British spy agency said to target Apple's iPhone with remote surveillance exploit kit

2

Comments

  • Reply 21 of 51
    patsupatsu Posts: 430member
    pmz wrote: »
    Sooner or later people will come out of denial and will understand that these reports are WAY understated and only a small part of the overall story. Every smartphone in the world, especially the iPhone, can be invisibly hacked and can be used to spy on the owner.

    I know how badly some of you want to trust Apple, and even crazier, want to trust the gov, but that's not the real world.

    The report is outdated. These remote exploits are all possible with jailbreaks and open source software. In 2010, iOS had a remote PDF jailbreak exploit that was fixed.

    Since then, iOS and Mac security have beefed up significantly. It's now sandboxes everywhere compared to 2010. It will continue to be a cat and mouse game as Apple rewrite their software frequently.

    But the NSA is resourceful. If they can't do it remotely, they will try to gain physical access to your devices. It doesn't have to be a phone. They can pick the easier ones to start.

    If they can't get to your devices, they will try to sieve the network traffic, or target the servers at the same time.
  • Reply 22 of 51
    patsupatsu Posts: 430member
    gatorguy wrote: »
    Rovio, one of the app providers mentioned in yesterdays' report has issued a statement, a portion of it sayin:

    "The alleged surveillance may be conducted through third party advertising networks used by millions of commercial web sites and mobile applications across all industries. If advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance. Rovio does not allow any third party network to use or hand over personal end-user data from Rovio’s apps."
    http://www.rovio.com/en/news/press-releases/450/rovio-does-not-provide-end-user-data-to-government-surveillance-agencies/

    FWIW Millennial Media has been mentioned in connection with the story. In an unusually timed announcement yesterday their CEO and founder tendered his resignation, effective immediately.
    http://articles.baltimoresun.com/2014-01-27/business/bs-bz-millennial-media-palmieri-20140127_1_ceo-paul-palmieri-millennial-media-jumptap

    EDIT: In the 23 different tracking ad providers working in AppleInsider at the moment I don't see Millennial Media.

    Those are different mechanism altogether from the jailbreak, rootkit type exploit.

    They are more like user tracking in popular social networks today. Users are already volunteering a lot of location, preferences and relationship data to feed their favorite services. They only need to intercept the network and servers to get more info.

    If the users sets the preferences to stop cookie or any form of tracking, the OS, app and service providers have to stop doing so.
  • Reply 23 of 51
    gatorguygatorguy Posts: 23,321member
    patsu wrote: »

    If the users sets the preferences to stop cookie or any form of tracking, the OS, app and service providers have to stop doing so.

    Why? At least in the US it's not illegal to ignore "Do Not Track" and many do.
  • Reply 24 of 51
    patsupatsu Posts: 430member
    gatorguy wrote: »
    Why? At least in the US it's not illegal to ignore "Do Not Track" and many do.

    Ah, then it is piece of cake for NSA to track you. ^_^

    They don't even need to jailbreak your phone to track your activities online. Everything has been harvested by the ads people on the server side. And big and small companies share data between each other.
  • Reply 25 of 51
    charlitunacharlituna Posts: 7,217member
    Three year old doc which means that it may have been invalidated by iOS 5 etc.

    And likely requires either physical access to a non passcoded device. Or for said device to be jailbroken to allow for side loading and the user to install the exploit themselves through some kind of Trojan horse move.
  • Reply 26 of 51
    charlitunacharlituna Posts: 7,217member
    gatorguy wrote: »
    Unless Apple, Google, MS and other OS providers were aware of the NSA spying and all the ways it was being accomplished I personally think it's ridiculous to assume that the holes they were using are all closed by happenstance. We're just now becoming aware of how pervasive it is, with both Apple and Google claiming they had no idea themselves.

    Any sort of exploit in iOS that the NSA etc might use are the same sort of thing that jailbreak developers might use. So no it wouldn't be happenstance so much as Apple trying to cure rabies and 'accidentally' cured cancer as well
  • Reply 27 of 51
    Those 'always on' connected location services rather than more standard Airplane mode GPS services are no Secret Service.
    Those added beacons mean location services are ultra important to the future of Apple, secret or no secret services.

    I'm still sort of waiting to see a cursing email when Apple truncated that user lifetime location database on the iPhone.
  • Reply 28 of 51
    Well this can't be right. Everyone knows that the US is the only country that ever spies on anyone and that they've only been doing it for the last couple of years.
  • Reply 29 of 51
    gatorguygatorguy Posts: 23,321member
    patsu wrote: »
    Ah, then it is piece of cake for NSA to track you. ^_^

    They don't even need to jailbreak your phone to track your activities online. Everything has been harvested by the ads people on the server side. And big and small companies share data between each other.

    Yup, a lotta sharing going on. You're getting there.
  • Reply 30 of 51
    Originally Posted by AppleInsider View Post

    GCHQ Warrior Pride

     

    I’d forgotten how butt-wipingly ugly a presentation slide could be. Someone needs to splurge and pay the $20 for Keynote.

  • Reply 31 of 51

    Apple and Samsung may have vastly improved the security on their devices.  But how secure are the facilities when phone components are designed, manufactured, or assembled?  These have to be tempting targets.  What's to stop an Apple (or a contractor) engineer, who's really a covert agent, from compromising the chip, ROM, or something?  Or compromising core software at the source where its written?  I don't think it would be difficult for a major intelligence agency to infiltrate any tech company they've targeted.  Especially with so much to gain.  We already know the NSA has actively tried to compromise encryption standards (and who knows what else) - right at the source.  Going to the source may be the emerging strategy.

  • Reply 32 of 51

    In 5 years when we find out that NSA and GCHQ had remote access to IOS-7 all along, we won't care because we'll all believe that IOS-9 is leaps and bounds ahead of  IOS-7 in terms of security.

  • Reply 33 of 51
    patsupatsu Posts: 430member
    Quote:
    Originally Posted by Apres587 View Post

     

    Apple and Samsung may have vastly improved the security on their devices.  But how secure are the facilities when phone components are designed, manufactured, or assembled?  These have to be tempting targets.  What's to stop an Apple (or a contractor) engineer, who's really a covert agent, from compromising the chip, ROM, or something?  Or compromising core software at the source where its written?  I don't think it would be difficult for a major intelligence agency to infiltrate any tech company they've targeted.  Especially with so much to gain.  We already know the NSA has actively tried to compromise encryption standards (and who knows what else) - right at the source.  Going to the source may be the emerging strategy.

     


    Welp, what's to stop tainted components in your router, PC and [drum roll~] servers ?

    [EDIT: Incidentally, this is why I'm very curious about a US designed and built Mac Pro]

     

    If you want to look at human vulnerability, it won't be just Samsung and Apple. People running Google, Microsoft, Amazon, Facebook, etc. services can be tempted, fooled or threatened too. There are even richer user data in those environments, nicely analyzed and profiled.

     

    Snowden himself is a great example of an inside "threat".

     

    Quote:
    Originally Posted by patpatpat View Post

     

    In 5 years when we find out that NSA and GCHQ had remote access to IOS-7 all along, we won't care because we'll all believe that IOS-9 is leaps and bounds ahead of  IOS-7 in terms of security.




    It's always a cat and mouse game. In a connected world, when there are easier ways to get the same data, then NSA or the bad guys will go there first.

     

    If Apple do it right, iOS9 should indeed be ahead of iOS7. I doubt they will throw their hands up. Doesn't make sense.

  • Reply 34 of 51
    gustavgustav Posts: 826member
    gatorguy wrote: »
    Unless Apple, Google, MS and other OS providers were aware of the NSA spying and all the ways it was being accomplished I personally think it's ridiculous to assume that the holes they were using are all closed by happenstance. We're just now becoming aware of how pervasive it is, with both Apple and Google claiming they had no idea themselves.

    Who said anything about happenstance? It's not like tha NSA has secret exploits that no other hacker can figure out for themselves. In four years there has been numerous security fixes, architectural changes, and OS updates. And there are audits going on constantly. I'd be amazed if any of toes exploits still worked, and it's getting harder and harder to find new ones.
    apres587 wrote: »
    Apple and Samsung may have vastly improved the security on their devices.  But how secure are the facilities when phone components are designed, manufactured, or assembled?  These have to be tempting targets.  What's to stop an Apple (or a contractor) engineer, who's really a covert agent, from compromising the chip, ROM, or something?  Or compromising core software at the source where its written?  I don't think it would be difficult for a major intelligence agency to infiltrate any tech company they've targeted.  Especially with so much to gain.  We already know the NSA has actively tried to compromise encryption standards (and who knows what else) - right at the source.  Going to the source may be the emerging strategy.

    While such scenarios are possible, source code is audited, as are chip designs. One would have to place a lot of covert agents in a lot of key positions for this to be plausible.
  • Reply 35 of 51
    steven n.steven n. Posts: 1,226member
    gatorguy wrote: »
    Not likely. Instead they've almost assuredly improved their spying capabilities several times over in the 5 years since.

    It is 100% likely. This is from 2010. So we are talking iOS 3 or so for the exploits in this slide.
  • Reply 36 of 51
    steven n.steven n. Posts: 1,226member
    gatorguy wrote: »
    Unless Apple, Google, MS and other OS providers were aware of the NSA spying and all the ways it was being accomplished I personally think it's ridiculous to assume that the holes they were using are all closed by happenstance. We're just now becoming aware of how pervasive it is, with both Apple and Google claiming they had no idea themselves.

    All of these companies were quite aware of holes in their OS by the hundreds of exploits (root kits and jailbreaks) presented by hackers. There is little doubt the NSA uses the same basic exploits and must find new ones every time Apple and Google close a hole. And yes, many exploits can be closed by happenstance.
  • Reply 37 of 51
    droidftwdroidftw Posts: 1,009member
    Quote:

    Originally Posted by patpatpat View Post

     

    In 5 years when we find out that NSA and GCHQ had remote access to IOS-7 all along, we won't care because we'll all believe that IOS-9 is leaps and bounds ahead of  IOS-7 in terms of security.


     

    While I agree with what you're getting at, there isn't much need for the NSA to backdoor iOS 7.  Apple is already on board with the PRISM program and willingly hands over information.

  • Reply 38 of 51
    adamcadamc Posts: 582member
    Quote:

    Originally Posted by patsu View Post





    The report is outdated. These remote exploits are all possible with jailbreaks and open source software. In 2010, iOS had a remote PDF jailbreak exploit that was fixed.



    Since then, iOS and Mac security have beefed up significantly. It's now sandboxes everywhere compared to 2010. It will continue to be a cat and mouse game as Apple rewrite their software frequently.



    But the NSA is resourceful. If they can't do it remotely, they will try to gain physical access to your devices. It doesn't have to be a phone. They can pick the easier ones to start.



    If they can't get to your devices, they will try to sieve the network traffic, or target the servers at the same time.

     

    Another point, how is that Snowdon did't and couldn't release the latest spying activities through exploits on the smartphones. 

     

    Whatever he had released are dated years back and nothing current.

  • Reply 39 of 51
    gatorguygatorguy Posts: 23,321member
    adamc wrote: »
    Another point, how is that Snowdon did't and couldn't release the latest spying activities through exploits on the smartphones. 

    Whatever he had released are dated years back and nothing current.

    I don't think we know if he can't or instead just hasn't. . . yet. The information has been trickling out for weeks now. I'm guessing we haven't seen nearly all of it with much more to come.
  • Reply 40 of 51
    gatorguygatorguy Posts: 23,321member
    steven n. wrote: »
    All of these companies were quite aware of holes in their OS by the hundreds of exploits (root kits and jailbreaks) presented by hackers. There is little doubt the NSA uses the same basic exploits and must find new ones every time Apple and Google close a hole. And yes, many exploits can be closed by happenstance.

    So just to be clear, your opinion is that iOS is hardened against any possible exploits and only users of other OS'es have anything to be concerned about? Or is it all of the major operating systems have been improved by previous hacker exploits and security breaches so that no users need to be concerned any longer?
Sign In or Register to comment.