NSO malware accessed executive's iPhone within minutes

Posted:
in iPhone
While the Pegasus software accessed the man's iPhone while he was in the company's offices, the attack was not wide, and the entrepreneur had volunteered his phone.

NSO Group's Pegasus


An entrepreneur, who works for an unnamed Israeli company, told Vice's Motherboard website this week that when he visited the offices of Spyware vendor NSO, he was asked if he wanted to receive a demo of the company's notorious Pegasus spying software.

When he volunteered a secondary iPhone and placed the phone on his desk, the NSO personnel compromised the phone within "5 to 7 minutes," placing the phone's screen on a large display in the room, accessing photos, emails, and even the microphone. And they got access without even getting the executive to click on a link.

It's an impressive feat, but the hacking of the phone was of only one target, one who had volunteered his phone and phone number. NSO, Vice said, had been known to do such things during demonstrations.

NSO Group, founded in 2010 in Israel, has often been controversial, with critics accusing it of helping governments crack down on political dissidents. In July a disgruntled NSO employee was indicted for stealing and attempting to sell the Pegasus code.

Apple has, multiple times in recent years, released patches in iOS and macOS to address vulnerabilities exploited by Pegasus.

NSO Group provided Vice with a statement in which it laid out its policies, including that signing up new clients requires permission and an export license from Israel's ministry of defense. Also, its product "cannot work" inside the United States.

"NSO's Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use," the company said in that statement to the publication.
«1

Comments

  • Reply 1 of 24
    lkrupplkrupp Posts: 6,690member
    So? I’m not exactly shaking in my boots over this. Or should I just chuck my iPhone and get a Galaxy S9 to be more secure?
    cornchiplostkiwiredgeminipa
  • Reply 2 of 24
    cpsrocpsro Posts: 2,440member
    For starters, what version of iOS was installed, what model iPhone, was the device unlocked, and (presumably) what if anything was plugged into the Lightning port?
    edited September 2018 eriamjhmac_dogMplsPcornchip
  • Reply 3 of 24
    This article is very short on details.

    "but said that NSO would have to target his other iPhone, which he brought with him and had a foreign phone number"

    Curious why they had to use his "other" iPhone and not his primary iPhone. Was it because of the phone number/carrier? Was it on a different version of iOS? Was it an older device?

    "
    He gave NSO that phone number and put the phone on the desk."

    Again, short on details. What does "put the phone on the desk" actually mean? Did he lay it down and they were able to get access via wireless (WiFi, BT or cellular), or did they connect the iPhone to a computer?


    While this is interesting, without these types of details it's hard to judge how serious this actually is.
    mac_dogols
  • Reply 4 of 24
    eriamjheriamjh Posts: 1,106member
    As much as I’d love to be skeptical about their abilities, I believe it wholly.  Apple has had exploits in their OS since day one.  Jail breakers have been exploiting errors for years.   

    Imagine a company of nerds who who do this day in and day out? I think no prob.  Between weak passwords, stack overflows, bizarre characters crashing iMessage, there have been tons of problems released publicly.  Now imagine what hasn’t been made public.   
    ols
  • Reply 5 of 24
    I agree.  Not enough details...

    As a general best practice, people should reduce surface area vulnerability of their devices. For example, I have both WiFi and Bluetooth disabled. (Unless being used)

    I’ve also disabled the login using biometrics.  And, I have my devices patched (lastest OS).  My password length/complexity is supposedly enough to keep it from being cracked in my lifetime.

    Am I safe? No.  But, I’m not a member of the “low hanging fruit” for attackers.
    viclauyyc
  • Reply 6 of 24
    gatorguygatorguy Posts: 20,008member
    I agree.  Not enough details...

    As a general best practice, people should reduce surface area vulnerability of their devices. For example, I have both WiFi and Bluetooth disabled. (Unless being used)

    I’ve also disabled the login using biometrics.  And, I have my devices patched (lastest OS).  My password length/complexity is supposedly enough to keep it from being cracked in my lifetime.

    Am I safe? No.  But, I’m not a member of the “low hanging fruit” for attackers.
    You may already know, but disabling wifi and bluetooth from Control Center may not really turn those services off entirely. In fact bluetooth/wifi will automatically turn itself back on every day (at 5am ?) without the user requesting it AFAIK., at least in iOS11.x.  Use "Settings" or a Siri request instead to turn those off. Apple has business reasons to keep those services available for "other uses", thus the defaults that attempt to keep them running. 
    https://appleinsider.com/articles/17/11/13/latest-ios-112-beta-clarifies-that-control-center-doesnt-fully-disable-wi-fi-and-bluetooth
    edited September 2018 muthuk_vanalingam
  • Reply 7 of 24
    I agree.  Not enough details...

    As a general best practice, people should reduce surface area vulnerability of their devices. For example, I have both WiFi and Bluetooth disabled. (Unless being used)

    I’ve also disabled the login using biometrics.  And, I have my devices patched (lastest OS).  My password length/complexity is supposedly enough to keep it from being cracked in my lifetime.

    Am I safe? No.  But, I’m not a member of the “low hanging fruit” for attackers.

    Don't you mean "low hanging desserts"?
  • Reply 8 of 24
    That is one weird lede.
    StrangeDays
  • Reply 9 of 24
    It was only one phone. I'm not worried. Apple builds in security ffrom the ground up.
    magman1979
  • Reply 10 of 24
    That is one weird lede.
    Yeah it's really poorly written. It's referring to a subject ("the man") who isn't even mentioned before this except in the headline. Typically the headline isn't assumed to have been read and the lede and paragraph are self-contained. 
    king editor the grate
  • Reply 11 of 24
    chasmchasm Posts: 1,151member
    Yes, this article is not up to AI's usual standards. Odd subhead, short on necessary detail, doesn't explain anything about what methods were used. It's like reading about a magic show: "and then ... the lady VANISHED!"
    lkruppking editor the gratemagman1979
  • Reply 12 of 24
    Rayz2016Rayz2016 Posts: 4,556member
    That is one weird lede.
    Yeah it's really poorly written. It's referring to a subject ("the man") who isn't even mentioned before this except in the headline. Typically the headline isn't assumed to have been read and the lede and paragraph are self-contained. 
    Yes, looks like the first paragraph ended up in the wrong place and no one spotted it. 

     Can’t beat a quick proofraed. 
  • Reply 13 of 24
    nunzy said:
    It was only one phone. I'm not worried. Apple builds in security ffrom the ground up.

    This one is not funny.
    nunzy
  • Reply 14 of 24
    edited September 2018 magman1979
  • Reply 15 of 24
    gatorguygatorguy Posts: 20,008member
    So it requires no physical access to the phone, entirely remote and OTA (altho the phone needs to be in the general area of the injection device but the distance isn't specified. Perhaps a bluetooth thing?), and self destructs if looking for it.

    It can turn on cameras and microphone and other services, read all emails and messages, and see all photos, files and passwords. Needs no "partners" to operate (ie network providers and such), beats encryption protocols,  leaves no traces of being used on the device, and totally transparent to the user. If OTA injection isn't available for whatever reason it can be physically installed on even a locked device in under 5 minutes. Powerful stuff. 

    One odd exception: The company reveals that unlike default Safari on the iPhone the Chrome browser for Android can't be exploited by Pegasus? Weird. 
    edited September 2018 muthuk_vanalingam
  • Reply 16 of 24
    iOS 6? What year is this year?  :(
  • Reply 17 of 24
    gatorguy said:
    So it requires no physical access to the phone, entirely remote and OTA (altho the phone needs to be in the general area of the injection device but the distance isn't specified. Perhaps a bluetooth thing?), and self destructs if looking for it.

    It can turn on cameras and microphone and other services, read all emails and messages, and see all photos, files and passwords. Needs no "partners" to operate (ie network providers and such), beats encryption protocols,  leaves no traces of being used on the device, and totally transparent to the user. If OTA injection isn't available for whatever reason it can be physically installed on even a locked device in under 5 minutes. Powerful stuff. 

    One odd exception: The company reveals that unlike default Safari on the iPhone the Chrome browser for Android can't be exploited by Pegasus? Weird. 

    Funny how you seem to be able to glean all this information. Are you reading the same source article the rest of us did? Because you're making an awful lot of assumptions.
    magman1979
  • Reply 18 of 24
    gatorguy said:
    So it requires no physical access to the phone, entirely remote and OTA (altho the phone needs to be in the general area of the injection device but the distance isn't specified. Perhaps a bluetooth thing?), and self destructs if looking for it.

    It can turn on cameras and microphone and other services, read all emails and messages, and see all photos, files and passwords. Needs no "partners" to operate (ie network providers and such), beats encryption protocols,  leaves no traces of being used on the device, and totally transparent to the user. If OTA injection isn't available for whatever reason it can be physically installed on even a locked device in under 5 minutes. Powerful stuff. 

    One odd exception: The company reveals that unlike default Safari on the iPhone the Chrome browser for Android can't be exploited by Pegasus? Weird. 

    Funny how you seem to be able to glean all this information. Are you reading the same source article the rest of us did? Because you're making an awful lot of assumptions.
    GG reads many sources and it is a known fact for majority of the people (including the hard core Google haters) in this forum. He usually doesn't make assumptions as you implied. Surprised that you are not aware of it.
    gatorguy
  • Reply 19 of 24
    gatorguygatorguy Posts: 20,008member
    gatorguy said:
    So it requires no physical access to the phone, entirely remote and OTA (altho the phone needs to be in the general area of the injection device but the distance isn't specified. Perhaps a bluetooth thing?), and self destructs if looking for it.

    It can turn on cameras and microphone and other services, read all emails and messages, and see all photos, files and passwords. Needs no "partners" to operate (ie network providers and such), beats encryption protocols,  leaves no traces of being used on the device, and totally transparent to the user. If OTA injection isn't available for whatever reason it can be physically installed on even a locked device in under 5 minutes. Powerful stuff. 

    One odd exception: The company reveals that unlike default Safari on the iPhone the Chrome browser for Android can't be exploited by Pegasus? Weird. 

    Funny how you seem to be able to glean all this information. Are you reading the same source article the rest of us did? Because you're making an awful lot of assumptions.
    If you didn't see those mentions you're not reading it very carefully. Those are not "assumptions", they're claims being made by NSO, the company behind Pegasus and its sister Android exploit Chrysaor.

    EDIT: Ah, you're not looking at the leaked marketing doc, just the rehashed source referenced by AI. There's far more detailed info there. 
    But should you or anyone else worry? Very doubtful since a source connected to the company indicates it's in active use on 500 targets or less, altho NSO is just one of several services that offer much the same access to user devices like Sandvine, FinFisher, Hacking Team and others.  It's said to be a lucrative business, $650K to monitor just 10 iPhones, plus another half a $M in setup fees according to one client. 

    The company will reportedly change hands relatively soon from the Francisco Group to Verint in a $B dollar deal, tho Francisco will remain involved. 
    edited September 2018
  • Reply 20 of 24
    gatorguygatorguy Posts: 20,008member
    Rayz2016 said:
    That is one weird lede.
    Yeah it's really poorly written. It's referring to a subject ("the man") who isn't even mentioned before this except in the headline. Typically the headline isn't assumed to have been read and the lede and paragraph are self-contained. 
    Yes, looks like the first paragraph ended up in the wrong place and no one spotted it. 

     Can’t beat a quick proofraed
    :)
    king editor the grate
Sign In or Register to comment.