Spyware expert: Apple has a ‘MAJOR blinking red five-alarm-fire problem’

Bill Marczak, a security researcher who has made a study of the NSO Group’s Pegasus tool, posted this Twitter thread Sunday:

@AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw a 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.

It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.

Phone logs show that (at least some of) the iOS 13.x and 14.x zero-click exploits deployed by NSO Group involved ImageIO, specifically the parsing of JPEG and GIF images. ImageIO has had more than a dozen high-severity bugs reported against it in 2021.

BlastDoor is a great step, to be sure, but it’s pretty lame to just slap sandboxing on iMessage and hope for the best. How about: “don’t automatically run extremely complex and buggy parsing on data that strangers push to your phone?!”

My take: I pay Apple a premium so I don’t have to worry about this kind of crap. You’ve been warned, Cupertino. Clock’s a-ticking.
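The design rule Marczak states above (don't run complex parsers on data pushed by strangers) can be expressed as a small triage policy. The following is an added illustration, not Apple's BlastDoor code and not from the article: a hypothetical message pipeline that refuses to decode attachments from unknown senders at all, and for known senders runs only a bounded header check on the JPEG/GIF formats the thread names before handing the bytes to an isolated decoder. The contact list, size limit and sample messages are constructed.

```python
# Added example, not code from the article or from Apple. Models the policy
# "don't automatically parse data strangers push to your phone": unknown
# senders get no parsing; known senders get a cheap header check first.
import struct
from dataclasses import dataclass
from typing import Optional

MAX_DIM = 8192  # assumed policy limit on declared image dimensions


@dataclass
class Message:
    sender: str
    attachment: Optional[bytes] = None


def sniff(data: bytes) -> str:
    """Identify JPEG/GIF by magic bytes; anything else is 'unknown'."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def header_ok(data: bytes) -> bool:
    """Bounds check on declared dimensions, done before any real decoder runs."""
    kind = sniff(data)
    if kind == "gif":
        if len(data) < 10:
            return False
        w, h = struct.unpack("<HH", data[6:10])  # GIF logical screen width/height
        return 0 < w <= MAX_DIM and 0 < h <= MAX_DIM
    if kind == "jpeg":
        return True  # JPEG dimensions sit in SOF markers; left to the sandboxed decoder
    return False


def triage(msg: Message, contacts: set) -> str:
    """Action taken: 'deliver', 'hold', 'reject' or 'decode_sandboxed'."""
    if msg.attachment is None:
        return "deliver"
    if msg.sender not in contacts:
        return "hold"  # stranger: no parser touches the bytes, user sees sender only
    if not header_ok(msg.attachment):
        return "reject"  # known sender but implausible header: drop before decoding
    return "decode_sandboxed"  # known sender, sane header: hand to isolated decoder


# Constructed sample inputs
CONTACTS = {"+15551234567"}
GOOD_GIF = b"GIF89a" + struct.pack("<HH", 320, 240) + b"\x00" * 4
HUGE_GIF = b"GIF89a" + struct.pack("<HH", 65535, 65535) + b"\x00" * 4
```

Holding rather than silently dropping matters for a defender: a held message from an unknown number is a visible signal that can be logged and reviewed, which is exactly what a zero-click chain relies on not happening.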

24 Comments

  1. Romeo A Esparrago Jr said:
    I’m confident Apple has dropped its elite smokejumpers on this already even before Sunday’s Twitter.

    3
    July 19, 2021
  2. Kirk DeBernardi said:
    “My take: I pay Apple a premium so I don’t have to worry about this kind of crap. You’ve been warned, Cupertino. Clock’s a-ticking.”

    As long as we have connected devices, we get to “worry”, no matter how much money we spend.

    The sad truth of it all.

    7
    July 19, 2021
  3. Bart Yee said:
    There are multiple reports on this Pegasus Spyware issue coming out, I’ve forwarded the WashPo, 9to5Mac, MacRumors and Guardian article links to PED. Gonna be a big headache PR wise for Apple (and Android since it has been used against Android products too).

    Shows us that the hacker backdoors and exploits “sold to governments only” are obviously not well vetted or controlled once out there. Will Apple go after this company from a legal standpoint since they are compromising Apple’s products and software?

    3
    July 19, 2021
  4. Robert Varipapa said:
    Just to be clear, one just has to send you a message and you’re compromised (without even opening the message?)

    2
    July 19, 2021
    • Jerry Doyle said:
      @Robert Varipapa: “zero-click iMessage exploit.” Seems that way Robert. I’ve noticed the past six months or so text messages coming to my iPhone telephone number having multiple telephone numbers with my number as one of those multiple telephone numbers. All the numbers are in numerical order. Example: 795-0410, 795-0411, 795-0412, and upward to ten numbers. No links to click, just a text sent to me from some number not in my contacts and a text message making no sense. I delete them all. Bill Marczak, though, is saying receiving is gifting and deleting is too late.

      0
      July 19, 2021
  5. Rodney Avilla said:
    “My take: I pay Apple a premium so I don’t have to worry about this kind of crap. You’ve been warned, Cupertino. Clock’s a-ticking.”

    2 thoughts. 1. What are you gonna do when the clock’s done ticking?
    2. If you know of a safer phone operating system, please fill us in.

    4
    July 19, 2021
    • Jerry Doyle said:
      “…. 2 thoughts. 1. What are you gonna do when the clock’s done ticking?
      2. If you know of a safer phone operating system, please fill us in.”

      PED plans to purchase himself an Xiaomi phone. 🙂

      0
      July 19, 2021
      • Bart Yee said:
        Heh, there’s a phone being touted as uncensorable, having no ties to iOS or Android, retails for $500 and cloaked in the flag and specific interests including certain social media apps. Ironically, it is a rebranding of the Umidigi A9 Pro, a Chinese OEM phone that one can get for $120 on AliExpress (so a 4X markup), and of course, it actually runs off a tweaked version of Android but has all its apps side-loaded from its own App Store. It even has Fortnite pre-loaded!! Many of its promoters suggest using promo codes which appears to earn them a cut. Unsurprisingly, no tech specs have yet been published or available for review.

        Wonder if the Pegasus Android exploits named Chrysaor will be aimed there too?

        0
        July 19, 2021
    • David Emery said:
      Just because the alternatives are worse is NO EXCUSE for iOS to have these kinds of vulnerabilities! The rules for secure software are well-known. Apple has demonstrated -in general- it can do this, but it’s pretty clear their image processing code needs an end-to-end scrub.

      Frankly, these problems will continue as long as software developers get away with disclaims of liability for their bugs as part of shrink-wrap licenses.

      0
      July 19, 2021
      • Rodney Avilla said:
        I don’t think anyone is claiming excuses. Not Apple, not Apple defenders. But to find the reasons for such breaches, one only has to look at the nature of the beast. Apple reaches into every area of our life thru the WWW. The software is extremely complicated. When you combine the fact that vulnerabilities exist that even the engineers who wrote the software are not aware of, with very intelligent people with evil intentions, problems will be hard to prevent 100%. But I believe that is Apple’s intention.

        1
        July 19, 2021
      • Bart Yee said:
        PED, it is quite possible the exploits also load themselves into your backups, iCloud or other apps which you would use regularly, so restoring from a backup could still reintroduce exploits into a virgin device, let alone cross-transfer from an existing iPad or even Mac. The exploits hide deep inside even root kernels and are by nature quite difficult to find and even possess a self-destruct mechanism to hide their tracks or evade detection.

        The only way to ensure freedom from this with a new iPhone is to have a completely new number, iOS account, online and working identity and make sure no one, I mean no one, has that number tied to you. As a journalist, technically you could be a target. And then even consider this a “burner” iPhone to be replaced periodically.

        Of course, this is quite burdensome for most if not all iOS users, so Apple’s job is to plug all these holes and to fortify barriers to loading, maybe even dedicating a core to rooting out malicious code if it can, a self-policing iOS security detail perhaps, one that can look into any part of the entire system and ensure it is what it’s supposed to be.

        Unfortunately that would then be the next target of hackers.

        1
        July 19, 2021
  6. Peter Kropf said:
    I have a friend who is a high end security consultant.

    He uses a dumb mobile.

    When I tell him that my iPhone is comparatively secure, he smiles and says, “All smartphones are hackable and will be forever.”

    With this report, I finally understand the meaning of his smile.

    1
    July 19, 2021
    • David Emery said:
      I don’t buy the argument “all phones are hackable and will be forever.” We -know- how to produce bug-proof software. We’re just not willing to pay the cost! It’s much easier to throw bodies at a problem, throw the code out, and then disclaim any responsibility for when it breaks.

      And your security consultant friend should be worried about anything with software in it, if he believes that. Good luck trying to find something that does NOT have software in it these days!

      1
      July 19, 2021
      • Peter Kropf said:
        “And your security consultant friend should be worried about anything with software in it,…”

        That’s what he’s paid for. To worry and protect.

        He says everything is hackable including the NSA, CIA, and GRU (Russian spook house).

        0
        July 20, 2021
  7. Gregg Thurman said:
    NortonSymantec loves reports like this. MacOS 10 hurt them both, badly.

    I’m not worried. There are things over which I have control, and things I don’t. This is one of those things I can’t control. I did delete my banking app though and won’t access it via my iPhone until Apple has a fix.

    1
    July 19, 2021
  8. Hugh Lovell said:
    Does anyone know how to tell if this exploit has been installed?

    0
    July 19, 2021
  9. Alan Birnbaum said:
    I received a nasty, unsolicited txt via iMessage yesterday which appears to have been sent to 19 other cell #’s (I don’t recognize any). I saw the preview but deleted it then. (Is this a zero exploit?) How does one ✔️ if it was?
    Thx
    AJB

    0
    July 19, 2021
  10. David Emery said:
    Software quality assurance is one of the few things where you -can- throw money at the problem and get a substantial benefit. Apple needs to increase its SQA, not just for cyber vulnerabilities, but for bugs in its products in general.

    0
    July 19, 2021
  11. Filter Unknown Senders in Settings, Messages. Leave Unknowns alone until the update comes out tomorrow or whenever. Some could read their Messages on a Mac until iOS is updated.

    0
    July 19, 2021
    • Dan Scropos said:
      Thank you, Thomas! I didn’t know about this but turned it on. Hoping it helps.

      0
      July 19, 2021
  12. David Emery said:
    Does iOS 14.7 fix this problem?

    0
    July 20, 2021
