
'Karma': A hack used by the UAE to break into iPhones of foes - MrMetlHed
https://www.reuters.com/investigates/special-report/usa-spying-karma/
======
zaroth
Whether or not this hack was developed with the help of Apple (a “backdoor”)
or by a third-party exploit, this is exactly what a “golden key” looks like
after it gets in the wild.

An espionage tool developed by a major world power proliferates to
totalitarian regimes, aided and operated by ex-NSA agents on the payroll, to
compromise human rights activists and the political opposition.

If ever there was proof that our devices need to be striving — constantly
striving — for absolute security, and can never allow any “trusted party” an
authentication or encryption bypass, this article is it.

An exploit like this is incalculably valuable to intelligence agencies. That
the exploit would proliferate is undeniable. And the ends to which it would be
(has been) used are atrocious.

Probably the only thing different about how intelligence agencies exploited
this, and how they would exploit a golden key, is that with the golden key
they would be sweeping up every photo on every device, and not just some
photos on some devices.

 _“It was like, ‘We have this great new exploit that we just bought. Get us a
huge list of targets that have iPhones now,’” she said. “It was like
Christmas.”_

~~~
FakeComments
I disagree with the conclusion of absolute security — it won’t happen, and
only encourages subversion by people who both need and have a right to access
the content.

Instead of pontificating, the tech industry should innovate.

There’s no reason that hashchains can’t be used to timelock the key, and the
enclave export it in response to a signed request. Then we can at least force
the compromises through the legal system _and_ require effort to reverse the
hashchain. That kind of court authorized targeted access removes the incentive
(and justification) for other actors to more deeply compromise the system. In
turn, this lets us provide more security, in practice.

What’s not going to sell, and what the tech industry needs to get over is
“lulz, it’ll be impossible to intercept military or terrorist information because
I need absolute privacy for my saucy emails”. I think it’s been empirically
demonstrated that won’t happen.

Be part of the solution.
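
One reading of the hashchain timelock proposed in the comment above, as an added example (not code from the thread or from any product): the enclave releases a locked key only for an authorized request, and opening it takes a fixed number of sequential SHA-256 steps. `Enclave`, `authorize` and `unlock` are hypothetical names, the HMAC stands in for a real public-key signature, and the step count is a constructed value.

```python
import hashlib
import hmac
import secrets

def walk_chain(seed: bytes, steps: int) -> bytes:
    """Hash `steps` times. Each step needs the previous digest, so the
    work is sequential and cannot be spread across machines."""
    value = seed
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def authorize(authority_key: bytes, device_id: str, nonce: bytes) -> dict:
    """Authority side: bind a request to one device and one 16-byte nonce.
    Assumption: HMAC-SHA256 stands in for a public-key signature."""
    tag = hmac.new(authority_key, nonce + device_id.encode(),
                   hashlib.sha256).digest()
    return {"device_id": device_id, "nonce": nonce, "tag": tag}

class Enclave:
    def __init__(self, device_id: str, authority_key: bytes, steps: int):
        self.device_id = device_id
        self._authority_key = authority_key
        self._steps = steps
        self._device_key = secrets.token_bytes(32)
        self._seed = secrets.token_bytes(32)
        # A hash chain has no trapdoor: the enclave pays the same cost once here.
        self._locked = xor(self._device_key, walk_chain(self._seed, steps))
        self._used_nonces = set()

    def export(self, request: dict) -> dict:
        expected = authorize(self._authority_key, request["device_id"],
                             request["nonce"])["tag"]
        if not hmac.compare_digest(expected, request["tag"]):
            raise PermissionError("request is not signed by the authority")
        if request["device_id"] != self.device_id:
            raise PermissionError("request names a different device")
        if request["nonce"] in self._used_nonces:
            raise PermissionError("request was already used")
        self._used_nonces.add(request["nonce"])
        check = hashlib.sha256(b"check" + self._device_key).digest()
        return {"seed": self._seed, "steps": self._steps,
                "locked": self._locked, "check": check}

def unlock(blob: dict, steps_done=None):
    """Requester side: walk the chain, then unmask the key.
    Returns None if the chain was not walked to the end."""
    steps = blob["steps"] if steps_done is None else steps_done
    key = xor(blob["locked"], walk_chain(blob["seed"], steps))
    check = hashlib.sha256(b"check" + key).digest()
    return key if hmac.compare_digest(check, blob["check"]) else None

if __name__ == "__main__":
    authority_key = secrets.token_bytes(32)           # constructed key
    enclave = Enclave("device-001", authority_key, steps=200_000)
    request = authorize(authority_key, "device-001", secrets.token_bytes(16))
    blob = enclave.export(request)
    print("partial walk opens key:", unlock(blob, steps_done=1000) is not None)
    print("full walk opens key:   ", unlock(blob) is not None)
```

The delay only holds against whoever receives the export; the enclave itself still stores the unlocked key, so this sketch says nothing about attacks on the device.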

~~~
syn0byte
Wouldn't the police have a "right" to know if a person has any weapons?
Detaining everyone and performing a full cavity search for any and all
infractions is just the police exercising their "right" to such information.
Will you be the first to bend over and spread for the cops' "right" to peace of
mind?

"That it is better 100 guilty Persons should escape than that one innocent
Person should suffer, is a Maxim that has been long and generally approved."

~~~
LeifCarrotson
> "That it is better 100 guilty Persons should escape than that one innocent
> Person should suffer, is a Maxim that has been long and generally approved."

I wonder if that maxim is still generally approved. It seems like some
authoritarians would prefer that 100 innocents would suffer than one guilty
person should escape.

I suppose it depends how you define "innocent" and "suffer". Under modern law,
everyone is guilty of something. And while we might not require suffering in
prison, a little suffering of expensive legal fees, invasions of privacy of
your digital data/at the border/in the airport, or searches and seizures of
property by police in your car are commonplace.

~~~
AnimalMuppet
I think, even in places that believed the maxim, 9/11 changed the calculation.
Now the question is: How many innocent people should be jailed in order that
3000 innocent people not be killed?

Mind you, I'm not saying it's _right_. I'm just saying that this is how the
authorities are thinking.

~~~
Scoundreller
Or how many billions of hour-lives should we steal a minute or hour at a time
from to save X lives?

------
pizza
If the US government gives itself the right to install backdoors / exploit
vulnerable software (as opposed to notifying companies about vulnerabilities)
then I feel pretty uncomfortable about ex-government hackers just becoming
freelance mercenaries using knowledge they may have gleaned from those ops
once they move onto their next gig.

I can't think of a great solution to this problem.

~~~
cryptonector
You can make it illegal for ex-NSA employees to use their knowledge of
exploits learned while on the NSA payroll. It may well already be the case for
all I know.

~~~
acct1771
Perfect. Then, just hope people follow rules.

~~~
smolder
Sometimes you have to disincentivize behavior with prison time and things like
that and then hope people don't do it. Trying to prevent some crimes ahead of
time is a recipe for dystopia.

~~~
AgentME
In this case, "trying to prevent some crimes [of government employees leaking
the golden key]" possibly means "don't make a golden key that lets governments
freely hack everyone", which is generally being regarded in this thread as the
non-dystopian result.

------
mont
I realize it's a really sexy headline, but I'd like for there to be more than
0 proof that this is a real thing. Especially if they claim a vulnerability
that's exploitable by only sending a text.

~~~
swebs
This article doesn't cite sources, but the other one cites Lori Stroud, a
former developer of the application.

[https://www.reuters.com/investigates/special-report/usa-spyi...](https://www.reuters.com/investigates/special-report/usa-spying-raven/)

~~~
ganoushoreilly
Lori did not develop the program. She was solely an intelligence analyst.

------
air7
I think that the idea of out-of-the-box privacy/security against even a semi-
competent adversary on any computer (especially a mobile device) is completely
fictitious, and these hack stories play an important role in helping people
realize that.

Consider the thousands of people around the world that are involved in making
phones in design, hardware, software, manufacturing, signal providers,
platform providers, app writers to name a few. Any of them could be malicious
actors or accidentally introduce exploitable bugs. The idea that such a
complex stack can shield you from very smart and resourceful people that are
actively trying to peek through is not reasonable. Everyone, especially people
that are "annoying" to powerful entities (corporate or government), should
_assume_ that everything they do with their mobile phone is accessible to the
people they hope it isn't.

~~~
graeme
That's a good, cautious stance. That said, this may not be a good example of it.

We don't know the iMessage bug, but a big one was patched in iOS 9.3.3,
released July 18, 2016. Meanwhile, the article says this exploit got a lot of
people in 2016/2017.

So, presumably simply updating software would have protected a lot of the
victims in this case.

The higher up in adversary skill level you go, the less this works. But up to
a reasonably high level simply having up to date software thwarts most
adversaries, no? And conversely, if you have very out of date software, even
incompetent adversaries can break in.

------
trhway
>A team of former U.S. government intelligence operatives working for the
United Arab Emirates

no non-competes? So, when Snowden tells the public about mere existence of NSA
hacks - it is a crime, yet when an intelligence operative brings his NSA and
the likes sourced detailed technical knowledge to a foreign government - that
is kosher.

~~~
java-man
welcome to reality

~~~
YayamiOmate
Now imagine what's going to be possible in Australia with their compulsory
surveillance laws...

Though, I wouldn't be super surprised if they banned people they forced to
implement exploits from leaving the country =X

~~~
java-man
I take a more pessimistic view. We should think that all this is already being
done, just not acknowledged.

------
DGAP
No one read the other Reuters article on this - it may have been criminal for
NSA employees to participate in this, at the very least it was highly
discouraged. If anything this is a good argument to pay IC employees on the GS
payscale better so they're less likely to take jobs with other countries.

~~~
ganoushoreilly
Large govt. contractors and sub companies run this and all the other programs
like this. There is tacit approval for these ops. I'd even imagine there's a
bit of intel being fed back to them from the new _employees_.

~~~
DGAP
"The FBI is now investigating whether Raven’s American staff leaked classified
U.S. surveillance techniques and if they illegally targeted American computer
networks" [1]

It's still illegal to use US classified information for a program like this
and it's still illegal to target American citizens or networks.

[1] [https://www.reuters.com/investigates/special-report/usa-spyi...](https://www.reuters.com/investigates/special-report/usa-spying-raven/)

~~~
ganoushoreilly
I didn't say it wasn't, I simply said all of it could be encompassed by the
specific clause of "TTP's" that is common in anyone's read on-off of
information. The difficulty becomes in proving what was _classified_ and what
wasn't when it comes to techniques and procedures. If you were to use a
liberal sense of the term, many of your "Security Professionals" deploying
their skills around the US right now would be in violation. It's why there
isn't a simple non-compete / non-authorization of future work within that
field, it's just not going to stand up in court.

It's all as clear as mud and in this instance the government was more than
aware of their former employees working there, many returned and went back to
their prior careers.. think about that one for a second.

------
mschuster91
To expect citizens to revolt against their _own_ country and force their
"secret services" to not endanger public security any more by using and buying
such 0days is one thing - that's unrealistic.

But seriously, I wonder why _other_ governments and their citizens are not
demanding drastic actions, like trade suspensions, expulsion of diplomats or
other sanctions, when other countries get caught in such ways of spying or
otherwise just screwing all over human rights. This one would be a perfect
example to take a stand on - UAE is far smaller in oil trading and political
importance than e.g. Saudi Arabia.

Or why there seems to be next to zero public funding for providing open
source, auditable hardware and software that could _prevent_ such spying in
the first place? The European Union could easily fund the development of a
truly FOSS Android-based phone, down to the processors. Instead everyone seems
to rely on Chinese or American products, which are both subject to non-
European influence (in the US via NSLs, in China due to the massive influence
of the Party on any major company).

------
renholder
IA link[0] for people who get "Page Not Found", trying to visit from Europe.

[https://web.archive.org/web/20190130135641/https://www.reute...](https://web.archive.org/web/20190130135641/https://www.reuters.com/investigates/special-report/usa-spying-karma/)

------
cs702
_> Three former operatives said they understood Karma to rely, at least in
part, on a flaw in Apple’s messaging system, iMessage. They said the flaw
allowed for the implantation of malware on the phone through iMessage, even if
the phone’s owner didn’t use the iMessage program, enabling the hackers to
establish a connection with the device. To initiate the compromise, Karma
needed only to send the target a text message — the hack then required no
action on the part of the recipient._

Has anyone here heard about or is familiar with this malware?

~~~
pjc50
I wonder if this is
[https://www.theguardian.com/technology/2016/jul/22/stagefrig...](https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple)
again, the article mentions 2016.

~~~
meowface
Seems like a likely candidate.

------
cfv
I can't help but giggle at the thought of Emirati hackers. For whatever reason
my mind can't wrap around the fact that an extremely religious people can also
be at the high end of tech (at the very least high enough to figure out 0days
and such).

Does anyone have any info on since when this has actually been like this? I'd
like to look up how their CS education works and that kind of stuff.

~~~
steve19
There are plenty of religious people in Hacker News. I have no idea why you
would think being religious or spiritual would prevent anyone from developing
technology.

My religious views do not stem from a lack of intelligence or education.

~~~
cfv
Not even talking about intelligence here. Sorry. That's an endless time waster
I'm not touching.

As mentioned, for whatever reason, I'm having a hard time picturing how people
who deem apostasy punishable by death can also manage, research, and exploit
modern equipment, and am looking for some indication as to when exactly did
they start getting good at it.

------
cyphunk
Overlooked: the apathy required to become techno-mercenaries started with the
agents convincing themselves that spying on nationals was different than
foreign nationals while working in the NSA. To resist this apathy cyber
intelligence agents working for any government/corporation should deploy a
moral compass that assumes they are working for the UAE.

This also begs for international conventions. New international conventions
would provide a psychological back-stop against the infosec industry's
unchecked nationalism. When an agent asks themselves "is what I am doing okay"
international convention and law would give them an alternative to compare
with other than the militarist default of "yes".

------
taurath
Sorry for slight meta, but does anyone know why this 323 pt 8 hour old story
is near the top of the front page, while the 6 hour old 639pt story on apple
blocking FB's certs is on the 2nd page?

------
tlrobinson
> and former American intelligence operatives working as contractors for the
> UAE’s intelligence services

At what point does this become considered treason?

~~~
bradleyjg
_Treason against the United States, shall consist only in levying war against
them, or in adhering to their enemies, giving them aid and comfort. No person
shall be convicted of treason unless on the testimony of two witnesses to the
same overt act, or on confession in open court._

------
TLC555
You have an agency like the NSA with scores of genius mathematicians and
hackers and a black budget. There's nothing beyond their means, spying wise.

I suspect that one day our internal thoughts and feelings will be under
constant mass surveillance, Minority Report style, but it won't look like sci-
fi when it happens.

------
neom
Am I the only one who feels like every time we get news of a government
compromising an iPhone through some mystical exploit, the technology around it
seems very fanciful?

~~~
mont
Like an exploit where all you need to do is enter the target's phone number to
compromise their phone?

~~~
zaroth
TFA says they need to send the target a text message.

The exploit must be something like a buffer overflow in iMessage. Which we
know bugs like this have been fixed. Remember the text of death which could
crash any iPhone from a couple years ago?

~~~
brobinson
Are you thinking of the "Stagefright" bug that did RCE via SMS on Android
devices? Or maybe the Chinese censorship code that crashed iOS when people
sent the Taiwanese flag emoji? 🇹🇼

~~~
jeroenhd
Don't forget the Stagefright-like bug in iOS where a malformed TIFF file could
lead to remote code execution!

------
jradd
I read this as: "class of netizens who use iphone, targeted by scandal or bad
actor" poignantly titled 'Karma.'

------
cronix
While I find this absolutely disgusting and horrifying, at the same time I
hope this becomes extremely widespread and rapidly. This needs to happen to
Americans. Only then will we, the collective we, wake up and actually do
something and maybe start to take privacy and security seriously.

I am rapidly becoming anti tech, as I think I can clearly see where this is
all going. That's hard for me to say, as my whole life has been tech focused.
I'm 47 and started coding when I was 10. My whole life centers around it, and
always has.

Hitler, Stalin and Mao would have absolutely loved to be alive today and have
these types of tools. Maybe we need another 100M deaths to see what this kind
of information and power leads to. We are recording everything we do
digitally, all to be easily analyzed by whomever comes to power at some future
point of time, where the rules might be different. Most of what is recorded
about us we don't even know. It will also be easier to find all of the
relatives, so they can be killed off too. They like to make examples and
ensure no one steps out of line. They don't just kill you, they kill 1-2
generations of your family.

This data won't go away. Ever. They will know who likes what, who supports
what, etc. Just a keyword search away from getting a list of names and
addresses. We think we are so clever. We are building our future jail. For the
first time in history, we have the ability to track every single minute detail
about a person's life from birth til death, in extreme, high resolution which
grows by the day. I don't just know you went from point A to point B. I know
the exact route you took, how long it took to complete each segment, how long
you stopped at each place along the way, what those places were, etc. That's
just gps data.

I saw the 60 Minutes piece on PlanetLabs' recent launch of 300 satellites.
They're taking pics of the globe in very hi resolution, constantly. Better
than some of our spy sats. Oh, and anyone can access that data. It's free!
They showed how they were able to go back in time to when the compound that
Osama Bin Laden was killed in was built. They were then able to create a very
accurate model of the compound which led to the raid that killed him by going
so far back in time to when they started building the thing. Obviously we
think that's a good thing because it led to a mass murderer's death, but think
about that technology.... recording everything 24/7, globally, going back
years in time to reconstruct something that happened in the past...
[https://www.cbsnews.com/news/private-company-launches-larges...](https://www.cbsnews.com/news/private-company-launches-largest-fleet-of-satellites-in-human-history-to-photograph-earth-60-minutes/)

------
KangLi
What about Dragonfly? Is it also assisted by the government? It is censored
but it sounds like a rat trap.

------
DyslexicAtheist
TL;DR: the US attitude ...

      *It’s fine to spy on human rights activists with all the powers of government as long as they’re not American*

... really gets to the heart of how the US treats the rest of the world. The
US is the biggest terror threat in the world today. Its pains are self
inflicted and its enemies created by their very own foreign policy.

~~~
module0000
>> ... really gets to the heart of how the US treats the rest of the world.

Really gets to the heart of how the ruling 0.0001% of the US treats the rest
of the world. Fixed that for you. Some of us just live here.

~~~
DyslexicAtheist
yeah I actually thought it would be clear as crystal that when I speak of the
crimes committed here we're not talking about those that pay their taxes, and
struggle to get access to health-care ... Most are themselves immigrants so
how on earth would anyone suggest it's the ordinary citizen here that's
guilty[0]. I do acknowledge that my comment was "un-American" (not that I give
a hoot).

[0]
[https://en.wikipedia.org/wiki/The_Untold_History_of_the_Unit...](https://en.wikipedia.org/wiki/The_Untold_History_of_the_United_States#Critical_reception)

------
cyphunk
Taking the sources of the article on their word...

They said the tool's use faded in late 2017 due to Apple patches and that
compromise required only sending a text message. Examining CVEs up until late
2017 may give more of an idea of how this tool worked. Judging from a cursory
review, there are many remote code exploits so it would be hard to narrow
down. But this is what I chose to look at when considering CVEs between Jun
2017 and Dec 2017 that could affect iMessage. Many of these are classified as
Denial of Service bugs but often those can be extended to code execution with
extensive research.

IOKit [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13847)

IOMobileFrameBuffer [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13879)

CFString [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13821)

CoreText [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13825)

CoreText [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13849)

Fonts? [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13828)

ImageIO [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-13814)

Messages [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7118)

SQLite [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-10989)

SQLite [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7128)

SQLite [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7129)

SQLite [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7130)

SQLite [https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20...](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7127)

Kernel: too many to count

These were compiled by reviewing the Apple security mailing list
[https://lists.apple.com/archives/security-announce/2017](https://lists.apple.com/archives/security-announce/2017)

