Another Pegasus-like spyware tool called 'Reign' was used to spy on iPhones
Echoing NSO Group's Pegasus debacle, another spyware tool that could attack the iPhone was sold to governments, and has only now been discovered.
Spying software is often used by security agencies and governments to monitor individuals of interest. This was most famously demonstrated by the discovery of Pegasus, spyware by NSO Group that was sold and used to spy on political opponents, activists, and journalists.
While the Pegasus discussion has died down, it seems that NSO Group wasn't the only organization selling tools capable of surveilling an iPhone to interested parties.
A report from Citizen Lab based on analysis of samples shared by Microsoft Threat Intelligence revealed the existence of a spying tool that was very similar to Pegasus in many ways. Known as "Reign," the spyware by the Israeli company QuaDream offers ways for governments to, again, keep tabs on their potential opposition.
Much like Pegasus, Reign has been sold to governments including Singapore, Saudi Arabia, Mexico, and Ghana. It was pitched to others including Indonesia and Morocco.
The tool has also been used in at least five cases. To date it has been used against political opposition figures, journalists, and others in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
Once installed, Reign had a considerable amount of access to the various components of iOS and iPhone features, much like Pegasus did. This included:
The firm is also in a legal dispute with InReach, a Cyprus-based entity used to sell QuaDream's products outside of Israel. The dispute, over an apparent failure to transfer funds in 2019, helped researchers discover more about the companies, including their officers.
QuaDream is believed to have "common roots" with NSO Group, according to Citizen Lab, along with other companies within the Israeli commercial spyware industry, as well as intelligence agencies within the Israeli government.
Among the key individuals is a co-founder who was a former Israeli military official, and former NSO employees.
Citizen Lab says the report is "a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike."
Read on AppleInsider
Spying software is often used by security agencies and governments to monitor individuals of interest. This was most famously demonstrated by the discovery of Pegasus, spyware by NSO Group that was sold and used to spy on political opponents, activists, and journalists.
While the Pegasus discussion has died down, it seems that NSO Group wasn't the only organization selling tools capable of surveilling an iPhone to interested parties.
A report from Citizen Lab based on analysis of samples shared by Microsoft Threat Intelligence revealed the existence of a spying tool that was very similar to Pegasus in many ways. Known as "Reign," the spyware by the Israeli company QuaDream offers ways for governments to, again, keep tabs on their potential opposition.
Much like Pegasus, Reign has been sold to governments including Singapore, Saudi Arabia, Mexico, and Ghana. It was pitched to others including Indonesia and Morocco.
The tool has also been used in at least five cases. To date it has been used against political opposition figures, journalists, and others in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
Zero-click and devastating
Binaries scanned by the team reveal the spyware was deployed to target devices by using a suspected iOS 14 zero-click exploit, including against iOS 14.4 and iOS 14.4.2. The exploit, which researchers refer to as "Endofdays," used invisible iCloud calendar invitations sent to victims.Once installed, Reign had a considerable amount of access to the various components of iOS and iPhone features, much like Pegasus did. This included:
- Recording audio of calls
- Recording the microphone
- Taking photographs using cameras
- Exfiltrating and removing items from the Keychain
- Generating iCloud 2FA passwords
- Searching through files and databases on the device
- Tracking the device's location
- Cleaning up traces of the software to minimize detection.
A continuing privacy danger
QuaDream continues to operate. It managed to avoid being discovered for a considerable period of time because of efforts to avoid scrutiny.The firm is also in a legal dispute with InReach, a Cyprus-based entity used to sell QuaDream's products outside of Israel. The dispute, over an apparent failure to transfer funds in 2019, helped researchers discover more about the companies, including their officers.
QuaDream is believed to have "common roots" with NSO Group, according to Citizen Lab, along with other companies within the Israeli commercial spyware industry, as well as intelligence agencies within the Israeli government.
Among the key individuals is a co-founder who was a former Israeli military official, and former NSO employees.
Citizen Lab says the report is "a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike."
Read on AppleInsider
Comments
Have you ever considered the fact that yearly major updates are part of the problem?
We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all.
Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.
Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem.
I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance.
It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes.
Getting rid of crud is a major improvement, not a minor. There has been many bugs that have been exploited due to old software, even old open source software. Part of the problem is old software was built with old tools that didn’t enforce variable types and other methods that reduce potential problems which increases security. People didn’t program with an eye toward security as much. People didn’t think of security as much so long ago.
Implying 'I don't know for sure how buggy Apple’s coding is so I can't have a relevant opinion' doesn't alter what I am saying.
Major yearly updates are definitely part of the problem. Complexity is another. From API's, general frameworks, compilers, security etc.
ALL security frameworks are based off decades old security models. I'm not sure why you say people didn't code with an eye for security. Operating systems have had security as a major foundational objective for years. App development using OS APIs can have bugs but at worst you know they should not impact security at a deeper level. We obviously understand that bugs can punch big holes into security but uninstalling an app is easy. That isn't really possible at OS level.
The shorter the development process, the more likely bugs will be present. The development process itself is a balancing act of bugs vs usability, threat vs risk, cost vs performance etc.
I haven't seen Apple’s security model so I don't know what goals or level of certification it aspires to but for modern operating systems we can consider that basically moot unless they actually have a formal design review and testing process as part of it. That is unlikely given the outward facing nature of its operating systems in the consumer realm. I imagine Apple aspires to something like B2/EAL-5.
Software gets released with 'known issues' as a result. It is also released with unknown issues, some of them are potentially disastrous for security. Lack of development time (pushed by deadlines) means lack of testing, lack of security research etc.
Yes, there are trade-offs involved in bringing software to market but zero click security issues should always be fixed on the original lineage and the mere suggestion of fixing something as part of a major upgrade should be scoffed at. Yes, that is only my opinion.
The problem is that with yearly major update cycles there is a huge reason to do just that.
Your whole idea that these major release is higher in bugs due to short timeframe, fails just upon none of really knows how long Apple spends on these major releases, prior to even announcing them at WWDC. Further, you are missing the tools to check for bugs, and the underlying language are not the same as decades ago. Part of the selling point of Swift is that Swift is a safer language. You can have whatever opinion you want, but you cannot point to anything where these Major releases are a problem more than the point release that Windows or Linux does. Rarely does a week go by that my Linux box have some update. Point updates still have major problems and you can't acknowledge that. Security updates are have to be short deadline, does that mean they are buggy too?
There is no proof that the major releases force a short deadline, and thus bugs because we have no idea how much time Apple actually spends prior to WWDC. Further we have no idea if Apple moves to point releases, that will actually reduce the amount of bugs.
The 'when' part only serves as an indicator of potential exploits and how far they go back in lineage. A bug that is found soon after release and patched is less likely to have exploits. Obviously the sooner that happens, the better.
As far a length of time of development before going live is concerned, as I have already said, only Apple can know and that is something that is tied to too many variables to know for sure.
The best indicators are the bugs themselves and how Apple acts to find and squash them.
Here is where we have something to go on and yes, IMO, a yearly major upgrade cycle will always leave them less well protected.
We also know that until relatively recently, Apple wouldn't let many people see the code for long enough to catch bugs, big or small before release. There have been some very embarrassing bugs over the years that suggest literally no one checked for certain things. Some bugs have led to data loss. Those errors were representative of very sloppy protocol implementations. Some as simple as running through a checklist.
It took way too long to get into the bug bounty arena and even when it announced a programme there were complaints about implementation and transparency.
It is typical for Apple to sit on user facing bugs in its apps (that pose no security) threat for literally years. Some never ever get fixed. I've been bitten by some of them.
Things like Pages would get released, soon after there would be a bug fix release and maybe another but absolutely no real development after that. You were on your own to work around them.
Why was this? We know the answer.
The people doing the cooking were being moved around to other projects. Then, when it was time for a big Pages update, people would be brought in again for new features and a rinse, repeat of the whole process.
We also know this happens at an OS level. That of course is inevitable but if you are working to short cycles, bugs will be more probable.
Some extremely stupid OS bugs never fixed. When Apple introduced smart folders and smart searches (I can't remember the official English names as my system is in Spanish) I took advantage to create a lot of smart search items. It was painstaking but worth it as I expected system level support rather than depending on Apple's apps which are notorious for changing (losing functionality) or simply getting killed.
How wrong I was. The very next major system update broke everything. The cause? Someone in localisation had translated some strings that they shouldn't have. Devastation ensued. It never got fixed.
Here is a hitch potch collection of commentary but just from a quick Google:
https://securityboulevard.com/2021/09/apple-security-is-garbage-change-my-mind/