[HN Gopher] Scanning your iPhone for Pegasus
___________________________________________________________________
Scanning your iPhone for Pegasus
Author : arkadiyt
Score : 188 points
Date : 2021-08-01 15:17 UTC (7 hours ago)
(HTM) web link (arkadiyt.com)
(TXT) w3m dump (arkadiyt.com)
| rubatuga wrote:
| You need to jailbreak to do a complete file system dump to
| actually check if you've been infected by Pegasus. This is not
| the most accurate method.
| arkadiyt wrote:
| Did you read the "Choosing your options" section of the blog
| post?
| e40 wrote:
| For me, on macOS, I had encrypted backups already turned on,
| using the Finder. So, when I did the "mvt-ios decrypt-backup" I
| omitted the "-p ..." and gave my login password. I had assumed
| that the Finder-initiated backups would use it, and it appears to
| be the case (the decryption data looks good to me).
| [deleted]
| rsync wrote:
| Isn't "Pegasus" transmitted via a well-crafted iMessage ?
|
| If only there was a central choke-point, globally, for all
| iMessage messages that could weed out particularly ill-formed
| messages such that they never reach your phone ...
|
| If only ...
| SheinhardtWigCo wrote:
| Because of E2EE that choke point is necessarily the software
| update process.
| rsync wrote:
| Ahh... right. Thank you.
|
| Wouldn't a simple block/allow list for sending IDs / phone
| numbers be trivial to implement on the iCloud (or whatever)
| side of things such that the end user could allow their known
| contacts and block (everyone else) ?
|
| Forgive me - I am not an iMessage user ...
| SheinhardtWigCo wrote:
| Apple product marketing would never sign off on that
| because it would a) confuse their messaging by signaling
| that iMessage is less safe than email, b) hurt the user
| experience for the vast majority of customers.
| arkadiyt wrote:
| Apple doesn't have access to the message content thanks to end-
| to-end encryption (technically they can have access if you
| backup your messages to iCloud, but by that point it's already
| too late).
|
| However they are working on better sandboxing to help prevent
| this class of attacks, and Google Project Zero posted an
| overview of how that "blastdoor" process works:
|
| https://googleprojectzero.blogspot.com/2021/01/a-look-at-ime...
| marderfarker2 wrote:
| In the Amnesty report there were multiple attack vectors, one
| of which is via network hijacking which involves data mangling
| by network operators. Now it begs the question whether the
| network operators were in cahoots or this Pegasus is also
| capable of infecting network infrastructure.
| darig wrote:
| So... you're curious if your phone has government sponsored
| malware on it... and the solution is to image the phone and copy
| everything over to a different computer?? Including the possible
| GOVERNMENT SPONSORED MALWARE??
|
| Don't be dumb.
| emsy wrote:
| Something like this should be available from Apple. But I guess
| they only offer privacy and security if it doesn't require
| transparency. Well as long as it makes for good marketing.
| marderfarker2 wrote:
| And here I thought iOS with its walled garden approach would
| make these kinds of attacks impossible.
| [deleted]
| whynotminot wrote:
| Walls have never been foolproof, though that doesn't mean
| building them is a waste of time.
| fartcannon wrote:
| The walls are financial, not security. The security is a
| lie.
| whynotminot wrote:
| Both can be true at once.
|
| It's actually a pretty big security win that I don't have
| to worry about what my grandma downloaded from the
| internet for her iPhone for instance, the way I have to
| worry about her laptop. Apple profits from this, and I
| really don't mind.
| cronix wrote:
| > I don't have to worry about what my grandma downloaded
| from the internet for her iPhone
|
| Yet you're ironically responding about an article telling
| how to find if your _iPhone_ has been infected with
| Pegasus, one of the worst, most obtrusive security
| vulnerabilities you can have, period.
| whynotminot wrote:
| Do you think nation states who spent a fortune on Pegasus
| are going after my grandmother?
|
| I think you're missing the big picture for most normal
| people.
| marderfarker2 wrote:
| They built it so high up nobody could tell what's going on
| until you jailbreak the device.
| carom wrote:
| This is really convoluted. There is a $3 app from the App Store
| called iVerify that checks. [1]
|
| 1. https://www.iverify.io/
| karlshea wrote:
| "checks"
| dguido wrote:
| We're using most of the exact same file-based indicators as
| MVT. It's really refreshing that Amnesty shared so much of
| what they found -- it made our own process of testing our
| checks against their discoveries much easier.
| arkadiyt wrote:
| Trail of Bits hasn't shared what detections they're looking for
| with iVerify, but the app has extremely limited access to your
| device data - the device backup or full filesystem dump
| approaches will give you better detection.
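The file-based indicator matching that dguido and arkadiyt describe above, as an added example (this is not MVT's or iVerify's code): a STIX2 indicator bundle of the shape Amnesty publishes is parsed into per-kind lookups, and records extracted from a device backup (process names from the network data-usage database, browser history URLs, file names from the backup manifest) are matched against it. Both the bundle and the backup records are constructed sample data with placeholder values, not real Pegasus indicators, and the record layout, the source names and the subdomain rule are my assumptions about how such a scan is organised, not MVT's actual implementation.

```python
"""Match backup-derived artifacts against STIX2 file-based indicators.

Added example, not MVT or iVerify code. The indicator bundle and the backup
records below are CONSTRUCTED sample data with placeholder values.
"""
import json
import posixpath
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed STIX2 bundle: one "indicator" object per pattern, plus one
# non-indicator object to show that it is ignored. Values are placeholders.
CONSTRUCTED_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0001",
         "pattern": "[domain-name:value = 'cdn.example-ioc.invalid']"},
        {"type": "indicator", "id": "indicator--0002",
         "pattern": "[process:name = 'bh-example']"},
        {"type": "indicator", "id": "indicator--0003",
         "pattern": "[file:name = 'example-launchd.plist']"},
        {"type": "indicator", "id": "indicator--0004",
         "pattern": "[url:value = 'https://stats.example-ioc.invalid/p']"},
        {"type": "malware", "id": "malware--0001", "name": "placeholder"},
    ],
})

# STIX object paths we understand, mapped to the artifact kind they match.
PATTERN_RE = re.compile(
    r"\[(domain-name:value|process:name|file:name|url:value|email-addr:value)"
    r"\s*=\s*'([^']+)'\]"
)
KIND_FOR_PATH = {
    "domain-name:value": "domain",
    "process:name": "process",
    "file:name": "file",
    "url:value": "url",
    "email-addr:value": "email",
}


def parse_stix_indicators(bundle_json: str) -> Dict[str, Dict[str, str]]:
    """Return {kind: {lowercased value: indicator id}} from a STIX2 bundle.

    Non-indicator objects and patterns we cannot parse are skipped; they
    must never be treated as a match.
    """
    iocs: Dict[str, Dict[str, str]] = {k: {} for k in KIND_FOR_PATH.values()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for path, value in PATTERN_RE.findall(obj.get("pattern", "")):
            iocs[KIND_FOR_PATH[path]][value.lower()] = obj["id"]
    return iocs


# Constructed records of the kind a backup scan yields (assumed layout).
CONSTRUCTED_BACKUP_RECORDS: List[dict] = [
    {"source": "DataUsage.sqlite", "kind": "process",
     "value": "com.apple.mobilesafari", "timestamp": "2021-07-30T10:00:00Z"},
    {"source": "DataUsage.sqlite", "kind": "process",
     "value": "bh-example", "timestamp": "2021-07-30T10:02:13Z"},
    {"source": "History.db", "kind": "url",
     "value": "https://news.example.org/", "timestamp": "2021-07-30T10:05:00Z"},
    {"source": "History.db", "kind": "url",
     "value": "https://cdn.example-ioc.invalid/a/b", "timestamp": "2021-07-30T10:06:41Z"},
    {"source": "Manifest.db", "kind": "file",
     "value": "Library/Preferences/example-launchd.plist", "timestamp": None},
    {"source": "Manifest.db", "kind": "file",
     "value": "Library/Preferences/com.apple.Preferences.plist", "timestamp": None},
]


def _domain_hit(host: str, domain_iocs: Dict[str, str]):
    """Exact match, or the host is a subdomain of an indicator domain."""
    host = host.lower()
    for ioc, ind_id in domain_iocs.items():
        if host == ioc or host.endswith("." + ioc):
            return ind_id
    return None


def scan_records(records: List[dict], iocs: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return every record that matches an indicator, tagged with its id."""
    hits = []
    for rec in records:
        kind, value = rec["kind"], rec["value"]
        if kind == "url":
            # Full-URL indicator first, then the URL's host against domains.
            ind_id = iocs["url"].get(value.lower())
            if ind_id is None:
                ind_id = _domain_hit(urlsplit(value).hostname or "", iocs["domain"])
        elif kind == "domain":
            ind_id = _domain_hit(value, iocs["domain"])
        elif kind == "file":
            # Manifest entries are paths; file indicators are bare names.
            ind_id = iocs["file"].get(posixpath.basename(value).lower())
        else:
            ind_id = iocs.get(kind, {}).get(value.lower())
        if ind_id is not None:
            hits.append({**rec, "indicator": ind_id})
    return hits


if __name__ == "__main__":
    found = scan_records(CONSTRUCTED_BACKUP_RECORDS,
                         parse_stix_indicators(CONSTRUCTED_STIX_BUNDLE))
    for h in found:
        print(f"{h['source']}: {h['kind']} {h['value']!r} -> {h['indicator']}")
```

Run as-is it reports the three constructed matches (the process name, the history URL whose host is an indicator domain, and the manifest file). Keeping the parser strict about which STIX paths it understands matters: an unparsed pattern silently becoming a wildcard would turn a clean backup into a sea of false positives, which is exactly the outcome the "real infection or false positive" advice further down the thread is about.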
| dguido wrote:
| Trail of Bits here -- while this is mostly correct, there are
| also parts of the runtime that dead file forensics won't be
| able to identify. There's no harm in doing both and, in fact,
| we'd recommend it if you're concerned.
| josteink wrote:
| Any way to check iPhones if you don't have a Mac?
| mercora wrote:
| It's in the article, I had overlooked it too though...
| grav wrote:
| On Arch Linux, I installed libimobiledevice from source
| (https://github.com/libimobiledevice/libimobiledevice), as the
| newest version in Pacman didn't connect to my iPhone.
|
| I also installed usbmuxd via Pacman.
| veerabadhra wrote:
| After installing it myself, I realized the container already
| has it. You just need to give the container access to your
| USB controller.
| [deleted]
| htk wrote:
| Does anyone have any info on how widespread is Pegasus?
| frickinLasers wrote:
| There's the list of targets we know about:
| https://cdn.occrp.org/projects/project-p/#/
|
| And the Guardian has some in-depth reporting going on.
| https://www.theguardian.com/news/series/pegasus-project
|
| None of this really answers how prevalent the spyware is,
| though.
| getaclue wrote:
| I think wrong question
| zepto wrote:
| What would the right question be?
| getaclue wrote:
| What isn't infected?
| samatman wrote:
| These are, in fact, the exact same question.
| getaclue wrote:
| there are no wrong questions ;-)
| lambda_dn wrote:
| What if the mobile verification toolkit is Pegasus?
| quenix wrote:
| It doesn't run live on your phone--rather, you back it up using
| Apple software and then run the tool on the backup. So it never
| touches your phone directly.
| [deleted]
| kapnobatairza wrote:
| I ran this tool and found a trace that I was infected (malware
| detected in CrashReporter.plist). Any clue what I should be
| doing, if anything, to address this?
| quenix wrote:
| Wow, that's scary. Could you provide the stdout from the tool
| indicating this?
| biktor_gj wrote:
| I'm no expert, but if you ask me, I would completely erase the
| phone, upgrade it via DFU, and start fresh. After setting it up
| again, run another backup and rerun the tool to double-check.
| That or ditch the phone.
| makach wrote:
| This is an expert response.
| SheinhardtWigCo wrote:
| The last three words are.
| newbamboo wrote:
| What's the best procedure for getting data off a compromised
| iPhone before wiping? Plugging it into other devices via usb
| or backing up to iCloud seems sketchy to me but maybe I'm
| overly paranoid.
| cronix wrote:
| > Plugging it into other devices via usb
|
| You've never plugged your phone into your computer before?
| If so, I doubt it could cause more harm to do it again
| unless you haven't done it since your device was infected.
| You're just mentally aware of it now, but how long has it
| been there and how many devices have you plugged your phone
| into since then, even just to charge? If you _never_ plug
| your phone into another device, it's moot, but I suspect
| most people do at some time or another. "Hey, can I plug my
| phone in real quick to charge a bit" type stuff. Airdrop is
| good for quick, small files, but I'm not going to be
| transferring multiple gigabytes of 4k video via wifi speeds
| that way.
| newbamboo wrote:
| Thanks. Wasn't sure how airdrop worked so wasn't sure if
| connecting a compromised device that way was a concern.
| Unfortunately there is no info out there because the
| official line is "all apple devices are secure don't
| worry!"
| [deleted]
| SheinhardtWigCo wrote:
| Reach out to Amnesty Tech and/or Citizen Lab for help
| establishing whether this is a real infection or a false
| positive.
|
| If it's real: Adjust your behavior to account for the fact that
| once you know you're a target, there is no device on the market
| and no practical measures you can use to maintain safety.
| Assume everything you do on or near a computer used by you or a
| close contact is being monitored. The level of effort needed to
| maintain strong security in the context of being a target is
| astronomically higher than any individual can deal with.
| NotSammyHagar wrote:
| How about use your phone as only a data modem and do
| everything on a chrome os device, which has no known
| malware. Just don't install chrome extensions and you are
| safe. Also avoid installing apps on your phone.
|
| This is basically what I wish I had, except back in reality
| there's no Chrome device that's the size of my cell phone.
| There are some with cellular modems.
| yosito wrote:
| > on a chrome os device
|
| You instantly lost.
| londons_explore wrote:
| Chrome OS is probably the most secure system to use from
| an exploit perspective.
|
| Just never install an Android app on it (that feature
| doesn't have the same guarantees as the rest of the
| system), and preferably use a guest account on it (that's
| how they run it in security competitions)
|
| You basically have to break four layers to exploit that.
| You have to break the web renderer, then out of the
| browser sandbox, then you need to exploit the kernel to
| be able to write outside the (non persistent) guest
| account storage, then you need to exploit the
| firmware/secure boot chain so secure boot doesn't detect
| your modifications to the filesystem when the system next
| boots.
| TechBro8615 wrote:
| No malware except for the Google operating system
___________________________________________________________________
(page generated 2021-08-01 23:01 UTC)