Apple Updates iOS To Close Three Separate 0days That Were Being Exploited
from the throw-away-your-phone dept
As you may have heard, if you have an iOS device (iPhone, iPad, even iPod Touch) you should be updating your devices, like a few hours ago. Seriously, if you haven't done it yet, stop reading and go update. The story behind this update is quite incredible, and is detailed in a great article over at Motherboard by Lorenzo Franceschi-Bicchierai. Basically after someone (most likely a gov't) targeted Ahmed Mansoor, a human rights activist in the United Arab Emirates with a slightly questionable text (urging him to click on a link to get info about prison torture), a team of folks from Citizen Lab (who have exposed lots of questionable malware) and Lookout (anti-malware company) got to work on the text and figured out what it did. And, basically the short version is that the single click exploits three separate 0days vulnerabilities to effectively take over your phone in secret. All of it. It secretly jailbreaks the phone without you knowing it and then accesses basically everything.“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”So that's great.
The researches believe they've tracked back the exploit to a secretive hacking company called NSO Group. The full Citizen Lab writeup on all of this is quite fascinating as well. They estimate that this exploit from NSO probably costs in the range of a million dollars on the market, though obviously it's closed now. That doesn't mean that NSO or others don't have other exploits up their sleeves.
The report also notes that this kind of exploit is probably just used by nation states right now, but there's nothing to say that it couldn't move down the stack before too long, letting all sorts of mischievous characters look to basically completely pwn your phone. Pretty scary stuff, and yet another reminder of why it's so dangerous that folks like the NSA are hoarding 0days, rather than revealing them, and that the FBI is trying to force tech companies to break encryption and other tools that are necessary to block these kinds of attacks.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 0days, exploits, hacking, human rights, ios, iphone, surveillance, vulnerabilities
Companies: citizen lab, lookout, nso
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not all bad news
[ link to this | view in thread ]
"The researches believe they've tracked back the exploit to a secretive hacking company called NSO Group."
Did they mean NSA group?
[ link to this | view in thread ]
Re: Not all bad news
So unless your jailbreak plans include "avoiding the public internet" - I'm not sure it makes them more useful at all. In fact, it basically does the opposite - rendering them "unsafe for any use".
[ link to this | view in thread ]
Hillary
[ link to this | view in thread ]
Oh-Day?
[ link to this | view in thread ]
Re: Re: Not all bad news
[ link to this | view in thread ]
Re: Re: Re: Not all bad news
[ link to this | view in thread ]
[ link to this | view in thread ]
Money
to money, nothing else
matters. See Mr. Robot
[ link to this | view in thread ]
Re: Not all bad news
[ link to this | view in thread ]
Please use Zero-day or Zday
[ link to this | view in thread ]
Simple Answer
[ link to this | view in thread ]
Re: Re: Re: Not all bad news
[ link to this | view in thread ]
Re: Re: Not all bad news
I have many such devices.
Apple, on the other hand, doesn't cut their devices free - rendering them landfill-worthy at best.
[ link to this | view in thread ]
Re: Not all bad news
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Not all bad news
Support is up to the carrier. As you say, Google releases security and OS updates but it's up to the carriers to push them out. There are advantages and disadvantages to the Android ecosystem compared to Apple.
[ link to this | view in thread ]
Update,why and why not?
try for,such as 3D Touch, Voice mail transcription,Siri...
[ link to this | view in thread ]