Here we go again: Another example of government surveillance involving smartphones from Apple and Google has emerged, showing just how sophisticated government-backed attacks can be and why keeping mobile platforms completely locked down is warranted.
What happened?
I do not intend to expand too much on the news, but in summary it is the following:
- The Google Threat Analysis Group released information revealing the hack.
- Italian surveillance company RCS Labs created the attack.
- The attack has been used in Italy and Kazakhstan, and possibly elsewhere.
- Some generations of attacks are carried out with the help of ISPs.
- On iOS, attackers abused Apple's enterprise certification tools that allow internal deployment of apps.
- About nine different attacks were used.
The attack works like this: the target receives a unique link that is intended to trick them into downloading and installing a malicious app. In some cases, the spies worked with an ISP to disable data connectivity and trick targets into downloading the app and regaining that connection.
The zero-day exploits used in these attacks have been patched by Apple. It previously warned that bad actors were abusing its systems, allowing companies to distribute apps internally. The revelations tie into recent news from Lookout Labs about enterprise-grade Android spyware called Hermit.
What is at risk?
The problem here is that surveillance technologies like these have been commercialized. This means that capabilities that were historically only available to governments are also being used by private contractors. And that presents a risk, because highly sensitive tools can be exposed, exploited, reverse-engineered, and abused.
As Google put it: “Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically used only by governments with the technical expertise to develop and run exploits. This makes the Internet less secure and threatens the trust that users depend on.
Not only that, but these private surveillance companies allow dangerous hacking tools to proliferate, while putting these high-tech espionage facilities at the disposal of governments, some of whom seem to enjoy spying on dissidents, journalists, political opponents and human rights defenders.
An even bigger danger is that Google is already tracking at least 30 spyware makers, suggesting that the commercial surveillance-as-a-service industry is robust. It also means that it is now theoretically possible for even the least credible government to access tools for such purposes, and since many of the identified threats use exploits identified by cybercriminals, it stands to reason that this is another source of revenue fueling malicious attacks. Search.
What are the risks?
The problem: These seemingly close ties between private surveillance providers and cybercrime don't always work the same way. These exploits, at least some of which seem difficult enough to discover that only governments have the resources to do, will eventually leak.
And while Apple, Google and everyone else remain committed to playing a game of cat and mouse to prevent these types of crimes, shutting down exploits where they can, the risk is that any backdoor or government-mandated breach of device security eventually infiltrates the commercial. markets, from where it will reach criminals.
The European data protection regulator has warned: "The disclosures made about the Pegasus spyware have raised very serious questions about the possible impact of modern spyware tools on fundamental rights, and in particular on the rights to privacy and data protection".
That's not to say there aren't legitimate reasons for security research. Flaws exist in any system, and we need people to be motivated to identify them; Security updates would not exist at all without the efforts of security researchers of all kinds. Apple pays up to six figures to researchers who identify vulnerabilities in its systems.
What happens next?
The EU data protection supervisor called for a ban on the use of NSO Group's infamous Pegasus software earlier this year. In fact, the call went further, directly seeking a "ban on the development and deployment of Pegasus-capable spyware."
The NSO Group is now apparently up for sale.
The EU also said that in the event such exploits are used in exceptional situations, such use would require companies like NSO to submit to regulatory oversight. As part of this, they must respect EU law, judicial review, criminal procedural rights and agree not to import illegal intelligence, politically abuse national security and support civil society.
In other words, these companies must be brought to heel.
what you can do
Following last year's NSO Group disclosures, Apple released the following best practice recommendations to help mitigate these risks.
- Update devices with the latest software, including the latest security patches.
- Protect devices with a password.
- Use two-factor authentication and a strong password for the Apple ID.
- Install apps from the App Store.
- Use strong and unique passwords online.
- Do not click on links or attachments from unknown senders.
Follow me on Twitter or join me at AppleHolic's bar & grill and Apple discussion groups on MeWe.
Copyright © 2022 IDG Communications, Inc.