65 comments

[ 1.5 ms ] story [ 125 ms ] thread
It's 2023, and iPhones are still being hacked with the same broken serialization functions that have been breaking iMessage for literal years. This is Apple apps/services, they continue making these mistakes in new code. People are being persecuted with this, is no one there accountable?
Sometimes I wonder if it’s by design. Israel relies on penetrating everything from iPhones to social media accounts to crush Palestinian resistance and to maintain the authority of the PLO in the west bank by helping it suppress its dissenters. That wouldn’t work if social media and cellular networks were actually secure. That’s not even to mention the obvious advantage of US security apparatus having access to these popular systems.
What incentive for the Apple possibly have to make their phones vulnerable to NSO hacking tools? Apple makes more money than god selling iPhones. The State of Israel’s entire defense budget is about $18B/yr, which is less than Apple’s annual R&D budget. And they have to defend an entire country with that $18B.

The idea that Apple is playing ball with the IDF is frankly ludicrous.

The same reason that any giant company plays ball with the US government: sweetheart deals, favorable treatment, preferential contracts, protection of their interests in both domestic and foreign markets, etc.

Apple regularly gives up users' private data when the government simply asks them to[1], despite spending billions of dollars on "privacy" marketing.

[1] https://www.apple.com/legal/transparency/us.html

Your “when the government asks them to” should read “so that the government doesn’t shut them down.” The two things you mention are not at all comparable. You’re trying to associate them for rhetorical effect, but there’s no analogy here.

Thing 1: Apple complies with US law. How do you think it would work if Apple said “Fuck you” to US law enforcement requests? Can you provide examples of other companies that have done this, or are doing this now, and had it work at all? I can’t think of a single US-based tech company that doesn’t cooperate with law enforcement. At least Apple is transparent about it.

Thing 2: Apple markets privacy — https://www.apple.com/privacy/ They make a bunch of concrete statements, most of which are empirically verifiable. What is wrong with this? Again, can you point to any at-all-similar company that does it better, or more explicitly?

Nope, those are not all responses to subpoenas, warrants, court orders, etc. Apple specifically lists the requests they're legally obligated to respond to in one section, and then lists requests they choose to respond to with users' private data in another.

That's to say that Apple regularly hands over users' private data when simply asked, even if there is no legal obligation to do so, as there is with warrants.

> Apple regularly hands over users' private data when simply asked, even if there is no legal obligation to do so

I'm having trouble finding this part specifically.

Can you point to where that is described, and what some examples are?

"Nice company you've got here. You wouldn't want anything bad to happen to it, right?"
What do “incentives” have to do with anything in a post-Snowden reality?
This is the biggest jump of whattaboutism I've seen in five years.

Jeez, I if I had one wish from a genie some day, it would be to absolutely get rid of the curse that is whattaboutism.

You act like it’s trivial to fix. They’ve already sandboxed the parsers (which this exploit appears to bypass, crashing MessagesBlastDoorService) which massively drives the effort up. They also had to bypass pointer authentication.

Whilst, yes, you can wonder why it isn’t all rewritten in swift (if it isn’t already), exploits will continue to be found and exploited, forever.

It arguably is trivial to fix, if you prioritise fixing this. If you say OK, we want to offer safety first and features are only a nice-to-have, you can make that happen.

Apple have as usual decided that nope, some of their features are a must have and if safety has to be sacrificed to get features well, sucks to be you getting exploited.

Something like Swift isn't up to it. It's less easy to blow your foot off than if you wrote C++ but necessarily (as a general purpose language) you can do it. But what if we give up generality? Languages like WUFFS give up general purpose programming, solving only a narrow problem but doing so with cast iron safety because they're able to prove the system always has valid state. This is entirely appropriate when (as so often) we didn't really need generality, which means having it is a gift for bad guys.

"Lockdown mode" should have begun with stuff that's definitely safe, rather than just arbitrarily picking a smaller set of features in the hope that the smaller surface can be more easily defended.

So how is rewriting it in a safer language not trivial in this example?
Well obviously you can’t just rewrite the particular components used in this exploit chain, as attackers will hit something else next time.

So you’re rewriting practically an entire OS stack from scratch, in a different language (one that is ill-suited for low-level operations needed in many parts of an OS)

I’d say that’s not trivial?

Well, yeah, if you conflate rewriting a component with rewriting the whole OS, it's stops being trivial
Well, someone or a group of people at Apple decided to give untrusted input to NSKeyedUnArchiver(a known exploitable API) in an OS-level service and it seems like no one stopped them or was there to review that code. That seems like a systemic failure to me.

I'm not saying that it's impossible to check in buggy code, but it's possible to have processes to prevent this type of bug nowadays and Apple should have had these 10 years ago.

> In one encouraging sign, some of the most recent attacks failed against users who had activated Apple’s recently introduced Lockdown Mode, which stops some communications from unknown callers and reduces the number of programs that are automatically invoked.

I'd not heard about Apple's "Lockdown Mode" (which applies to both computers and phones). Per a support page[1], there's a lot of small tweaks that reduce convenience of the devices, but it sounds like they will fundamentally still _mostly work_.

Is "Lockdown Mode" a well-known thing that I just missed? It feels like Apple has put a target on things like URL previews for malicious actors, while also labeling the defense mechanism as an expert-only tool.

[1] https://support.apple.com/en-us/HT212650

(comment deleted)
> In one encouraging sign, some of the most recent attacks failed against users who had activated Apple’s recently introduced Lockdown Mode, which stops some communications from unknown callers and reduces the number of programs that are automatically invoked.

I'm a huge fan of the idea of Lockdown Mode and have it enabled on my iPhone and MacBook, but I don't think it has mass adoption or appeal. It certainly needs some tuning before the masses will adopt it. Specifically, people in your Contacts should have the option to be trusted. Right now, FaceTime calls are blocked from them if they are not in your recent calls (an issue for me as I regularly purge my call history) and iMessage content is blocked (Live Photos, documents, etc).

Well that's good at least, I presume if you're under threat of being targeted by an NSO pwn, you're hopefully running lockdown mode.

How crippled does the device feel? Is it usable? The two things you mentioned wouldn't be a problem for me. I've been considering enabling it for a while but wondered how restrictive it will realistically feel.

I'd suggest turning it on and seeing if you can live with it. Some issues that I've had:

1.) FaceTime calls from people not in your recent calls will be blocked with a silent notification. Sometimes I don't see it for hours

2.) Incoming iMessages will be stripped of Live Photos and document attachments

3.) Using Starbucks in a browser did not work until I disabled Lockdown Mode in Safari for the domain. Fortunately these exceptions are easy to make and persist

I'm not a target for state-sponsored attacks but will generally trade usability for security when reasonable.

Losing Live Photos sounds like a feature to me :)

(3) is weird. Conceivably it’s using wasm (I recall many years ago wasm had no interpreter mode, no idea of current state), or webgl (which seems plausibly like something that would be blocked)

Microsoft Edge's Lockdown Mode equivalent ships with a WASM interpreter called DrumBrake: https://microsoftedge.github.io/edgevr/posts/Introducing-Enh...
Yeah sorry I meant to say "wasm in JSC" (which is the only wasm implementation I was ever aware of the technical details for), but was typing on my phone and apparently missed that fairly critical piece of information. Alas it's too late to correct my comment :-/
> How crippled does the device feel? Is it usable?

Not. And yes.

I did some analysis of it when it came out to figure out what all is blocked and such: https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browse...

Animated gifs in text threads don't animate - which, personally, I consider a feature.

And webfonts aren't loaded, which means a lot of forums that load icons as a webfont have a lot of squares instead of arrows for reply and such.

You can disable it on a per-website basis, and I don't do much in the way of facetime and such, so I've not really noticed it. It does remove a LOT of complex attack surfaces, though, which is worth a lot.

Why should they be running lockdown mode? It says it only blocked some, but not all attacks which means that they were successfully attacked. For a targeted individual who "might be personally targeted by some of the most sophisticated digital threats" that does not cut it when your life is on the line. No, this is a existence proof that the Apple marketing that explicitly states that it can protect against such threats is bullshit and criminally irresponsible.

The only smart thing to do if you are such a individual is to not have a smartphone at all otherwise you are 100% going to be successfully attacked because every commercial smartphone is trivial to hack for a dedicated threat actor. In addition, you should never purchase a smartphone from any existing smartphone vendor for the foreseeable future regardless of what dangerous lies their marketing spins because all of their security organizations are structurally incompetent with respect to protecting against sophisticated digital threats. It would require a wholesale replacement of their security leadership, technology, and ideology for it to even be possible to actually protect against sophisticated digital threats.

I’ve been testing it out and from what I can tell, the HN reply box doesn’t render correctly. It still functions though
Is it supposed to have mass appeal? I thought it was for a small number of people who are such high-value targets that an adversary would be willing to burn a zero-day on compromising them.
Fair enough, but some of the protections in Lockdown Mode seem straightforward enough that I'm not sure why they aren't enabled by default. A couple of examples:

1. Device connections - To connect your iPhone or iPad to an accessory or another computer, the device needs to be unlocked.

2. Configuration profiles - Configuration profiles can’t be installed, and the device can’t be enrolled in Mobile Device Management or device supervision while in Lockdown Mode.

1 would be a pain for wireless carplay. Not the end of the world, but a pain
Hasn't unlocking to use USB been the default for a decade now?
Not quite a decade but ever since Greykey became a thing Apple has locked down USB while locked.
That is Apple's statement, but I'd be surprised if 50% of iOS/macOS users noticed any significant change with lockdown mode on. Unless you are using shared albums or answering unknown facetime calls, there isn't much impact. JIT, WebAssembly, etc. can be re-enabled per site.
If anyone is this concerned there is always the option to downgrade to a dumb phone. Or the classical landline.
For reference, iOS exploits are cheaper than Android exploits because iOS exploits are so plentiful[1][2].

Android being open source makes it easier for more parties to audit the software they run, and not just groups that are paid handsomely to exploit iOS for state sponsored hacking.

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html

More than open-source, I would say it's also due to the fact that on Android there's no homemade apps with private apis like on iOS.

Apple's security model clearly excludes their own apps and that shows on the issues publicly released.

Secondly, on Android, very few system components are actually tied to the OS version, and it's getting thinner after every version. On iOS it's the norm.

(comment deleted)
Your [1] is 3 years old and has quite a few caveats (temporary situation, non-Zerodium security experts don't quite seem to agree with the decision), and the diagrams in [2] don't seem to show that iOS exploits are any cheaper today.

Moreover, the reasons given in [1] don't include "Android being open-source make it easier to audit".

Is this still true today?

The Zerodium payout structure has not changed in the 3 years since that article's publication[3].

And that is the way news works. It was news 3 years ago when iOS exploits became cheaper, now it's just how the market is.

> Moreover, the reasons given in [1] don't include "Android being open-source make it easier to audit".

From Wired[4]:

> Shwartz credits Android's increased security partly to its open-source strategy finally paying off. While Apple has kept its operating system so locked down that even benevolent security researchers have difficulty sussing out its bugs—a problem it's tried to solve with a recent expansion and opening up of its bug bounty program—Android's open-source approach has meant more eyes on its code. While that broadness initially led to more bugs, those vulnerabilities have been patched over time, slowly hardening the operating system. "So many vulnerabilities have been patched that the attack surface is decreased dramatically," says Shwartz.

[3] https://web.archive.org/web/20201108190905/https://zerodium.....

[4] https://www.wired.com/story/android-zero-day-more-than-ios-z...

Regardless, the diagram on the Zerodium website (at http://zerodium.com/program.html, under "ZERODIUM Payouts for Mobiles") does not seem to indicate that iOS exploits are cheaper. Am I missing something?
The most serious category of attack, a Zero Click FCP, has Android at $2.5M and iOS at $2M. To be fair, the difference is negligible and both are only about as expensive as starting a new McDonalds and easily fall within the scope of a standard small business loan. So yeah, trivially hacking any phone in the world is only within the financial means of around 60 million people in the world.
The main difference on that page isn't between iOS and Android, but server/desktop and mobile. Former is cheap!

Is there anywhere that tracks more current prices?

Zerodium buying mobile exploits for $2-2.5M does not mean that a buyer can go out shopping for an exploit and find one in that price range. Exploits are a highly illiquid market and there is going to be a big bid-ask spread. Plus a lot of middlemen are restricted in various ways in terms of who they sell to. Then there the issue of building an actual capability around the base exploit... There's a reason why we don't have thousands of NSO-like small businesses running around.
(comment deleted)
What the diagram doesn’t tell you is that it is the maximum possible payment for an exploit, and to get it for Android it needs to work on far many more operating system versions than iOS as well as being independent from Google Play Services.

Zerodium pays out based on the maturity of the exploit, how many versions it covers and what are its dependencies and ease of exploit.

This is a double edged sword, because while there might be fewer Android exploits discovered per year, the number of publicly-known and exploitable vulnerabilities in circulation at any given time is almost certainly lower on iOS, where most users have updated to the latest version within two weeks of its release, than on any device in the fragmented Android ecosystem, where only users of devices from proactive vendors even have the option to update their device to the latest version with upstream security patches. And that's assuming their device isn't EOL, which tends to happen more quickly to Android devices than Apple devices, despite the latter's reputation for planned obsolescence.
To nuance that, Android is also much more modular in its updates than iOS, an outdated Android depends on the security flaw itself to be exploitable or not, it really depends. On iOS, the system is exploitable in 100% of the cases if not updated and keeping the system always up to date is even more critical.
I have been wondering what's the actual status of iOS updates outside of the US, or in countries where nobody uses wifi? I just checked that my SO's iOS was on 16.3.1, over 2 months old iOS version.

Apple has decided that iOS should only accept downloading OS updates over wifi. In my country, for example, people don't really set up wifi at home anymore because basically everyone has unlimited cellular data. So they don't need to connect to any wifi at all. All the iOS update statistics seem to come from the US, where everyone relies on wifi.

It seems that on some level, iOS suffers from the same update problem as Android, but only because Apple decided to do so for no reason. Not everyone lives in the US.

Meta: if anyone wants to work at Citizen Lab (Toronto, Canada), they're looking for Manager, Information System Security:

* https://citizenlab.ca/2023/03/manager-information-system-sec...

Would it not be wiser for them to search a candidate rather than ask for one? Or that's how they find out who not to hire?
> Pay Scale Group & Hiring Zone: PM 3 — Hiring Zone: $82,692 – $96,473 — Broadband Salary Range: $82,692 – $137,819

Ouch. Toronto is one of the most expensive cities in North America. If they really want "expert" level skills across a number of infosec areas, they are going to have a lot of trouble finding a candidate that meets their requirements.

CL is affiliated with UToronto, see same job posting at:

* https://jobs.utoronto.ca/job/Toronto-Manager%2C-Information-...

And so uses the same wage schedule as them:

* https://people.utoronto.ca/wp-content/uploads/2022/06/PM-Sal...

* https://people.utoronto.ca/careers/salary-ranges/

> […] they are going to have a lot of trouble finding a candidate that meets their requirements.

Depends on whether they're trying to bring in someone international, or just in the local talent pool. You do get some good benefits: supplemental health stuff and a DB pension.

I started a new position not too long ago where I got a decent salary bump, but if I was still at my old position I would be semi-tempted to at least would apply to see what the environment is about.

Can we mitigate these kinds of attacks by using a data only SIM card? If I use some kind of VOIP service for OTA calls and SMS, the calls would be off the baseband.
None of these attacks involved the baseband, they're exploiting bugs in iOS.
Honestly, whoever the NSO Group hires must be absolute wizards with some of these hacks.

I've read the in-dept writeups on some of the previous ones and they are insane. Combining 5+ seperate problems to finally achieve the goal.

I can't imagine what that interview is like.

Not that I condone any of this stuff, quite the opposite. But from a programming perspective, it's pretty incredible.

The one where they altered a gif to invoke legacy pdf compatibility libraries that was somehow turing complete and used it to bootstrap a VM that performed memory analysis to escape a sandbox was likely the most impressive feat of engineering I have read...ever. I would love to read an entire book about how this was discovered, productized and deployed.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

Yep, that one was insane.

These have to be ex-employees of national security groups like the NSA, etc. who are already familiar with this type of stuff. The Stuxnet-type employees who understand everything at the deepest levels and can (and will) do anything to make it happen.

Top-tier engineering. Just used for nerfarious purposes, despite the PR spin.

I'm actually surprised they have a PR person. "Um, nothing to see here!" would be my standard response.

The important takeaway is that the vulns they were using have been fixed in the latest iOS 16 updates, which is a far faster response than the old NSO imessage zeroday which took Apple over a year to figure out.
[dead]
Apple has been kind of forced into the open source model by tools like Corellium[1] and some source code leaks. This means that the black box advantage that iOS has had is no longer as significant. Apple's move with the Security Research Device Program[2] proves this point. They wouldn't be offering it if they didn't think it was a serious problem for them.

[1] https://www.corellium.com/ [2] https://security.apple.com/research-device/