Government Hackers Targeted iPhones Owners With Zero-Days, Google Says (techcrunch.com) 11
Government hackers last year exploited three unknown vulnerabilities in Apple's iPhone operating system to target victims with spyware developed by a European startup, according to Google. TechCrunch: On Tuesday, Google's Threat Analysis Group, the company's team that investigates nation-backed hacking, published a report analyzing several government campaigns conducted with hacking tools developed by several spyware and exploit sellers, including Barcelona-based startup Variston. In one of the campaigns, according to Google, government hackers took advantage of three iPhone "zero-days," which are vulnerabilities not known to Apple at the time they were exploited. In this case, the hacking tools were developed by Variston, a surveillance and hacking technology startup whose malware has already been analyzed twice by Google in 2022 and 2023.
Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target's phone with spyware, and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. Google did not say who was Variston's government customer in this case.
Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target's phone with spyware, and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. Google did not say who was Variston's government customer in this case.
Like autorun.inf days (Score:4)
Seriously who at apple thought it would be a good idea to have their default and only allowed messenger app literally open the attachments on behalf of the user without any interaction required? Who needs to throw a USB drive over the fence when Apple will just go plug it in for you anyways?
Re:Like autorun.inf days (Score:4, Interesting)
Seriously who at apple thought it would be a good idea to have their default and only allowed messenger app literally open the attachments on behalf of the user without any interaction required? Who needs to throw a USB drive over the fence when Apple will just go plug it in for you anyways?
That's not quite accurate. As the summary and article notes, the text contained a link. Simple URL, not an attachment. It was taking advantage of flaws in the link-preview functionality to achieve a remote exploit, basically breaking out of the WebKit browser sandbox. Android has suffered from such flaws as well--indeed, a lot of apps in general (Discord, Slack, etc.) have had link-preview exploits. So, iOS Messages was not executing just any random "attachment" or binary sent via text. Apple's not quite THAT dumb.
Nonetheless, there IS stupidity to be pointed out, since such flaws can be easily mitigated simply by turning off link previews (I personally loathe link previews in any application and disable them wherever possible). Sure, it doesn't fix the underlying bug, and if the user actually visits the link, they can still be exploited. But at least when link previews are turned off, the exploit is not automatic, and requires user interaction. You know, don't click on links from unknown senders, that sort of thing.
So how do you turn off link previews in iOS? You don't, not anymore. You used to be able to, of course. iOS had that option for YEARS, but for some idiotic reason Apple decided to remove it in 2022 (may've been late 2021). Yes, that recently. After numerous link-preview exploits in iOS and Android and all sorts of apps, Apple thought it somehow a good idea to remove the (again, already existing) option to turn this functionality off.
There is still one way left, the new "Lockdown Mode", but that turns off a whole host of things a user might otherwise want. Why Apple stripped the simple preview on/off option out when iOS had had it for so long, is a goddamn mystery.
Re: Like autorun.inf days (Score:4, Informative)
So, iOS Messages was not executing just any random "attachment" or binary sent via text. Apple's not quite THAT dumb.
Perhaps not this particular exploit, but they really do that. What's worse, is they do it with what is perhaps the most well known attack vector: PDFs. This was even going on for four years and only discovered a few months ago.
https://9to5mac.com/2023/12/27... [9to5mac.com]
The PDF itself loaded a true type font, which itself had an exploit to an apple specific weakness that has apparently existed for decades. No user interaction required. IIRC PNG was also similarly exploited in imessage once so this really isn't something Apple simply failed to consider it made an oversight on, they know about it and they don't seem bothered by it.
This is akin to having an email client that just opens all of your attachments for you. AND it always runs, AND you can't turn it off.
On a tangent: Props to Microsoft for rewriting their font engine in rust. Sure the "rewrite is better" argument applies, but font parsing is notoriously error prone. Add memory errors on top of it, and as history has shown, you've got an exploit just waiting to happen.
Re: (Score:3)
Seriously who at apple thought it would be a good idea to have their default and only allowed messenger app literally open the attachments on behalf of the user without any interaction required? Who needs to throw a USB drive over the fence when Apple will just go plug it in for you anyways?
That's not quite accurate. As the summary and article notes, the text contained a link. Simple URL, not an attachment. It was taking advantage of flaws in the link-preview functionality to achieve a remote exploit, basically breaking out of the WebKit browser sandbox. Android has suffered from such flaws as well--indeed, a lot of apps in general (Discord, Slack, etc.) have had link-preview exploits. So, iOS Messages was not executing just any random "attachment" or binary sent via text. Apple's not quite THAT dumb.
Nonetheless, there IS stupidity to be pointed out, since such flaws can be easily mitigated simply by turning off link previews (I personally loathe link previews in any application and disable them wherever possible). Sure, it doesn't fix the underlying bug, and if the user actually visits the link, they can still be exploited. But at least when link previews are turned off, the exploit is not automatic, and requires user interaction. You know, don't click on links from unknown senders, that sort of thing.
So how do you turn off link previews in iOS? You don't, not anymore. You used to be able to, of course. iOS had that option for YEARS, but for some idiotic reason Apple decided to remove it in 2022 (may've been late 2021). Yes, that recently. After numerous link-preview exploits in iOS and Android and all sorts of apps, Apple thought it somehow a good idea to remove the (again, already existing) option to turn this functionality off.
There is still one way left, the new "Lockdown Mode", but that turns off a whole host of things a user might otherwise want. Why Apple stripped the simple preview on/off option out when iOS had had it for so long, is a goddamn mystery.
I'm not saying in-line media previews are a placeholder for future integrated advertising or "engagement", but, well...
In the past 5 years whenever a piece of technology changes in a seemingly dumb way - or changes at all, really - "follow the money" comes down to "How will this create a new user interaction layer or change an existing operating-expectation to habituate users to looking at or clicking on [thing], and how might [thing] be monetized with sponsored content or behavioral-data slurping in the fu
This summarizes the problem (Score:2)
Google did not say who was Variston's government customer in this case.
It must be a gov't that Google doesn't want to piss off. I have China in the pool.
Re: (Score:1)
Re: This summarizes the problem (Score:4, Insightful)
The Chinese government is kind of notorious for tracking Chinese citizens abroad. I'd be curious if this was yet another case of that.