[HN Gopher] From Pegasus to Predator - The evolution of commerci...
___________________________________________________________________
From Pegasus to Predator - The evolution of commercial spyware on
iOS [video]
Author : cookiengineer
Score : 363 points
Date : 2024-12-30 03:39 UTC (19 hours ago)
(HTM) web link (media.ccc.de)
(TXT) w3m dump (media.ccc.de)
| hssuser wrote:
| Just finished reading pegasus today. Fascinating how this will
| keep evolving, keep getting worse and we might as well act as if
| we are getting surveilled. Too much incentive to not have
| adversarial actors. Link for the lazy - not an affiliate link -
| https://www.amazon.com/Pegasus-Threatens-Privacy-Dignity-Dem...
| tptacek wrote:
| The fact that you've heard about it --- heck, the fact that
| there's a _book_ about it --- should tip you off to the idea
| that Pegasus is not the SOTA implant. There 's a whole
| marketplace of companies providing these services, both exploit
| chains and implant stacks, and most of then are firms you've
| never heard of before.
| cylemons wrote:
| Dumb question, what is SOTA implant?
| js2 wrote:
| I don't know either but perhaps "state of the art."
| reaperman wrote:
| SOTA = "State of the art"
|
| "Implant" would be like any remotely installable persistent
| exploit that grants access to an attacker over a period of
| time.
|
| Also, I'm pretty luddite when it comes to highly-hyped AI
| stuff, (in spite of my income being heavily tied to
| developing AI models) but I have found ChatGPT to be
| shockingly good at explaining super niche terminology and
| even jokes. So I do recommend people feel comfortable
| turning to that if they ever feel uncomfortable asking
| "dumb" questions publicly.
| throwup238 wrote:
| @simonw made a custom GPT called the dejargonizer just
| for that purpose:
| https://chatgpt.com/g/g-3V1JcLD92-dejargonizer
| pockmarked19 wrote:
| Or you could just Google it. [0]
|
| That's right. People can just Google things.
|
| [0] https://i.imgur.com/1Yx0m1U.png
| cylemons wrote:
| I googled "SOTA implant" and got something totally
| different.
| gambiting wrote:
| Yeah except Google is just so often wrong or pushing
| crappy SEO results that I honestly think it's worthless
| nowadays.
| maeil wrote:
| Bit of a tangent, but..
|
| Google has been going down hill for many years but since
| the December update a few weeks ago it has genuinely
| become atrocious.
|
| In their quest to combat AI slop (good idea), they've
| gone and made domain authority so much more important
| than the content, that now when you search for A B C, you
| get 20 pages from very "authoritive" sites that are about
| A, are slighyly about B and don't even mention C. This is
| despite plenty of great pages about A B C existing and
| serving the content we're looking for - we just never get
| to see them because the places they're hosted on aren't
| "authoritive" enough. Before, you'd get 5 pages, 1 of
| which likely had what you were looking for, and maybe 1-2
| were AI slop. Now zero of them are what you're looking
| for, but at least we no longer have the (generally very
| obvious) slop? Brilliant improvement for the users..
|
| The reason behind this is pretty obvious: most AI slop
| that had been ranking well likely had 0 ad spend,
| meanwhile the "authoritive" sites tend to have high ad
| spend. Ads was seeing numbers go down and unhappy
| customers, and they run the company.
| layer8 wrote:
| Using verbatim search generally improves the results.
| tptacek wrote:
| An "implant" is like a rootkit; it's all the things you do
| with a compromise once your exploit chain pays off, and
| threat actors generally have standardized implant stacks.
|
| "SOTA" is just an abbreviation for "state of the art".
| hammock wrote:
| You make this comment everywhere Pegasus comes up. Half a
| dozen times on one submission.[1] Can you name some of the
| other firms we've never heard of?
|
| [1]https://news.ycombinator.com/item?id=42476828
| tptacek wrote:
| No.
| saagarjha wrote:
| Alright then, keep your secrets.
| daneel_w wrote:
| So it's either because you, too, have never heard of
| them, or because you're obliged not to. Which one is it?
| Are you making an educated guess about their presence?
| saagarjha wrote:
| No he knows what they are he's just being annoying
| daneel_w wrote:
| My questions were rhetorical ;) I've commented on his
| "patterns" previously, in particular whenever Signal's
| lack of anonymity is the topic. Apparently it's an
| offense so one must watch the way they phrase their
| responses to such statements.
| tptacek wrote:
| I have no idea how to parse this, but if you thought I
| was going to give you a list of all the CNE vendors I'm
| aware of on an HN thread, obviously, no. Why would you
| care anyways? I know enough to know that I'm speaking
| factually about the state of the market, but I don't work
| in it or interact with it in any meaningful way, so you
| could just as easily say "if you know about that vendor,
| that means they're not a SOTA CNE vendor either". You
| might be right!
|
| On this leg of the thread, we're considering basically
| one issue: is NSO Group one of the {only,most}
| {important,impactful,sophisticated,whatever} CNE vendors.
| Is someone seriously arguing that's the case? I'd assume
| the idea that there are lots of vendors more impactful
| would be pretty banal, but maybe there really are people
| on this thread whose understanding of CNE comes entirely
| from that book linked upthread?
| hammock wrote:
| What is the purpose of your original comment? Do you
| disagree with one of the parent's assertions that (this
| will keep evolving) (keep getting worse) (we might as
| well act as if we are getting surveilled) (Too much
| incentive to not have adversarial actors)? It doesn't
| seem as if you do, yet some would interpret your tone as
| argumentative, or unsubstantiated alarmism
| tptacek wrote:
| I would sum my original comment up as "NSO doesn't
| matter". It's an interesting CCC talk. It's worth digging
| into what NSO implants do. There's not much bigger-
| picture stuff to pull out of it.
|
| By all means, sue them, sanction them, proscribe them,
| whatever it is you want to do to make NSO less
| profitable, I'm fine with it. But don't pretend that's
| solving the broad social problem of CNE operations.
| Everybody does it, and most people don't need NSO to do
| it; they have other, better vendors to work with.
| talldayo wrote:
| It is because their presence in these threads is to
| detract from Israeli responsibility for their flagrant
| and organized disrespect of international law. Their
| comment was the _second_ thing submit to this post and
| the absolute first comment responding to anyone in the
| thread. The inciting factor was NSO group, which
| ordinarily doesn 't trigger many comments defending them
| since they are a digital arms dealer and scourge upon the
| first world.
|
| If they cited their sources, used dialectic reasoning and
| engaged with people that wanted their position expanded,
| then I would have no reason to jump to ideological
| conclusions. Unfortunately it seems very clear between
| both their comment history and posts in this thread that
| they have little technical interest in the discussion. At
| this rate we might as well put quotes around "Hacker" and
| take the News portion to people that can stomach it.
| vincnetas wrote:
| how do you know that? Or are you using any tools for this
| insight?
| darknavi wrote:
| Fascinating video with terrible audio for some reason. It made it
| hard to watch the video. It fixes its self a few minutes in at
| least.
| Syonyk wrote:
| Sounds fine to me... ? It's not a native English speaker, but
| the audio seems entirely standard for conference audio.
| darknavi wrote:
| For me (English audio) the first ~13 minutes clips pretty
| hard.
| nyclounge wrote:
| Likewise here. Even tried the audio only link. It is also
| choppy, can the organizer upload a better version? It is
| quite difficult the hear what he is saying sometimes.
| can16358p wrote:
| Yup, the audio was so bad that it started to hurt my ears and
| had to stop. Would love to watch/listen to a version with fixed
| audio though!
| cbg0 wrote:
| Here's a somewhat cleaned-up version of the first 25 minutes
| (used Adobe Podcasts):
|
| https://pub-e2fd917248b04c518e963d141d588b4c.r2.dev/outputfi...
| IYasha wrote:
| Yeah, it's not the first time they have sound problems. Really
| frustrating, especially for non-native speakers.
|
| I was going to blame wireless mics, but they seem to be
| fixed?..
| IYasha wrote:
| Fortunately, they are aware of the problem and made an
| announcement:
|
| >> We are aware of audio issues, especially during talks of day
| 1 (2024-12-27). Some talks have been released in a preview-
| version, but are still being worked on behind the scenes.
| sneak wrote:
| If you are a presenter, please please please please stop it with
| the "put up slide, read bullet points off the slide, repeat"
| format. It's excruciating.
| lnsru wrote:
| That's probably how 80% of presentations I attended last couple
| years were presented. Open slide, read sentences written there,
| go to next slide. Not nice.
| seanhunter wrote:
| There's an excellent essay about how Powerpoint encourages this
| style and how bad it is for everyone by Edward Tufte called
| "The Cognative Style of Powerpoint"
| https://www.inf.ed.ac.uk/teaching/courses/pi/2016_2017/phil/...
| layer8 wrote:
| You generally need to practice a talk a lot to be able to free
| yourself from the slides, especially if you don't often do
| talks. For a one-off talk it's not always realistic.
| Syonyk wrote:
| If you use iOS: Turn on Lockdown mode. All your devices. Don't
| look back. Grant exemptions for individual, known/trusted
| websites/apps if needed to regain functionality that's critical.
| Even if you have to whitelist a few websites or apps, it's better
| than having all the interfaces exposed to all the things.
|
| You eliminate a _ton_ of "complicated, probably exploitable
| things" in spaces known to be commonly exploited. Oddball image
| formats, the Javascript JIT engine, "complex" messaging
| (Facetime, MeMojis, that... entire ecosystem of weird-not-text-
| not-image stuff that Apple does), WebGL, WebRTC, link preview
| processing (I expect a common 0-click exploit chain is through
| that system), and probably some other stuff.
|
| The phone/tablet is entirely usable without this stuff. Some
| websites don't render images properly, "that one guy's website"
| doesn't do the animations, but you can individually bypass
| Lockdown mode for sites, apps, etc - and you still get the
| protections for everything else.
|
| And if you're a web developer or app developer, _please._ Test
| your website on an iOS device with Lockdown mode enabled. Pick
| image formats that render properly, it 's not hard. And if your
| app requires something that isn't supported in Lockdown mode,
| that's fine - but _please_ show some sort of useful error message
| that indicates that, perhaps, this crash /glitch/whatever is the
| result of Lockdown mode, and you can disable it by following
| these steps. Then, also, don't sell to some random purchaser of
| apps.
|
| But Lockdown mode really, _really_ helps reduce the attack
| surface. Try it. You 'll like it! And it might just help prevent
| getting you popped by this sort of crap.
|
| ... then install QubesOS on your full computers and don't look
| back. ;)
| captn3m0 wrote:
| Even large mainstream app developers are not testing against
| Lockdown mode. Amazon's app doesn't load Customer support chat
| with it enabled for example.
|
| Also, is JIT disabled for alternative browser engines in EU?
| saagarjha wrote:
| I don't actually think there is official API to check if the
| device is in Lockdown Mode. But to be clear this is an
| academic curiosity for now as nobody is actually shipping an
| alternative browser engine in the EU that is being targeted
| by a sophisticated attack.
| jeroenhd wrote:
| Nobody has released an alternative browser engine yet,
| because of the way the app store works (you'd need specific
| apps you can only install in the EU next to the worldwide
| version for instance). I'm sure it'll happen eventually, but
| it doesn't seem to be a priority for browser makers just yet.
| nxobject wrote:
| Thanks for the reminder! However, I'm a little pessimistic
| about whether Apple will keep Lockdown Mode maintained and
| updated - I only remember this popping up after Pegasus and
| Apple sending out waves of notifications to exploited users,
| and both seemed to be just a one time effort.
| saagarjha wrote:
| Apple continues to send out exploit notifications and
| Lockdown Mode continues to grow to include more attack
| surface. It seems to be actively maintained, as opposed to a
| lot of other things that Apple has tried.
| nxobject wrote:
| I'm actually glad to hear that! I guess my underlying
| concern is that not knowing the full breadth of modern iOS'
| attack surface might make me complacent when evaluating
| whether there are any risks that Lockdown doesn't cover,
| and that being constantly notified on updates might
| somewhat alleviate that.
| DrWhax wrote:
| Apple has maintained lockdown mode and sent out regular
| notifications. It's just not announced publicly.
| joejoesvk wrote:
| why would a regular user opt in for such a downgrade?
| Retr0id wrote:
| They won't, and they're not expected nor advised to.
| aberoham wrote:
| AVIF images being automatically disabled by default in Lockdown
| Mode is painful. That and various automatic family sharing
| things (such as shared photos or children app install requests)
| no longer working has made Lockdown a deal breaker in some
| cases where the user doesn't appreciate the threat.
| daneel_w wrote:
| Do you happen to have a full list of what media formats are
| still working in Messages when in lockdown mode? Does
| HEIC/HEIF work? (Pardon the question but I just don't have a
| second iOS device available for testing this myself.)
| jeroenhd wrote:
| I don't use iOS often but I find lockdown mode to interfere
| very little with apps when I've tried it. Seems like a "don't
| get hacked" toggle that companies and people doing any kind or
| public researchs should just turn on for their phones.
|
| However, I don't have access to Safari on a dev machine and
| until Apple fixes that, I'm not testing websites on iOS. Sorry
| not sorry, but even Microsoft Edge is cross platform these
| days, if Apple wants independent websites to support their
| browser (especially their own restricted browser profiles) they
| need to stop making it exclusive to their hardware.
|
| Seems like a good idea to test against if you're already doing
| Safari testing but I'm not sure if automated tooling supports
| the toggle.
| saagarjha wrote:
| You can run WebKit on Linux if you want
| realusername wrote:
| Safari mobile has different bugs than WebKit. And even
| different bugs than desktop Safari itself.
|
| As a web developer, I'm also not bothering to test anything
| on iOS, it's just so much pain that it's not worth it. You
| need to buy a dedicated device with a specific iOS version
| and never update it (since you can't even change the
| browser version on iOS) and as for the debugging tools,
| they suck so much that I had to resort to Firebug.js a few
| times in the past.
|
| Yeah no thanks, I just test on Android and hope it's good
| enough on iOS.
| szundi wrote:
| What would your clients react after reading this?
| realusername wrote:
| Not sure, most end users aren't really aware on how it
| works on their mobile and it's not like Apple will
| advertise it either.
|
| Personally I can't really do much about the sad state of
| the web on iOS myself anyways, I'm not a regulator. The
| problem goes beyond just the tech side.
| jeroenhd wrote:
| I do occasionally, but it didn't take me long to find
| differences in behaviour and support between Linux and iOS.
| Entire APIs are left unimplemented on the Linux side and
| things that work on Linux break on mobile for some reason.
| Codecs (for image, video, and audio) seem to vary wildly
| between platforms too.
|
| I'm sure Apple could take Gnome Web and turn it into a
| cross-platform Safari browser if they wanted to, but so far
| they haven't (and probably don't want to).
| szundi wrote:
| Generally Apple introduces features they think people want to
| use. So enabling anything that takes away networked features
| will hurt the user experience in practice. So... people won't
| do that.
|
| I would rather be interested in ways to detect these software
| phoning home on my home wifi with my firewall - for now. I
| might change this stance any moment in the future heh.
| nwellinghoff wrote:
| Why are more people not saying this? At the end of the day
| malware is only useful if it can send information out. So its
| by nature, totally detectable.
| fragmede wrote:
| Ransomware, a type of malware, just needs to encrypt your
| files so you can't access it, no network access required.
| totally detectable after the fact, but by that time it's
| too late.
| dagmx wrote:
| How would you inspect mobile data when not on your own
| wifi?
|
| How would you inspect it if it was piggybacking of a
| trusted but compromised endpoint? What if the data
| exfiltration doesn't use a networking protocol you can
| monitor at all, like Bluetooth beacon transmitting?
|
| The answer to almost any "why are people not saying this"
| is because it's usually not that simple.
| nwellinghoff wrote:
| 1) Software defined radio. You basically hook up a IMSI
| backed by a internet connection.
|
| 2) That is a good example. Much harder to execute. I
| would argue in that case that everything is totally
| compromised. But if the hardware vendors provided a low
| level interface where one could read and write firmware
| etc. directly. One could do simple binary comparison
| analysis.
|
| The point still stands. Figuring out what malware is
| doing is hard. Detecting that there is something in your
| system that wasn't there before shouldn't be hard. If the
| hardware vendors wanted to provide low level mechanisms
| to make the process easier. Its totally in the realm of
| the possible.
|
| E.g. the main responder to this thread makes it seem like
| a impossible task even for dedicated security defense
| groups. But with just two mechanisms 1) network analysis
| 2) low level ability to read and write
| firmware/persistent storage. Its totally possible and
| straightforward.
| dagmx wrote:
| And you're suggesting that these are things a normal
| person can setup themselves and regularly use?
| pxmpxm wrote:
| > might just help prevent getting you popped by this sort of
| crap
|
| The ratio of people that actually need this mode to people
| publicly advocating for it approaches zero very quickly. I'm
| quite sure no state actor will spend $7 figure 0days to get my
| cat photos.
| Syonyk wrote:
| My concern isn't so much the high cost super-secret 0-days,
| as the "about to be useless" 0-days (1-days?) that have just
| been patched, but the patches are still rolling out to
| people.
|
| Also, for _most_ people, it 's not the cat photos on their
| phone that are of value. It's the banking credentials,
| business login 2FA keys, crypto 2FA, email (which allows, for
| almost all accounts, a password reset), etc.
| nxobject wrote:
| I agree with that: sadly, the most pressing security risk
| to any consumer isn't on my devices, but online services
| being breached (or disclosing) private information
| including passwords! Over the last years I've gotten data
| breach notifications from Equifax, AT&T, Ticketmaster, and
| United Healthcare (via Change.) I think the average
| informed tech user will benefit more from training (and
| reminders!) to keep your online information private than,
| say, telling them to avoid previewing complex file formats.
| amatecha wrote:
| The last time I was looking at the documentation page for
| lockdown mode all I could think was "this is how the phones
| should be by default"
| saagarjha wrote:
| This is a good overview of the public commercial spyware
| landscape on iOS over the years, including attributions to
| several of the high profile players in this space. Unfortunately,
| the rest of the talk is a little depressing. You'll note that I
| have been using words like "public" and "high profile". Despite
| these cases coming to light, the actual market is far broader
| than what was discussed here. Some of the exploits presented were
| not able to be conclusively tied to a specific entity or
| operator. Many attacks go entirely undetected.
|
| The efforts in this space by defensive organizations are
| laudable, but very, very immature. There's this meme that has
| crossed over into the software space of the planes the come back
| with a lot of holes in them, indicating the regions where extra
| armor plating is actually the least important. The commercial
| spyware industry is a lot like that. Those stories you see of
| people finding exploits via crash logs and iOS databases? That's
| the lowest hanging fruit. People who know what they are doing are
| not leaving traces there. And pretty soon those who don't will
| stop dropping things there too. It's really, really important to
| understand that the detections well that these people are sipping
| from will dry up very soon. The proposed solutions from the talk
| are not nearly enough to help. Some of the things they're asking
| for (process lists, for example) are _already_ exposed, but we
| 're currently in the Stone Age of iPhone forensics on the
| defensive side. Those on offense, who are incentivized by money
| but also now by necessity, will far outstrip any attempts to
| catch them after-the-fact :(
| ignoramous wrote:
| Thanks.
|
| > _...we 're currently in the Stone Age of iPhone forensics on
| the defensive side._
|
| Since I've seen your comments show a pretty good understanding
| of AOSP/Android, what's your take on its posture against CSVs?
| Especially given that Google has been pursuing both legal [0] &
| technical defenses (at every level of the software stack)
| against them quite actively.
|
| [0] Ex: https://www.centerforcybersecuritypolicy.org/hacking-
| policy-...
| pxeger1 wrote:
| What does CSV mean?
| saagarjha wrote:
| Commercial Spyware Vendor
| technol0gic wrote:
| Comma Separated Values...theyre hyperspamming it with
| spreadsheets
| saagarjha wrote:
| I don't know much about the legal stuff you linked but I am
| generally supportive of most of the things Google is doing to
| harden Android against CSVs. If you have specific mitigations
| or policies you were thinking of I can tell you what I think
| of those (not all of them are necessarily positive) but on
| the whole the OS has been getting more difficult to hack and
| I view this as a good thing.
| faramarz wrote:
| That's an interesting comment.
|
| I have a sidebar question for you: what phone do you use if you
| are comfortable sharing.
|
| I'm wondering if you are bias towards the walled garden of
| apple with its perceived security or android or some other.
| jimmySixDOF wrote:
| the suggestion is whatever you do use it should involve a
| presumption of compromise as the default posture
| saagarjha wrote:
| I don't think this is a useful model to have, because it's
| too simple and not actionable. Who is compromising you?
| What is their cost to doing so? What level of compromise
| can they achieve? If you just go "you are always hacked"
| what is your suggestion? That I never touch a computer ever
| again?
| dmbche wrote:
| That you treat the computer as compromised.
|
| You need to calculate something? Great, do that.
|
| You need to encrypt files, and keep them on your device
| which is connected to the internet, and want to trust
| that you are the only person that can access them? Think
| twice. Can be considered trivial for many attackers to
| have full access to your device, and assume ring 0
| access. They could realistically record all keypresses
| and your screen, no need to decrypt anything.
|
| Need to hide things from state actors? Never touch a
| computer again and go live in a cave somewhere until they
| find you.
| SirHumphrey wrote:
| > Need to hide things from state actors? Never touch a
| computer again and go live in a cave somewhere until they
| find you.
|
| I always found this kind of thinking to be a bit
| unhelpful. Because what is an alternative? Paper? Hope
| you don't live in jurisdiction of the country because
| search warrant is not a difficult thing to get and even
| an illegal search is not that hard (even outside of the
| country).
|
| As with everything - people in IT and IT security vastly
| underestimate the security of IT infrastructure while
| overestimating the security of non-IT infrastructure. IMO
| the use of computers makes you much more vulnerable to
| broad "we monitor the members public for signs of
| terrorism" kind of spying, rather than specific targeted
| state actor attacks - as was shown recently with the
| whole pager fiasco - there are many others non IT
| vulnerabilities around.
| dmbche wrote:
| It might have not been that clear, but the "until they
| find you" in my original comment is worded that way
| because it's a question of time rather than probability -
| they're gonna get you. You can try to make it harder
| (going in a cave, not touching computers) but,
| realistically, you're getting caught - if not through IT,
| through things like the pager attack.
|
| Most people are not worried about state actors having an
| interest in them, my comment was aiming to clarify that
| as well.
| impossiblefork wrote:
| It is actionable. It means you don't use the phone for
| anything important-- effectively, that you accept that it
| is useless and that you should use other means of
| communication.
| saagarjha wrote:
| I use an iPhone, but that's really more because of personal
| preference than any particular security posture. I'm not a
| particularly attractive target for commercial spyware: I'm a
| guy who likes to post things on the internet, rather than
| someone with genuine value. I don't interact with and am not
| in the business of handling exploits. There's not really any
| reason why you'd want to pick through the details of my
| private life or silence me. It would be pretty dumb to target
| me with an exploit, especially considering that I would be
| more likely than most to find it and burn it. If you have
| that kind of money to waste, I can think of a lot better ways
| to spend it than getting my chat messages.
|
| From your question I am guessing that this is a disappointing
| answer, since you probably wanted me to point to a specific
| phone and an explanation of why I think it is better. But any
| honest security professional is incapable of giving you a
| simple answer. I have a beat-up iPhone 13 mini because I like
| small phones and Apple is unlikely to make a new one soon. I
| have Lockdown Mode off because it would make my life more
| annoying than it needs to be. My threat model does not
| include sophisticated attackers that would be thwarted by
| security mitigations present in a new device or paranoid
| software. Should it be in yours? Well, I can try to help you
| answer that question. But for these attacks the problem is
| that 99.99% of people will never be targeted by them. But
| it's not very easy to tell if you're part of the 0.01% (these
| are made up numbers, btw). There are a lot of things you can
| do that can make you more or less attractive-for example, if
| you're a journalist, or a political activist, you might be
| more concerned. But what if your cousin you're close to is
| actually a VP at Google? More difficult to say. If you
| connect all the dots you can build all sorts of models where
| you should turn this on, regardless of who you are. But the
| fact is that security is not free and they almost always come
| with some sort of tradeoff against usability or cost. You
| could be mowed down on the street by an assassin tomorrow but
| that is generally a bad reason to never leave your house or
| walk everywhere in a kevlar vest.
|
| My general advice for people, taking into account
| practicality and ease of implementation, is to go with a
| fairly modern phone of their pick that gets regular security
| updates, so they're not the subject of much lower-cost
| attacks that reuse patched vulnerabilities. I know a lot of
| the people who work on security at Apple and they're smart
| people who really care about making things that are good.
| Whether the walled garden accounts for that, or even if I
| think they always make the right choices...well, I have
| Opinions on that but that's for another day. They certainly
| make mistakes, but they also do good work. If you look at
| Android you'll see similar, with it pulling ahead in some
| areas and being behind in others. I've done a lot of research
| on Apple's security story and worked on Android's but I can
| only really rank them on specific facets rather than as a
| whole. Really I would say, pick up an iPhone or Pixel, be
| careful about things that are far more likely to hurt you
| (like, say, phishing), and otherwise just keep a pulse on
| this area if it interests you. Otherwise I think you have
| more than enough in your life to worry about.
| newuser2022 wrote:
| Considering security updates, do you think iOS has
| advantage in speed? Apple's usually to roll out security
| updates to all supported iPhones --often for five or six
| years-- nearly instantly, including critical zero-day
| fixes, which can be deployed overnight. In comparison,
| while Pixel devices get immediate updates(but it's only
| available in a handful of countries), Android devices from
| other manufacturers depend on their update schedules, which
| can be slow and inconsistent and often ends after about
| three or four years. Even with top players like Samsung,
| there are week delays, especially for non-flagship or older
| models. In your view, does the pace and longevity of
| Apple's security updates tip the balance in their favor, or
| am I just being biased?
| saagarjha wrote:
| Yes, absolutely (though Apple does not actually ship
| anything overnight). In fact when I worked on Android one
| of the frustrations I ran into was the slow pace to roll
| out security improvements. While Pixel phones get fixes
| quickly enough the majority of the world is not actually
| on Pixel devices, so if you want to ship changes you need
| to get OEMs on board, and then also have users on devices
| that are still being supported. A lot of the people we
| covered would simply not get any improvements until they
| _literally bought a new device_ , in areas of the world
| with some of the longest lifecycles for those devices.
| prirun wrote:
| I switched from Android to iOS because Google forced
| updates to my phone somehow, even though I had internet
| access disabled. I only used it as a phone: no email, web
| browsing, etc. My phone (Blu R2) was a few years old, and
| after the update, all kinds of stuff was broken. For
| example, zooming a picture would cause the messaging app
| to crash. So once that update was installed, I had to
| enable updates continuously to try to get back to a
| working phone. But instead, things just kept getting
| worse. I gave up and bought an iPhone XR on eBay for half
| retail price.
|
| Most HN folks think diversity is a good thing, and I'm
| not saying it isn't, but it does have its disadvantages.
| In my case, I could probably buy new Android phones at
| least 3x more often than iPhones based on cost, but a lot
| of people (me) don't want to be fiddling with new phones
| every year or 2. It was apparent to me that Android
| updates are not tested thoroughly on older phones. I
| understand that would be hard because there is a huge
| variety of hardware, but it's a significant downside of
| Android IMO.
| cookiengineer wrote:
| I am currently trying to combine my EDR agent that I wrote over
| the last 2 years for POSIX systems in Go + eBPF and the
| Hypathia project [1] which actually was very promising but is
| now inactive because the author gave up.
|
| So far the approach still seems promising, but I would need
| more devs to help me as I'm contributing in my free time and I
| won't accept funding for my cyber security related projects,
| ever.
|
| Would be nice if some other folks feel the same way as you and
| we can revive the Hypathia project to be better in the sense of
| eBPF process analysis, in-memory modification detection, and
| network analysis via XDP.
|
| [1] https://github.com/Divested-Mobile/Hypatia
| saagarjha wrote:
| I don't have the time, sorry. Too much on my plate! But I
| (and I apologize in advance for this) can tell you that one
| of the reasons why I would not have that much time for this
| is that I don't think it is fundamentally interesting in the
| face of a sophisticated adversary. Scanning files and memory
| or whatever is largely irrelevant in the age of exploits that
| completely compromise the device, all the way to a privilege
| level higher than where the actual scanner operates.
| Signatures fall apart if it is very cheap to evade them (and
| it is, with trivial modifications to payloads). Typical
| approaches to catching malware do not apply to zero-day
| attacks. They may sometimes work but my point in the comment
| above was to point out that this is just luck rather than a
| sustainable practice. Someone who knows you are looking for
| them can hide and lie far harder than you can possibly
| imagine. And if they've broken the system, they can use those
| very protections that were supposed to keep them out to
| prevent you from going after them. Kind of like how a castle
| is designed to prevent people from storming it, up until they
| actually sneak in and all those defensive measures stop you
| from retaking it ;)
| cookiengineer wrote:
| But the issues you're describing are literally where the
| eBPF kernel module chimes in and what the process analysis
| is about, no?
|
| You can detect a lot of malicious behaviour this way, where
| programs and processes deviate from their usual behaviour;
| e.g. trying to access files they're not supposed to.
| saagarjha wrote:
| Someone with a kernel-level exploit can completely neuter
| your eBPF detection. They can make it never return data,
| or return bogus/benign data. You can try to catch them in
| that lie, but it's really hard, and even if you do they
| can just stop your process from being able to report on
| it. Again, a real-life analogy might help: it is really,
| really hard to protect yourself against a criminal who
| has the cops on their side. You're definitely not going
| to be allowed to go into the crime scene yourself, so you
| have to trust what they're telling you. All your
| complaints are going through them. If a dirty cop doesn't
| like you your life can get a whole lot worse!
| cookiengineer wrote:
| The point of eBPF is that eBPF receives and processes
| data _before_ the kernel does.
| stefan_ wrote:
| Thats just not true? Your eBPF programs run in a VM in
| the kernel, occasionally JITed, but of course the kernel
| is free to feed them whatever data it wants.
| cookiengineer wrote:
| Where does your hypothesis come from? Any architecture
| chart will point out that XDP will be processed before
| all other network modules. If XDP is not offloaded, the
| driver will always process the XDP hooks before the rest
| of the network stack is called.
|
| In your assumed concept, how else would offloading to a
| NIC that does not run a kernel work?
| h4ck_th3_pl4n3t wrote:
| I think there is a misunderstanding of the two
| perspectives.
|
| Grandparent's assumption is that the kernel is
| compromised.
|
| Your assumption is that you can detect malicious
| behaviour before it happens (and before the kernel is
| compromised).
| tptacek wrote:
| XDP receives packets before the network stack does, but
| not before the kernel; in almost all cases, it's just a
| hook to process packets off the DMA buffer. None of this
| matters; the kernel controls XDP; not only that, but
| there's nothing an XDP program can do without
| rendezvousing back through the kernel.
| saagarjha wrote:
| That's not really the case. The kernel-much like a police
| force-is not a monolithic entity, there are various parts
| of the kernel that get information before others. eBPF
| does let you "hook" various parts of the kernel, so that
| you can get an "exec" event from before the exec actually
| happens (you can't stop it, though, so even this is
| somewhat dubious). But someone in the kernel can
| intercept the hook itself, or uninstall it completely. In
| the police analogy even if you have a friend in the force
| that you know is good, _they are still part of the
| police_. Even if the first thing they do when they get
| information is share it with you, there 's no guarantee
| the dirty cop isn't sitting in the mail room ready to
| shred things before they get it.
| momento wrote:
| The "meme" you refer to is simply survivorship bias:
| https://en.wikipedia.org/wiki/Survivorship_bias
| saagarjha wrote:
| Yep. The plane image itself (in the article) is a common meme
| though
| sylware wrote:
| I can see kiddies in my logs, but the real ones, they are
| already here and watching.
|
| Nowadays, presuming anything else is unreasonable, unless you
| want to scam somebody into buying a 'security product'.
| saagarjha wrote:
| I don't actually think this is true; I just think that
| waiting for nation-states to show up in your logs is the
| wrong way to go about it.
| sylware wrote:
| There is no 'security product': you must engage in the
| permanent tracking of security flaw and intrusion: do
| heavily trap your kernel/applications, do man-in-the-middle
| traffic analysis between known traffic and unknown traffic,
| do not trust off-the-self crypto, etc.
|
| But the basics are not even here: you should not use any
| compiler, all critical pieces of software should be
| assembly written with very lean SDK (aka extremely stable
| machine code), namely without the abuse of macro-
| preprocessor.
|
| Everything else is just posture.
| saagarjha wrote:
| I strongly disagree with this assessment
| Hilift wrote:
| What you describe is the artifact of an ecosystem where the
| consumer is a second class citizen. These exploits don't work
| on a desktop or notebook precisely due to that ecosystem is
| obtuse and pretty much the opposite of an extensible platform.
| saagarjha wrote:
| These exploits work perfectly well on those platforms. The
| reason you hear about people targeting them less is that they
| are easier to target with less sophisticated attacks and also
| not as valuable to attackers. In the cases they are your
| Android "root" exploit becomes a Linux LPE super fast.
| jacooper wrote:
| I think the difference is desktop systems are way more
| transparent about what's going on in the OS compared mobile
| OS's which behave closer to a blackbox.
| dagmx wrote:
| Are you seriously saying there aren't exploits on non mobile
| platforms?
|
| The platforms that have famously had many significant
| exploits over the years, and are the cause of many major data
| exfiltration operations?
|
| Are you pretending that viruses and worms don't exist? Why
| does forwarding through we have things like windows defender
| or anti viruses then?
| meisel wrote:
| Do you expect that Apple's bigger security initiatives, like
| pointer authentication and writing the OS in a memory safe
| language, will improve the situation?
| tptacek wrote:
| All these things increase attacker costs. In the current
| landscape, increasing attacker costs has the effect of
| shaking out some of the lower-rent players in the market,
| which may put some targets out of reach of lower-caliber
| threat actors.
|
| The problem you have over the medium term is that CNE is
| incredibly cost-effective, so much so that you need something
| like multiple-order-of-magnitude cost increases to materially
| change how often it's applied. The alternative to CNE is
| human intelligence; it competes with literal truck rolls. You
| can make exploits cost 10x as much and you're not even
| scraping the costs just in employee benefits for an alternate
| intelligence program.
|
| What that means is, unless you can foreclose on exploitation
| altogether, it's unlikely that you're going to disrupt the
| CNE supply chain for high-caliber state-level threat actors.
| Today, SOTA CNE stacks are probably available to the top
| IC/security agencies+ of all of the top 100 GNP countries. It
| probably makes sense to think about countermeasures in terms
| of changing that to, like, the top 75 or 50 or something.
|
| I think we tend to overestimate how expensive it is for
| adversarial vendors to keep up with countermeasures. It's
| difficult at first, but everything is difficult at first; I
| vividly remember 20-30 extraordinarily smart people
| struggling back in 1995 to get a proof-of-concept x86 stack
| overflow working, and when I first saw a sneak preview of ROP
| exploitation I didn't really even believe it was plausible.
| As a general rule of thumb I think that by the time you've
| heard about an exploitation technique, it's broadly
| integrated into the toolchains of most CNE vendors.
|
| Further, remember that the exploit development techniques and
| people you've heard about are just the tip of the iceberg;
| you're mostly just hearing about work done by people who
| speak fluent English.
|
| + _Reminder that customers for CNE vendors usually include
| many different agencies, invoiced separately, in the same
| governments._
| mu53 wrote:
| People really underestimate the damage these tools are doing to
| society.
|
| Who can afford these tools? What lengths have people gone to
| earn/keep large sums of money? What problems are society going
| through right now?
|
| Its just stealing your data, which doesn't seem bad. But now,
| someone who probably doesn't like you has your location, habits,
| friends, future events. There are so many things that these
| people can do to interrupt the lives of journalists, activists,
| and just regular people with stalkers, and all of those things
| are covert because "How is your ex-girlfriend's friend supposed
| to know you made a bumble profile 2 days ago, find it, and match
| with you?"
| alecco wrote:
| > People really underestimate the damage these tools are doing
| to society.
|
| Even when heads of state are being extorted. Morocco used it
| against France and Spain. It fizzled out of the news cycle and
| nothing happened. And those countries later announced multi-
| billion Euro investments in Morocco. If anything, this is a
| signal hiring Pegasus is very profitable and they can do
| whatever they want.
|
| https://en.wikipedia.org/wiki/Pegasus_(spyware)#By_country
| tptacek wrote:
| Who can afford these tools? The IC and security agencies of
| every country in the world with a GNI greater than, say,
| Bahrain+. So: probably like 300-500 different global threat
| actors (countries like the US have dozens of capable agencies;
| I assume Bahrain has 1-2).
|
| + _I picked Bahrain because they 're the smallest country we
| know for a fact has been a customer of multiple CNE vendors,
| but that probably means Bahrain plus the next 20-30 countries
| down the list._
| r9295 wrote:
| An idea I that I considered implementing was to instrument parser
| libraries (png/pdf etc) with address sanitizer (for
| iMessage/Chrome/Webkit) and run the instrumented version for 5%
| of all parsing operations. If we get enough people to use this,
| exploits may be easier to discover?
| saagarjha wrote:
| Google and Apple already do this to some extent:
| https://arxiv.org/html/2311.09394v2/#S5
| amelius wrote:
| Question: my colleague has a Mac with a Timemachine and thinks he
| is safe for ransomware. Is that, in a practical sense, true?
| jaktet wrote:
| I don't know about timemachine but I have some anecdotal
| experience with Dropbox and ransomware. Essentially one
| person's computer was infected which encrypted all the files
| for everyone in Dropbox. Because Dropbox had versioning on the
| files I was able to restore all the files back to the point
| before they were encrypted after removing and wiping the
| infected machines.
|
| So if timemachine has versioning then maybe then you probably
| have some options, I'm not sure I'd call this being "safe" from
| ransomware.
| monai wrote:
| Absolutely not. Time Machine is just a SAMBA share with a nice
| UI on the client side. If the backup directory gets encrypted,
| all the versions of your files will also be encrypted.
| amelius wrote:
| There is a different opinion here:
|
| https://discussions.apple.com/thread/8282686
|
| Not sure what to make of it.
|
| Is it possible to reach the server side of the Time Machine
| from the Mac itself? Has such a breach been demonstrated?
| kstrauser wrote:
| My Time Machine server doesn't run an Apple OS. Someone
| would have to compromise my laptop and then pivot to
| separately attack my NAS. A state level actor could
| probably do that. The people running spray-and-pray
| ransomware ops almost surely couldn't, or at least wouldn't
| bother.
| amelius wrote:
| Afaik, my colleague has a setup with regular Apple
| hardware and software.
| daghamm wrote:
| According to Darknet Diaries there are gangs that focus
| on backup server first, because with backups in place
| ransomware is not as effective. There are examples of
| backup software companies being compromised to get to
| their clients.
|
| This is for attacks against bug companies. But maybe it's
| just a matter of time before "ordinary" ransomware is
| updated with destroy-backups function.
| VagabundoP wrote:
| The only way this is going to change would be state/megastate
| level action.
|
| Make selling/using these attacks against government or other
| users a terrorist level event. Go after the heads of NSO and
| their like.
|
| I'd say at that point the companies would be absorbed into the
| national intelligence infrastructure of the host county and cease
| to be independent entities who can be bought for the highest
| bidder. And I know NSO is basically like that now, but
|
| I'd love to see some criminal sanctions for things that their
| software has been used for stick.
| max_ wrote:
| These goons that deal in the spy ware market are actually under
| the auspices of state.
|
| The state is rotten to the core.
|
| I don't even blame them. The real problem is the lack of
| philosophy and ethical standards in the tech industry.
|
| Computer Technology is so shallow. Apple for example talks
| about being a proponent of privacy and at the same time the M1
| Computers have built-in terrible spyware that cannot be removed
| (Apple made sure of this).
|
| Every time I talk about this I am labelled as paranoid or
| sometimes "stupid". Alot of people simply rationalize this
| built in spying as "good".
|
| The bitter truth is that we made our bed. Now we have to sleep
| in it.
| Infernal wrote:
| "M1 Computers have built-in terrible spyware that cannot be
| removed (Apple made sure of this)."
|
| Can you say more about this?
| max_ wrote:
| https://sneak.berlin/20201112/your-computer-isnt-yours/
| pxmpxm wrote:
| Is there a non-schizophrenic version of this article?
| Nearly impossible to read.
| talldayo wrote:
| It's hardly schizophrenic, unless you're suffering from
| the cognitive dissonance of assuming Apple cares about
| privacy.
|
| But sure, here's a version written by a well-known Apple
| toady explaining in-detail why this is bad and criticism
| is warranted: https://eclecticlight.co/2021/08/12/is-
| apple-keeping-its-pro...
| mcculley wrote:
| What makes Howard Oakley a "toady"?
| talldayo wrote:
| What makes Sneak a "schizophrenic"?
| mcculley wrote:
| I did not claim anything about sneak. I think pxmpxm was
| trying to say something about the typography or layout of
| sneak's article, not something about sneak.
|
| Does Oakley writing about Apple products make him an
| "Apple toady" in your opinion? Or is there something he
| has written that is apologetic of Apple's behavior? I am
| asking a genuine question here. If you have no serious
| answer, that is understandable. I may have misinterpreted
| your words to be serious.
| TheJoeMan wrote:
| Perhaps it's time to establish an actual Professional
| Engineer board for "software engineers". This could start
| with the most safety critical systems, embedded life support
| code, etc. You then get the other engineering codes/standards
| to require board-certified programmers for these "critical"
| systems, and that drives the wedge of larger companies being
| "forced" to hire engineers who are bound to an ethical
| discipline. They then would have grounds to stand on for
| pushing back on shady systems.
| tptacek wrote:
| And this is going to do exactly what to suppress CNE
| vendors? You don't even know who they are, and many of them
| operate entirely in jurisdictions that won't care even a
| tiny bit about professional licensure.
| tptacek wrote:
| Virtually every state in the world is a customer of a firm that
| sells exploit chains and implant stacks, so, no, this isn't
| going to happen.
| VagabundoP wrote:
| Yeah we're not going to stop the state level intelligence
| services from using these. I'm more concerned about locking
| out and crimilising the non-state actors and holding the
| companies libel for their actions.
|
| I think there could be some movement here, but there is
| certainly a level of protection that national governments are
| doing for these companies because they want their services.
| Hilift wrote:
| "...but as you can see, there is not a single mitigation that
| Apple implemented to detect commercial spyware samples on the
| device"
| omegacharlie wrote:
| Considering iOS devices are locked down to hell and back and
| achieving reboot persistence is extremely difficult, how hard is
| it to extract a sample of a malware payload in memory for purpose
| of forensics?
| saagarjha wrote:
| Quite difficult on production devices
| bflesch wrote:
| AFAIk it's extremely difficult. Even white-hat iOS forensics
| revolves around (ab)using old exploits in unpatched iPhones in
| order to access data.
| 1oooqooq wrote:
| fun fact: on Android, limiting 2G is a premium feature.
|
| buy top of the line android like pixel pro: there's a huge toggle
| switch "allow 2G".
|
| buy a middle or lower end device, no matter from Samsung,
| Motorola, etc... and for some inexplicable (heh) reason all
| companies decided that paying an engineer to apply a patch to
| remove that toggle from stock android was a solid investment
| :ponderingfaceemoji
|
| you can still disable it with the very user friendly
| *#*#4636#*#*
|
| and then picking any radio preference list that excludes gsm.
| (edit: hn swallows asterisks)
| ugjka wrote:
| nothing happens on my Samsung with that code
___________________________________________________________________
(page generated 2024-12-30 23:01 UTC)