software development (mostly web development),
but it seems to me that the majority of complex exploits like this involve
some type of memory overflow and subsequent code execution.

Shouldn't there be methods for detecting these kinds of things in source code
or more priority given to preventing it in the C/low-level community?

~~~
startling
There are. "(Kernel) address space layout randomization" is one of them. It
was circumvented here; that's part of why this is impressive.

~~~
SanPilot
How is it possible to put the malicious code in the correct memory spaces?
Unless the attacker had a full image of the memory, I don't see how this can
be accomplished.

~~~
startling
The second bit of the exploit chain, CVE-2016-4655, leads to disclosure of
kernel memory addresses. Once a single memory address is known, you can
calculate the random offset of the kernel, and then exploit the third part to
overwrite the return address and return into specific chunks of kernel code
("Return Oriented Programming"), whose addresses you computed from the offset
+ a fixed code location. These can let you e.g. install your payload.

------
Osmium
Aside, but does anybody else find the switch from right-to-left to left-to-
right really jarring in this screenshot?

[https://citizenlab.org/wp-content/uploads/2016/08/image13-76...](https://citizenlab.org/wp-content/uploads/2016/08/image13-768x706.jpg)

It has the effect of introducing a line-break into the middle of a line,
rather than at either end. I've never encountered this before and it took my
brain a few seconds to catch on.

I'd be really curious how native bilingual readers of both a right-to-left and
left-to-right language would read that. Does it look natural? Where do your
eyes go first?

~~~
itayperl
BiDi sucks, and as an RTL language speaker you learn to live with it.

My native language is Hebrew, and we don't bother translating most technical
terms to Hebrew. You end up with technical documents looking something like
this:

".yadot patch a desaeler Apple .iOS 9.3 ni ytilibarenluv privilege-escalation
a dnuof srehcraeser ehT"

In newspapers, where lines are typically short, you get the effect in the
screenshot in question. E.g.:

       "Everyone gets a day .ni tnew eH
                .dias eh ",off tomorrow

You can't _really_ get used to that. You actually have to read the second line
sideways from the middle!

By the way, typing mixed text is even worse than reading it. You have to press
alt+shift every 2-3 words to switch layout. If that's not bad enough, Office
2007 (if I'm not mistaken) introduced a 0.5-1sec lag after each keyboard
layout switch. Imagine typing out an entire document like that. I lost my
nerve a couple of times.

In many cases we avoid this issue by simply writing technical documents in
English, but sometimes that's not an option.

~~~
Osmium
Thanks for this – I really appreciate the insight. That changing-input lag
sounds like an absolute nightmare.

Since I left my previous comment, I came across some Apple presentations on
new work they've been doing in iOS 9 and iOS 10 on internationalisation
including RTL and mixed-content support. It sounds like there's a lot of work
still to do, but I was pleased to see they've at least started multilingual
input sources now (in iOS 10, autocorrect can work with multiple languages
without having to switch keyboards, though I'm guessing this only works with
Latin alphabet languages for now?).

------
e28eta
I thought it was interesting that they're using Cydia Substrate to hook into
specific third-party apps for monitoring.

I wonder if we'll ever see privacy conscious apps using some sort of
obfuscation. So that every time you update your app, the attacker will have to
reverse-engineer the symbol names again.

It seems like a compile or link time tool could find method call & selector
references. As long as your app isn't calling methods using strings, or doing
something else tricky, I think it could work.

Or you could just write the app in Swift. It's the Objective-C runtime that
makes it so easy to intercept method calls.

~~~
mikeash
The trouble is that nearly every app does "something tricky" because it's so
baked into Apple's frameworks. Every UI control calls methods using strings
when you interact with it. Key-value coding and observing extract method
names from strings. Core Data uses method names to look stuff up in the
underlying storage. And these things are so easy to do that it's pretty common
for third-party code to do similar stuff. Reliably figuring out which methods
were safe to change would be really tough.

------
eggy
Unless you are a high-value target, Apple's security seems fairly sufficient
for normal use (I have Android ;)). Companies like NSO Group that state that
they play both sides without any moral compass seem like a great target for
Anonymous or others. Imagine the client list, and banking information as a
trail to blaze!

~~~
_nedR
This guy seems to be quite the high-value target to warrant 3 zero-days, on
iOS no less.

edit: What platform would be recommended, if you happen to be a high value
target though. Using iOS at least seems to raise the cost of infiltration
significantly judging by this
[http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...](http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/).

~~~
namero999
The other dimension to keep in mind is time. Governments can just cash out
whatever {Vupen|Zerodium|rogue researcher} ask for, and get a 0-day for any
major platform waiting there to be sold. Any obscure, probably less-secure
platform has surely gone through less research and time becomes key: probably
there will be no time to develop an exploit within your operational window.

------
Jerry2
How does one monitor the infection of an iOS device and how do you capture and
store all the stages of an infection?

I've never done any reverse engineering so I'm not sure how you'd go about
recording what an infection like this does to your device...

------
matt_wulfeck
He wasn't hacked, he was being "lawfully intercepted"!

Just kidding. The difference here is that a government doesn't want to do such
as provide reasonable suspicion or go publicly in front of a judge.

------
maglavaitss
So, basically three things to notice:

1. never click on links in e-mails.
2. if you're targeted by a nation state, you're screwed.
3. everybody is vulnerable to rubber-hose cryptography.

------
Tepix
It's curious that Signal was missing in their list of apps that can be
intercepted. Are the targets not using it? Or was it just not mentioned?

------
metafunctor
Is there any way to check if an iOS device has Pegasus installed, without
installing and registering for the Lookout app?

~~~
e28eta
Sounds like an exploited device should be jailbroken, you could try running an
unsigned binary (if it's easy to find & install one - I'm not sure).

I believe the article also says it disables the auto-update mechanism. So if
you've seen an auto-update prompt recently, your odds are better.

The background audio recording must be terrible for battery life.

~~~
startling
(From the lookout paper): "In order to maintain its ability to run,
communicate, and monitor its own status, the software disables the phone's
'Deep Sleep' functionality."

------
abecedarius
I have an iPad 1 which long ago was left behind by upgrades. It'd be nice to
know when the vulnerabilities were _introduced_ too. Should I stop doing
anything networked with it?

~~~
mikeash
I would definitely not trust it, at the very least. Even if this particular
vulnerability didn't exist for it, there are bound to be many others that did.

------
dboreham
"we did not have an iPhone 6 available for testing"

Big budget operation!

~~~
ceejayoz
It's a human rights lab at an academic institution. Small budget is hardly a
shock.

Somewhat hilariously, they appear to be funded in part by donations from
Palantir.

------
chenster
I think NSA is trying to acquire them.

------
okket
[https://citizenlab.org/2016/08/million-dollar-dissident-ipho...](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/)

> Alarmingly, some of the names suggested a willingness on the part of the
> operators to impersonate governments and international organizations. For
> example, we found two domain names that appear intended to masquerade as an
> official site of the International Committee of the Red Cross (ICRC):
> icrcworld.com and redcrossworld.com.

~~~
bgentry
This is a much more informative source. Moderators may want to merge
everything into this story:
[https://news.ycombinator.com/item?id=12360714](https://news.ycombinator.com/item?id=12360714)

_Edit:_ That story is now flagged as dupe, can we at least get the URL
changed to this much more in-depth article?
[https://citizenlab.org/2016/08/million-dollar-dissident-ipho...](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/)

~~~
dang
Yes. Done.

~~~
bgentry
Thanks!

------
landr0id
This is off-topic but at first I thought I was on a Spotify blog page. Lookout
has _very_ similar branding.

~~~
landr0id
lol downvotes, ok hn. My initial reaction was "this is crazy Spotify found
something like this", which was why I commented.

~~~
joecool1029
It's ok. I thought the same thing. You're not the only one.

------
themihai
<< Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.

The story is great but I really doubt this. I'm wondering what made him
suspect the link? Does he send all the links he receives to Citizen Lab?

~~~
revelation
Yes, who doesn't click on random links received from unknown numbers over (get
this) SMS?

Some people.

~~~
jessaustin
Yeah that's almost dumb enough to indicate that this whole thing has been a
cat's paw. Burn an old vuln, get everybody riled up about it, but distract
them from looking for the sophisticated things you're doing when you actually
want to spy on a troublesome subject.

