Hacker News

> An untethered stealth jailbreak that installs without user interaction from a webview, that's almost as bad as it gets. And for iOS 7.0.0 - 9.3.4 inclusive. And with exfiltration of audio, video, whatsapp, viber, etc etc. So thorough and so bad :-/

Short of being triggered completely in the background by a UDP packet, what's worse than this?

Chaining this with some form of SMS/MMS bug (a la Stagefright) would make this unbelievably powerful. That's essentially the worst case scenario I can imagine for mobile security.


Or this, from the detailed writeup linked elsewhere on this page:

> To use NSO Group’s zero-click vector, an operator instead sends the same link via a special type of SMS message, like a WAP Push Service Loading (SL) message. A WAP Push SL message causes a phone to automatically open a link in a web browser instance, eliminating the need for a user to click on the link to become infected.

It goes on to say that messages of this type are increasingly restricted by service providers and newer phone OSes, but that's still pretty horrifying to read.
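The SL mechanism quoted above, seen from the filtering side, as an added example that is not from the linked writeup or any commenter: a minimal decoder for a WBXML-encoded WAP Push SL message that recovers the `href` and `action` attributes, so a carrier gateway or MDM relay can drop messages that tell the handset to load a link with no user interaction. The WBXML token values are my reading of the WAP SL specification and the sample bytes are constructed; check the tokens against the spec before relying on them.

```python
# Triage WAP Push Service Loading (SL) messages before they reach a handset.
# Token values below are assumed from the WAP SL spec (WBXML code page 0).
PUBLIC_ID_SL = 0x06                       # WBXML public identifier for SL 1.0
TAG_SL = 0x05                             # <sl> element tag token
STR_I, END = 0x03, 0x01                   # inline string / end-of-attributes
ATTR_START = {                            # attribute-start tokens with value prefix
    0x05: ("action", "execute-low"), 0x06: ("action", "execute-high"),
    0x07: ("action", "cache"),       0x08: ("href", ""),
    0x09: ("href", "http://"),       0x0A: ("href", "http://www."),
    0x0B: ("href", "https://"),      0x0C: ("href", "https://www."),
}
ATTR_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}

def parse_sl(data: bytes) -> dict:
    """Decode a single-element SL document; returns its attributes."""
    if data[1] != PUBLIC_ID_SL:           # version, public id, charset, strtbl len
        raise ValueError("not an SL document")
    i = 4 + data[3]                       # skip header and string table
    tag, i = data[i], i + 1
    if tag & 0x3F != TAG_SL:
        raise ValueError("expected <sl> element")
    attrs, cur, buf = {}, None, ""
    if tag & 0x80:                        # element carries attributes
        while data[i] != END:
            b, i = data[i], i + 1
            if b in ATTR_START:           # new attribute: flush the previous one
                if cur:
                    attrs[cur] = buf
                cur, buf = ATTR_START[b]
            elif b == STR_I:              # NUL-terminated inline string
                end = data.index(0x00, i)
                buf, i = buf + data[i:end].decode("utf-8"), end + 1
            elif b in ATTR_VALUE:         # well-known value fragment
                buf += ATTR_VALUE[b]
            else:
                raise ValueError(f"unsupported token {b:#x}")
        if cur:
            attrs[cur] = buf
    attrs.setdefault("action", "execute-low")   # spec default when omitted
    return attrs

def triage(data: bytes) -> dict:
    """Block any SL that loads a URL without user interaction; allow cache-only."""
    doc = parse_sl(data)
    doc["verdict"] = "block" if doc["action"].startswith("execute") else "allow"
    return doc

# Constructed samples: <sl href="http://example.com/update" action="execute-high"/>
SAMPLE_EXECUTE_HIGH = b"\x02\x06\x6a\x00\x85\x09\x03example\x00\x85\x03update\x00\x06\x01"
# and <sl href="https://www.example.org/x" action="cache"/>
SAMPLE_CACHE = b"\x02\x06\x6a\x00\x85\x0c\x03example\x00\x88\x03x\x00\x07\x01"
```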


Wow, this WAP Push SL thing seems egregious. It's understandable that somebody thought it would be useful, for like five minutes. But how could a standards body or any of the several different OS companies who have implemented it not have realized how monumentally unwise it is to just automatically run shit that randomly gets sent to a phone?


Not everything that supports WAP has to be a phone. It could also be a standalone device, or sensor, or whatever. And with WAP push you can control it.

For me the strange thing is that it is on by default on user phones.


This stuff was all designed by European mobile operators (many of them monopolies) in the mid-90s. Not exactly a peak period for security thinking.


I wonder if it can be triggered from the webview it automatically pops up when a captive wifi portal is accessed. Needs proximity to the user, but still straightforward.


If the attacker controls the wifi, he doesn't need to put it in the captive portal page; he can intercept any non-secure http page and put his exploit there.

You really shouldn't connect to untrusted networks at all if you want to be safe from this kind of attack.


Likely. Then again, good opsec would imply that you don't join untrusted networks, period.


When your service provider is owned by the state, all you can rely on is the OS provider.

Maybe we should all just go back to carrying dumbphones.


That's presuming you have more faith in your desktop/other computing systems to be safe in the long run.

Personally, I'd take iOS over any alternative, if security was my biggest concern.


I can recommend that you try Qubes OS.


Anybody know if and what limitations iOS and/or Android put on WAP Push SLs?


It likely doesn't have persistence due to the secure boot chain, so it could get worse.

Or attacks against the Secure Enclave.


It does have reboot persistence. That's what untethered usually means.


Yeah, I'm wondering if it's re-exploit on boot or actual subversion of the OS, though.


What's the difference? :)

It's explained in detail here: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...

Apparently it overwrites a system binary that's launched on boot with another Apple-signed binary, "jsc" (a console JavaScript interpreter), which will evaluate some sort of .js that re-exploits everything. Pretty clever to reuse Apple-signed binaries for nefarious purposes. (The binary must be Apple-signed because when booting the kernel isn't exploited yet and so it enforces code signing, obviously.)
