
Journalist’s phone hacked: all he had to do was visit any website - vezycash
https://www.thestar.com/news/canada/2020/06/21/journalists-phone-hacked-by-new-invisible-technique-all-he-had-to-do-was-visit-one-website-any-website.html
======
cycomanic
I think the developer community needs to start ostracising people working for
these companies. Don't hire former employees, don't hang out with people
who work for these companies and conferences.

Don't supply services to these companies (build their website, network...).

I believe by letting people off the hook for participating in this (similar
things can be said for e.g. the NSA) we are essentially endorsing the
behaviour. If you work at e.g. NSO group, you are personally responsible
for governments suppressing and even killing (just look at SA) critics.

~~~
aronpye
Ostracising someone from society solely on where they work without looking at
their actual actions is implying guilt by association. A tactic often used by
authoritarians. Everyone in a civilised society has the right to a fair trial
without the presumption of guilt.

~~~
XMPPwocky
Finally, somebody's brave enough to say the truth!

I've been helping with some work for a small local gang- we do the usual
(murder-for-hire, "debt collection", extortion, etc). Although I only do
administrative work - keeping records and such. Pays great. But you know what?
My wife- my wife of five years- left me when she found out.

Can you believe that? What a fucking fascist. I didn't do anything wrong. I
never killed anybody. And, sure, I did also help machine firearms for folks,
and I did help with some supply chain issues to make sure we have a reliable
supply of bullets, but I never shot anyone. Not one person.

How _dare_ anybody discriminate against me?

~~~
dijksterhuis
Unclear whether this is legit, or if you're being facetious to demonstrate a
point. I'm gonna bet on the latter, seeing as this is HN!

You _intended_ to supply a local gang with guns and ammo to earn profit from
it, along with the other actions you took. You purposefully set out to profit
from their criminal behaviour in full knowledge of what that entailed.

I'm not surprised your wife left you. Good on her.

Here is a circumstance where your point is not valid, where there is no
malicious intent:

- Developer A in dept X finds out developer B in dept Y is working on Z. Is
uncomfortable with anything to do with Z.

- Dev A raises this with line manager C and gets pushed back.

- Dev A tries to raise this up higher. Gets push back.

- Dev A decides to leave the company because the workplace has now become
increasingly hostile.

Dev A tried to do the right thing and raise up the fact that project Z was
unethical. By presuming guilt by association, Dev A is treated exactly the
same as Dev B.

Consider engineers at Google. Did every Google engineer work on project
dragonfly? Did every engineer know about it until it was leaked to the press?
Do the project zero team work on ad tracking?

Bringing it back to your example now. If you were an accountant for a printing
shop that just happened to be a front, but you never knew about it or
suspected it, that's another story. There's no intent to profit from or
knowledge of the criminality. Now you're an innocent bystander who was taken
advantage of.

If your wife left you in this situation, I'd feel for you.

This is why we presume innocence until guilt is proven. I, for one, would
rather some guilty people slip through the net of justice if it helps us to
not habitually punish innocent people for crimes they did not commit.

The world is not perfect, nothing is ever black and white.

~~~
bobthechef
Facetious? Whatever gave you that idea?

Anyway, we can evaluate the permissibility of moral actions using the principle
of double effect. As you suggest, we do not always have the luxury of choosing
courses of action without some kind of negative side effect. At the same time,
it is not morally permissible to engage in intrinsically immoral acts (sorry,
utilitarians/consequentialists) nor is it permissible to intend the evil
effect. We may also not use the evil effect as a means of attaining the
desired good. Finally, there must be a proportionality between the good and
bad effects that justifies the toleration of the bad effect.

~~~
leotaku
I am genuinely confused by your comment. Are you, again, being facetious or
are your arguments just bad?

> it is not morally permissible to engage in intrinsically immoral acts
> (sorry, utilitarians/consequentialists)

How would anyone define an intrinsically immoral act? It seems dishonest to
discard well-established schools of thought while ignoring the very premise
that makes them relevant.

> We may also not use the evil effect as a means of attaining the desired
> good.

> Finally, there must be a proportionality between the good and bad effects
> that justifies the toleration of the bad effect.

These two statements directly contradict each other.

------
nsajko
The Citizen Lab reports (one linked from this article) about the Israeli NSO
Group's Pegasus spyware have been _really_ scary for a few years now already.

This is a frightening 8-part series about the abuse of "Pegasus" in Mexico
2017-2019: [https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/](https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/)

Here's a category of articles on the citizenlab.ca web site described as
"Investigations into the prevalence and impact of digital espionage operations
against civil society groups":
[https://citizenlab.ca/category/research/targeted-threats/](https://citizenlab.ca/category/research/targeted-threats/)

~~~
fortran77
NSO Group is owned by Novalpina Capital, a British company.

~~~
alasdair_
>NSO Group is owned by Novalpina Capital, a British company. Why do you call it
"Israeli?"

I assume because it was founded by three Israeli citizens, in Israel, and the
HQ and staff almost all work near Tel Aviv.

And while Novalpina Capital provided funding, that was only in a partnership
with two of the original founders, as a buy-out.

~~~
jacobwilliamroy
Buying something is the same as making it yourself right?

~~~
alasdair_
>Buying something is the same as making it yourself right?

No.

And I didn't claim anything of the sort.

------
hn_throwaway_99
I saw this discussed on reddit, and I was surprised that there was so much
confusion about how this happened. It wasn't just "network injection" - quite
clearly (unfortunately very poorly described in the article) there was a
vulnerability in iOS/Safari that allowed remote code execution; network
injection alone wouldn't have been enough. Does anyone know what the CVE was
that allowed this?

~~~
roblabla
A code execution vulnerability isn't enough. To work on truly any website,
they need:

- A remote code execution vulnerability. There are almost certainly multiple
vulnerabilities at play here, since long gone are the days where a single vuln
gave arbitrary code execution.

- A way to bypass the encryption/https, unless the remote code execution was
on a layer before encryption (which seems unlikely). EDIT: Apparently the hack
only works on non-encrypted websites.

- Once remote code execution is achieved, they most certainly need a way to
elevate privileges in order to make the hack more persistent and tap into other
apps.

There are most likely several CVEs at play here. The amount of effort that
went into this hack is, frankly, terrifying.

~~~
ringshall
> "There are almost certainly multiple vulnerabilities at play here, since
> long gone are the days where a single vuln gave arbitrary code execution"

Could you go into this in a little more detail?

I'm inferring that chains of vulnerabilities are needed to go from some
starting point to arbitrary code execution. Is that correct?

Have efforts to secure computer systems over the past ~2 decades succeeded, at
least in that much more effort needs to be invested in order to get to the
point of arbitrary code execution?

~~~
roblabla
For the most part, yes, it's much harder to get ACE today than it was 20 years
ago, and even then ACE doesn't actually grant you any fancy capabilities on a
modern phone.

To get ACE, you will generally need a couple of primitives, such as an
ArbR/ArbW coupled with an infoleak to get ROP. This will allow you to execute
arbitrary code, but you're still stuck within the confines of the current
process' privileges. Phone apps are generally heavily sandboxed, and the web
browsers tend to be sandboxed even harder. Having ACE in some arbitrary
process won't give you the ability to do anything: filesystem will still be
out of reach, most of the time you won't even be able to see other processes
or even make network requests. So you'll need to break the sandbox.

Breaking the sandbox tends to involve looking for an RCE in a process outside
the sandbox that you can communicate with over an IPC channel. And you'll
likely need to do this twice: once to break free of the browser sandbox, and
once to break the "App" sandbox. If we take a look at Chrome for instance
(which is very well documented[0][1]), they have sandboxing mechanisms built-in
to disallow access to most resources (like the filesystem) to most of its
processes, and to prevent access to most of the kernel API surface. And then
Android further sandboxes all apps to disallow them from accessing each
other's data. So again you'd have to find another bug somewhere to bypass
this.

There are tons of mitigation techniques being developed to make bugs harder
to exploit, from Pointer Authentication (making it much harder to exploit
ArbR/ArbW bugs) to Control Flow Integrity (making it much harder to create a
ROP chain). Of course, not all apps actually have those mitigations in place,
but the web browsers tend to enable most, for instance Chrome has CFI
enabled[2].

[0]: [https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md](https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md)

[1]: [https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/sandboxing.md](https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/sandboxing.md)

[2]: [https://www.chromium.org/developers/testing/control-flow-integrity](https://www.chromium.org/developers/testing/control-flow-integrity)

~~~
erikmolin
Would you mind expanding the acronyms? This is super interesting, but hard to
follow (and also somewhat hard to google, apparently Arbr is a bike brand)

~~~
iudqnolq
Guessing partly, but maybe ArbR = arbitrary read, ArbW = arbitrary write, RCE
= remote code execution, IPC = inter process communication.

~~~
pbhjpbhj
ACE arbitrary code execution

RCE remote code execution

ROP return-oriented programming, which I understand to be using code already
on the target and manipulating code flow in order to piece together the bits
of programme to execute a routine of the attacker's choosing (like cutting
letters out of a newspaper to make a ransom note!),
[https://en.m.wikipedia.org/wiki/Return-oriented_programming](https://en.m.wikipedia.org/wiki/Return-oriented_programming)

------
christofosho
On HN I've seen a lot of unencrypted sites lately. I don't personally feel
comfortable browsing on them, so I avoid them. Near the end of the article
here, it mentions that this is only possible on an unencrypted website. Is
there a reason why so many people are not encrypting their websites? Even
browsers seem to have picked up on the insecure nature of http. Please correct
me if I'm wrong here, I just find it very strange how many links I've
inspected only to see a lack of TLS/SSL.

~~~
Swizec
I've seen this improve a lot in recent years with Let's Encrypt, so that's
been a great trend.

LE is still tedious as heck to set up on your own, though, so I guess people
who haven't migrated to modern hosting yet are still being left behind. Most
hosting-for-devs platforms these days give you HTTPS by default and I don't
think they would even let you host a website without.

~~~
user1980
Tedious to set up, tedious to maintain.

January 31 of this year I got an email telling me that my LE client used the
older ACMEv1 protocol, not the newer ACMEv2 protocol. They gave me 4 months
notice to update my LE client to something compliant. I burnt the time and did
the work.

On March 3 myself and many others[0] got an email demanding that we manually
re-issue our certificates because of a vulnerability discovered in the LE
service. They gave us one day to comply, after that they would revoke the
certificates and our users would receive security errors. I begrudgingly went
through all my servers and issued the command to forcibly renew certificates.
Not a huge burden for me, but likely a bigger burden for larger operations.

As the feature set grows (new challenge types, wildcard support, etc.) and the
service gets even more popular, it's going to be an even bigger target and the
effects of a monoculture will really be felt. I'm starting to see the value in
paying for certificates, and more specifically, using providers that don't
provide a public certificate issuance API (or at least stick it behind a
paywall.)

How many times would LE have to accidentally issue gstatic.com or fbcdn.net
before they get the Symantec treatment[1]? Too big to fail: It's not just for
investment banks. And that should give anyone seeking a decentralized internet
pause.

[0]: [https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/](https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/)

[1]: [https://www.zdnet.com/article/mozilla-warns-it-plans-to-distrust-all-symantec-chained-certs-in-october/](https://www.zdnet.com/article/mozilla-warns-it-plans-to-distrust-all-symantec-chained-certs-in-october/)

~~~
inetknght
> _How many times would LE have to accidentally issue gstatic.com or fbcdn.net
> before they get the Symantec treatment[1]? Too big to fail: It's not just
> for investment banks. And that should give anyone seeking a decentralized
> internet pause._

I agree that some problems are unfortunate. But let's contrast for a moment.
LetsEncrypt has demonstrated track record of quickly fixing issues. Symantec
has a demonstrated track record of hiding issues instead of fixing them.

It's wise to consider options carefully. LetsEncrypt _isn't_ the be-all end-all
service for TLS and your needs might not be compatible. But I don't think
it's fair to shove LetsEncrypt aside just because it's had its share of
problems.

For a _free service_ it's pretty damn reputable.

~~~
treis
It's a good service, but I think the GP's point is that it's not trivial to
do. Lots of websites probably went down because they missed that e-mail and
we've seen lots of major websites go down due to some issue related to their
certificate.

Let's Encrypt has lowered the bar, but it's still a bar that needs to be
overcome.

~~~
tialaramex
As we'd expect ISRG not only fixed the immediate problem they also accelerated
plans to ensure that any similar problem would have less serious ill effects.

In particular a current Certbot (or similar software from other developers)
will conclude that it should try to replace a certificate which has been
revoked and not only certificates that will shortly expire. So if a similar
event happened, and you missed the email, your Certbot will treat the
certificates much as if they'd expired and replace them automatically.

Also if you didn't replace a revoked certificate the thing is: Online
revocation is broken. Most of your users will not have noticed your
certificate was revoked. Popular browsers do have an out-of-band way to
enforce revocation but they didn't use it on that Let's Encrypt incident
because they felt it was low risk. So maybe some people are running Internet
Explorer (really?) or have explicitly turned on revocation, everybody else
doesn't even see a warning page.

------
inglor
Ok, so I want to make something clear to the (smart but mostly not
"in-the-know" about NSO) HN crowd.

Let's say you're a Mexican drug lord or Saudi prince. You know this tech
exists and the US/Israeli/European governments use it.

Then, you see this article, and see all the comments in the comment section
about how competent, scary and balance-changing the technology is.

Basically: I think these pieces are bought for and paid by NSO through a PR
firm, but you are not the target. When we leave comments like "NSO's tech is
so good it has to be regulated!" or "NSO's tech is dangerous!" we are playing
directly into the PR firm's clever hands.

It's like an article about how good the AR-15 or the F-35 are. Obviously to me
(and most of the readers) it's mostly "why are we focusing on technology of
death" but we are not the target.

~~~
kavalg
What you are saying makes a lot of sense. Then does it mean that the NSO
capabilities are not quite as "advertised"?

~~~
inglor
Of course, NSO and other players in that field can do much, much, much more
than advertised to the media.

Remember, the vast majority of people working for NSO worked for Israeli and
US intelligence bodies. They serve in the 8200 unit doing malware analysis
trailed by the NSA and then go work for NSO on the same sort of technology.

(If you want to get an idea of how much, I recommend "Permanent Record" but if
you don't like Snowden then check out how far ahead intelligence bodies were
_historically_ compared to public knowledge - WW2 crypto being a good analogy)

This lets the US government (and the Israeli government in turn) to make money
off the technology without going through the same international regulatory
systems.

The US government (or Israeli government) can stop companies like NSO in a
single decision but they are not since it is making them money.

It's up to us (the citizens) to pressure them to do so and to promote security
best practices and work on better tools to make it harder to breach peoples'
privacy.

~~~
kavalg
Thanks for your thorough reply. My question was more in line with enterprise
PR/sales. More precisely, to what extent does such a PR activity drive sales
for NSO. In my early engineering career I did enterprise pre-sales for two
different companies and we always relied on more direct touch points with
potential customers (e.g. doing seminars, workshops).

------
bvinc
Why aren't cell phone tower communications secured? Why aren't cell towers
secured with certificates verified by the network? Why aren't stingray devices
considered an attack on the cell network?

If stingray devices work by tricking your phone to connect with older
protocols like 3G, why aren't those protocols deprecated just like we
deprecate older encryption methods that are no longer secure?

~~~
numpad0
I think it has to be 2G GSM specifically; 3G UMTS does have a _cipher_ that
kind of holds. Also a lot of phones aren't dynamically updatable or updated
smartphones.

GSM downgrade attacks as well as USB SDR gear came out in the late 3G era. I
kind of trust the 3GPP guys for protection for LTE onwards, but if GSM downgrade
attacks are your primary concern in your life you can move to Japan and get a
contract on au by KDDI, as KDDI flat out ignored CSFB to CDMA2000 and went all
VoLTE.

~~~
gruez
>if GSM downgrade attacks are your primary concern in your life you can move
to Japan and get contract on au by KDDI as KDDI flat out ignored CSFB to
CDMA2000 and went all VoLTE

Wouldn't it be easier (at least on android) to go to mobile network settings
and change it to "lte only" or "3g only"? As for using au by KDDI, I'm not
even sure whether using their SIM cards will prevent a downgrade attack. It's
possible that they still support 2g for roaming use, for instance.

~~~
numpad0
Okay, I was mistaken, KDDI does have eCSFB to CDMA since the get-go... my brain
was stuck in the pre-LTE launch era. Sorry.

I'm not sure how "LTE Only" options work on every phone. Moving across
countries just to make a phone behave a certain way is beyond absurd, but
verifying how it's working might be a bit of a challenge?

regarding roaming, you mean a fake GSM tower with backend going over a VPN to
a GSM tower somewhere the phone could roam to? That I didn’t realize. That
could happen indeed.

~~~
boring_twenties
LTE Only is an option (albeit hidden) on every Android phone I've ever used,
at least. Just enter _#_ #4636# _#_ in the dialer.

I usually have it set, and in areas that only have 3G coverage, I get no
signal unless I change the setting.

~~~
boring_twenties
Hrm, just noticed that hn ate my asterisks. Backslashes don't work, either.
Unicode to the rescue: ⁕#⁕#4636#⁕#⁕

------
shbooms
> All he had to do was visit one website. Any website.

The author directly contradicts the headline used here:

> The website must use “clear text” which means the URL starts with “http” not
> “https.”

~~~
bb88
Consider the following:

[http://google.com](http://google.com)

[https://google.com](https://google.com)

Both wind up eventually to the same place, but the first redirects to the
second.

That can be a link, it can be an old bookmark, etc.

Worse if it was a targeted ad, the [https://](https://) link could be just a
redirect back to an [http://](http://) link, something the browser probably
has no trouble doing.

~~~
dmurray
> the [https://](https://) link could be just a redirect back to an
> [http://](http://) link, something the browser probably has no trouble
> doing.

Doesn't HSTS prevent exactly this? Sure, not every website implements it, but
the most visited ones overwhelmingly do - it's certainly misleading to say
"any website" in that context.

~~~
VWWHFSfQ
doesn't the hsts header have to be delivered in cleartext the first time you
visit the site with http? so your browser knows from then on it can only ever
visit via https? the header can be removed in that initial cleartext request
so it never gets set in your browser in the first place. I don't think HSTS
works against highly targeted MITM attacks like this.

~~~
strombofulous
hsts lists ship with browsers. otherwise it'd be useless for the reason you
described

~~~
VWWHFSfQ
but that's not an exhaustive list of websites though. any website not in the
list is vulnerable to this
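The exchange between dmurray, VWWHFSfQ and strombofulous above is the HSTS trust-on-first-use problem in a nutshell. The following is an added example, not code from the thread or from any browser: a small model of how a browser decides whether to upgrade an `http://` navigation, with a constructed origin table, a constructed stand-in for the preload list, and two network paths (a clean one, and an on-path attacker that answers cleartext requests itself so the client never sees the origin's redirect or header). It shows that a non-preloaded site first contacted through the attacker stays cleartext and learns no policy, that a preloaded site is upgraded before any cleartext request leaves, and that a policy learned on one clean visit protects later visits until `max-age` runs out.

```python
"""Toy model of browser HSTS behaviour (added example, not from the thread).

Everything here is constructed: ORIGIN_HEADERS stands in for what each site
sends over HTTPS, PRELOAD for the list shipped inside the browser, and the two
network functions for a clean path and an on-path attacker."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the headers each origin returns on an HTTPS response.
ORIGIN_HEADERS = {
    "bank.example": {"Strict-Transport-Security": "max-age=31536000"},
    "blog.example": {},  # this site never sets HSTS
}

# Constructed stand-in for the browser's built-in HSTS preload list.
PRELOAD = {"preloaded.example"}


class Browser:
    """Keeps the dynamic HSTS store and decides whether http:// gets upgraded."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.hsts = {}  # host -> expiry timestamp learned from a header

    def should_upgrade(self, host):
        if host in PRELOAD:
            return True
        expiry = self.hsts.get(host)
        return expiry is not None and expiry > self.clock()

    def learn(self, host, headers):
        # Browsers only honour the header on an HTTPS response, so a header
        # seen (or stripped) in cleartext changes nothing.
        value = headers.get("Strict-Transport-Security", "")
        match = re.search(r"max-age=(\d+)", value)
        if match:
            self.hsts[host] = self.clock() + int(match.group(1))

    def navigate(self, url, network):
        """Fetch url through the given network path; return the final scheme."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.should_upgrade(parts.hostname):
            # Policy known: rewrite before any cleartext request leaves.
            parts = urlsplit(urlunsplit(("https",) + tuple(parts[1:])))
        scheme, headers = network(urlunsplit(parts))
        if scheme == "https":
            self.learn(parts.hostname, headers)
        return scheme


def clean_network(url):
    """Clean path: the origin redirects http:// to https:// and serves its headers."""
    return "https", ORIGIN_HEADERS.get(urlsplit(url).hostname, {})


def stripping_network(url):
    """On-path attacker: answers the cleartext request itself, so the client never
    sees the origin's redirect or its HSTS header. HTTPS requests pass through."""
    if urlsplit(url).scheme == "http":
        return "http", {}
    return clean_network(url)


def first_contact_via_attacker(host):
    """Non-preloaded host, first ever visit on the hostile path."""
    b = Browser()
    scheme = b.navigate(f"http://{host}/", stripping_network)
    return scheme, host in b.hsts  # stays http, and no policy was learned


def preloaded_via_attacker():
    """Preloaded host: upgraded before the attacker ever sees a cleartext request."""
    return Browser().navigate("http://preloaded.example/", stripping_network)


def learned_policy_via_attacker(host):
    """One clean visit first, then the same http:// link on the hostile path."""
    b = Browser()
    b.navigate(f"http://{host}/", clean_network)
    return b.navigate(f"http://{host}/", stripping_network)


if __name__ == "__main__":
    print("first contact, bank.example:", first_contact_via_attacker("bank.example"))
    print("preloaded host:", preloaded_via_attacker())
    print("bank.example after a clean visit:", learned_policy_via_attacker("bank.example"))
    print("blog.example after a clean visit:", learned_policy_via_attacker("blog.example"))
```

The `blog.example` case is the one that matters for the "any website" wording in the headline: a site that never sends the header, and is not preloaded, is exposed on every visit, no matter how many clean visits came before.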

------
maerF0x0
As recently as Nov 2019 comcast was doing this, albeit more benign

[https://rietta.com/blog/comcast-insecure-injection/](https://rietta.com/blog/comcast-insecure-injection/)

[https://news.ycombinator.com/item?id=21389657](https://news.ycombinator.com/item?id=21389657)

------
modeless
Worth noting that the Safari and iOS vulnerabilities that allow this to happen
are worth up to $1 million if reported to Apple.

~~~
thoughtstheseus
Maybe $1 million is not enough.

~~~
tarikjn
Does Apple allow anonymous reports/crypto payouts? There could be anti-money
laundering issues to sort out, but perhaps this could incentivize individual
actors to break ranks and leak vulnerabilities upstream.

~~~
inglor
"Break ranks"? If you work for one of these actors (NSO with intentionally
"sassy" PR or "quiet" ones like Verint or ones in the middle like Cellebrite)
and leak info - you will get jailed.

Breaking ranks in this case is a 10 year jail sentence if you get caught.

Funnily enough, the ex-head of malware analysis for NSO recently released this
[https://www.jsof-tech.com/ripple20/](https://www.jsof-tech.com/ripple20/) and
"switched ranks" to the light side.

------
pdimitar
I'm probably naive here because I'm not versed in networks -- but couldn't he
avoid surveillance by using a VPN? Wasn't one of the design features of VPNs
that your connection can't be hijacked?

~~~
vonquant
Of course, the VPN could be the one doing the hijacking.

~~~
pdimitar
Well let's assume that he f.ex. has friends in several countries to whose VPN
servers he has a direct unimpeded access (by IP, not hostname).

Would a trusted VPN help? Or would hijacking the traffic at the point of
departure (his phone / the air) still manage to corrupt the payloads?

------
rediguanayum
The article mentions NSO's Pegasus that the journalist victim downloaded, and
presumably installed surveillance tools on his iPhone. What is Pegasus? Is it
platform of browser zero days that then installs surveillance tools? Does it
root kit the phone?

~~~
olliej
It’s easy to look up, it has historically been used to spy on human rights
activists and reporters.

It’s sold by the NSO group, that has repeatedly tried to smear and spy on
organisations that report on them knowingly selling to and supporting
governments that are using these tools to attack HRAs, etc.

I assume that they have updated it since it first came to light, as the
vulnerabilities at the time were all fixed.

Note that the vulnerabilities that they use are all the same ones used by
jailbreaks, so fixing them necessarily means preventing jailbreaks.

~~~
saagarjha
> Note that the vulnerabilities that they use are all the same ones used by
> jailbreaks, so fixing them necessarily means preventing jailbreaks.

Well, unless there was a method to jailbreak your device that did not require
a chain of software vulnerabilities.

------
close04
> the Israeli company issued a policy that vowed the company would cut off
> clients if they were found to misuse the surveillance technology to target
> journalists and human rights activists

This goes right up there with "the backdoor for which only we'll have the
key".

~~~
mirkules
If a system’s purpose is to protect citizens from bad actors, it is only a
matter of time before the citizens become suspected bad actors, and the
machinery is turned against the citizens.

This is a concept that is sadly missing in well-intentioned people.

------
oska
Ironically, Firefox gave me a fingerprinting warning for the website this
article appears on. (The fingerprinting was being done by eyereturn.com)

~~~
saagarjha
Safari says this page has 21 trackers ¯\_(ツ)_/¯

~~~
Reelin
Between uBlock Origin and uMatrix I hadn't even realized. Prior to seeing
these comments I had actually been impressed by the site's (apparent)
responsiveness combined with the (apparently) clean and mostly plain text
layout. Whoops.

~~~
oska
I'm running UBlock Origin and UMatrix too. And both of them are blocking
eyereturn.com. But because I've got Firefox to alert me to fingerprinting (not
a default option I think) I also got a little pop-up informing me that the
site was using it. Which advice I appreciated even though I was already
protected by those two earlier mentioned services.

------
atommclain
Would using something like Opera Mini have prevented this attack from
happening?

I'm imagining a proxy-like tool that lets high-exposure individuals request
webpages, have them downloaded/parsed, and possibly rendered before handing
them off to the client device.

Perhaps it would let the client download https normally but switch modes for
any http requests (if I understand what happened here correctly.)

------
josephcsible
I feel like this article makes the technique sound a lot more novel/surprising
than it is. It seems like a simple case of "phone had an RCE vulnerability
that got exploited by an attacker in control of the network".

~~~
olliej
So either they had a fraudulent cert or he was using insecure sites :-/

~~~
amatecha
It's probable that they were intercepting the connection and the act of
hitting _any_ http site resulted in the redirection to an exploit payload.
Many many sites have http requests, so you can't really blame someone for
hitting a non-https site.

~~~
olliej
You're right it may not be his fault, but that is why all sites should be
https, and sites should have the hsts header set.

Essentially if you are using [http://](http://) anywhere on your site
(including transitively loaded resources) you are putting your users at risk -
the same thing was exploited with the great cannon or whatever that DoS from
the Chinese gov was called.
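olliej's point that a single `http://` reference anywhere on a page, including transitively loaded resources, exposes every visitor is something a site owner can check mechanically. The following is an added example, not code from the thread or from any project: it parses a page for subresources and form targets that resolve to `http://`, distinguishes `<link>` relations that actually cause a fetch from those that do not, and reports whether the `Strict-Transport-Security` header is absent from the response. The page, URL and headers are constructed samples.

```python
"""Cleartext subresource audit (added example, not from the thread).

Given a page URL, its HTML and its response headers, list every resource the
page fetches or posts to over http:// and report whether the HSTS header is
absent. The HTML and headers below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page loads a resource or sends data.
URL_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
    "link": ("href",),
}
# <link> only triggers a fetch for these rel values; canonical, alternate etc. do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}


class CleartextFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for name in URL_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            if name == "srcset":
                # "url descriptor, url descriptor": keep the URL part of each entry
                candidates = [c.strip().split()[0] for c in raw.split(",") if c.strip()]
            else:
                candidates = [raw]
            for cand in candidates:
                # Relative and protocol-relative (//host/x) references inherit the
                # page's scheme, so on an https page only explicit http:// ones
                # end up in cleartext.
                absolute = urljoin(self.page_url, cand)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def audit(page_url, html, response_headers):
    """Return (list of cleartext resources, hsts_missing)."""
    if urlsplit(page_url).scheme == "http":
        # The document itself is cleartext; every subresource inherits the
        # problem, and an HSTS header on an http response is ignored anyway.
        return [("document", "url", page_url)], True
    finder = CleartextFinder(page_url)
    finder.feed(html)
    names = {k.lower() for k in response_headers}
    return finder.findings, "strict-transport-security" not in names


# Constructed sample page and headers.
SAMPLE_URL = "https://www.example/page"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">
<script src="//static.example/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://img.example/a.png" srcset="http://img.example/a-2x.png 2x, /b.png 1x">
<form action="http://forms.example/submit"><input name="q"></form>
<a href="http://other.example/">plain navigation link, not a subresource</a>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    findings, hsts_missing = audit(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS)
    for tag, attr, url in findings:
        print(f"cleartext {tag}[{attr}] -> {url}")
    print("HSTS header missing:", hsts_missing)
```

On the sample page the stylesheet, the image (both `src` and one `srcset` entry) and the form action are flagged; the protocol-relative script, the site-relative script and the canonical link are not. A real audit would run this over fetched HTML and also follow scripts and stylesheets, since those can pull in further `http://` resources of their own.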

~~~
amatecha
Oh yeah, I agree! https should be the standard, indeed.

------
ezoe
>Yet Radi was trained in encryption and cyber security. He hadn’t clicked on
any suspicious links and...

If you were properly trained, you should have already realized that a
cellphone is not a trustworthy way of communication.

------
AaronFriel
Time for everyone to install HTTPS Everywhere and turn on Encrypt All Sites
Eligible (EASE) on desktop.

On mobile, highly recommend using a browser that supports extensions or
pressuring companies to enable third party browsers. It's not overstating it
to say that our legislators should compel that competition, it's a national
security issue that journalists, intelligence officials, and the President
using devices by a certain manufacturer cannot change the browser or use
helpful extensions like HTTPS Everywhere.

[https://www.eff.org/deeplinks/2018/12/how-https-everywhere-keeps-protecting-users-increasingly-encrypted-web](https://www.eff.org/deeplinks/2018/12/how-https-everywhere-keeps-protecting-users-increasingly-encrypted-web)

------
sdan
How's this possible? Any way this can be prevented?

~~~
clarry
> How’s this possible?

Software is insecure.

> Any way this can be prevented?

Stop using insecure software.

~~~
sdan
This is obvious; just wondering what exactly they used.

------
deeblering4
What methods and tools are available to the average “power user” to detect and
mitigate mobile device malware?

Just reboot my phone every morning?

~~~
ReptileMan
Root some android, install obscure build, install firewall, use exotic
browser.

~~~
dredmorbius
Be fingerprinted by unique stack signature anyway.

------
elchin
Would using a trusted VPN prevent this attack, since even HTTP requests would
be tunneled through a secure connection?

------
LatteLazy
So just by being redirected, you can have root access to your iPhone taken
without warning? That sounds like an insane vulnerability. Anyone with a
security concern should immediately drop iPhone shouldn't they? I admit the
intercept process is clever, but if that's all that is needed for total
security failure, the real issue is the browser/OS.

------
rustybolt
I'd love to see a more technical explanation of the method that is used!

------
mywacaday
Would factory resetting your phone on a regular basis remove the hack?

~~~
gruez
Considering that we haven't had untethered jailbreaks in forever now, I think
even a restart would do.

~~~
aeternum
Possibly, but advanced malware like this can add many re-infection paths,
opening a safari tab might be sufficient to trigger a re-infect upon browser
launch. Many apps also make periodic background http requests, might be enough
to just hijack one of those to trigger the RCE after reboot.

~~~
Reelin
I don't think it's safe to assume that Pegasus can't manage persistence. This
isn't run-of-the-mill malware we're talking about.

------
lxe
Would certificate pinning help here?

------
MintelIE
Journalists need to take a page out of Assange's playbook and use ancient
Thinkpads and Powerbooks and use VPNs which would make this technique
obsolete.

------
mirimir
This is one reason why I don't use cellphones.

I suspect that Mr. Radi would have been safe if he had 1) used a PinePhone,
with cellular and WiFi radios turned off, and a USB-connected cellular modem;
and 2) hit the Internet through a VPN, Orchid, Tor or LokiNet.

If you think not, please share, because I hate spreading BS.

Edit: Well, someone seems to think that I'm wrong, but they aren't saying why.
Just sayin'.

~~~
bronco21016
It seems this attack exploited the browser on the device via non-HTTPS sites.
So the elaborate networking scheme really wouldn't do much. They just had to
inject their browser exploits on every non-HTTPS site the user visited. Just
because the PinePhone runs non-Android/iOS doesn't mean there aren't 0-days
for the browser it runs.

~~~
mirimir
In TFA, it says that they injected the exploit via stingray or cellular
network compromise. I'm pretty sure that better isolation of the browser and
other apps from the cellular network would have prevented that.

But yes, he would have been vulnerable to malicious sites exploiting browser
bugs, as one always is. I mitigate that by compartmentalizing activities in
multiple machines and VMs. For example, the host that this VM is running on
contains absolutely no information about my meatspace identity.

