> Apple is aware of a report that this issue may have been actively exploited.
> CVE-2023-41061: Apple
So if Apple discovered this bug, and Apple saw it exploited in the wild, the question needs to be asked... How did Apple find it in the wild? Was one of their own employees phished? Do they have monitoring on every phone to upload suspicious binaries running as root to the mothership?
> Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.
iOS can send diagnostic logs and crash reports. If the exploit crashed the app instead of running successfully, then that would likely appear in the report. Unusual stack traces can indicate RCE or other exploits.
iMessage passes through their servers so I would not be surprised if they look for anomalous senders or whatever other metadata isn’t encrypted, and they can correlate that with things like crash dumps or potentially other unusual activity by the recipient.
In general, are these exploits in memory only? If I reboot my phone, is that likely to impact anything? Or is it usually possible to persist them to the file system?
You have secure chain of boot so you can't launch the malicious stuff on boot.
But - this doesn't prevent you once you have root to modify some app and system settings for the phone to reinfect itself eventually (proxies, vpn, who knows what)
Serious question, if the NSO group is actively creating spyware - how have we not sanctioned them?
Heck this would probably need to be escalated to threaten the host country of the company with consequences if they're giving safe haven to a known bad actor.
21 comments
[ 2.6 ms ] story [ 69.4 ms ] thread> CVE-2023-41061: Apple
So if Apple discovered this bug, and Apple saw it exploited in the wild, the question needs to be asked... How did Apple find it in the wild? Was one of their own employees phished? Do they have monitoring on every phone to upload suspicious binaries running as root to the mothership?
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...
But - this doesn't prevent you once you have root to modify some app and system settings for the phone to reinfect itself eventually (proxies, vpn, who knows what)
Regardless, persistence is hard, which is why NSA and others recommend shutting off your phone at least once per week.
NSO group iPhone zero-click, zero-day exploit captured in the wild - https://news.ycombinator.com/item?id=37425007 - Sept 2023 (30 comments)
Heck this would probably need to be escalated to threaten the host country of the company with consequences if they're giving safe haven to a known bad actor.
https://www.nytimes.com/2023/04/02/us/politics/nso-contract-...