
How does it get installed? I'm imagining some spy stealing the phone and installing it.


No, they use zero-day exploits in common media formats. The spy sends you a message containing an image or pdf, your device parses it, is exploited, and then removes the message, before there ever is a notification about it. You will never know that it ever happened.

For example, see FORCEDENTRY, which is one of theirs, and the technical deep dive of it is about the most amazing piece of technical writing released last year: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...


It was an amazing technical achievement that they pulled off, but also a lot of work instantly destroyed with one patch.

Somebody's day got ruined when that was discovered.

And kudos to the Google project zero guys for an amazing writeup.


Nobody's day is ruined; they'd certainly have multiple zero-click zero-days on the back burner.


I can't believe that all text messages aren't stored somewhere on the NSA (or equiv.) server (so it should be easy to quickly find the zero-day after a single attack). They probably just aren't motivated enough to expose the zero-days associated with it.


Why would the NSA be motivated to find these vulnerabilities? They already have access to Pegasus :-)

... you don't think they're interested in closing them, do you?


Isn't the NSO on an entity list now? That should mean that the NSA no longer has access to Pegasus.


Do you really think that the NSA would be bound by sanctions? They’ll ping the Israeli government and ask for access if they need it, and they won’t be turned down; it would just be a matter of price.

The NSO isn’t a state-run outfit outright, but it has been used by Israel to score foreign relationship wins, just like any other export, and specifically the way arms exports are used by other governments.

NSO is literally the bargain bin option when it comes to SIGINT/COMINT, and for most of their clients they are pretty much the only option to get a high-end targeted capability to compromise mobile devices.


How would you know that a message contains an exploit before you know such an exploit even exists?

Also for iPhones it's usually iMessage instead of SMS which supposedly is e2e encrypted.


iPhones can still send and receive an SMS. It’s also not particularly difficult to send a crafted iMessage, and a lot of these exploits also chain multiple exploits, e.g. an RCE in a 3rd-party messaging app with a sandbox/privesc on the local device.

And even without that, if you get an RCE within the context of a messaging app you might be able to get most of what you need, since you probably would be able to read / write arbitrary memory within the context of that process and interact with whichever APIs the app has permissions for, which for messaging almost always includes microphone and camera, and often location too.

The only thing you don’t get from running an exploit within the context of a single app is usually persistence, but if your exploit can survive the app being suspended then, as most people rarely reboot their phones, you can get pretty long-lived sessions too.


Contrary to popular belief, iPhones and Android phones have really poor security and new exploits are discovered all the time. So a properly formatted text message is all that's required these days.

It's like in the dotcom days when 90% of the web was open to SQL injection.


It’s not at all like in the dotcom days. Unlike SQL injections, these aren’t low skill attacks that can be mounted by skiddies.


You are right in that these attacks take more skill or a little bit of money, so in that regard it's not the same.

But in multiple ways I think it's the same; like that it's obvious that security is still not a priority when building the software and that you as a user have to assume that the platforms are compromised.


No it’s not. I don’t think you realize the skill gap.

There is no SQLmap for iPhones, and a “Metasploit” for iPhones costs tens of millions and requires you to be able to negotiate contracts on a state level…

The amount of money and skill that is required to identify these vulnerabilities and develop them into functional exploits is pretty insane.

It goes well beyond what even basic RCE due to say unsafe deserialization in Java requires.

Anyone without any knowledge in programming could probably learn how to identify and exploit a SQL injection even without automated tools within days if not hours.

On the other hand even experienced developers look at something like FORCEDENTRY and can barely comprehend it.


Any reasonably complex piece of software will have vulnerabilities. In other words, vulnerabilities are not a variable for the security equation, they are a constant. When designing something, vulnerabilities will exist. Generally, vulnerabilities, on their own, are not a great indication of how security is prioritized internally in any company.


When security researchers report SERIOUS security bugs to the manufacturers, as has happened again and again over the last years, without them acknowledging or fixing them for many months, then I think it's safe to say they don't really care about security.

You can go and talk about complex software and how vulnerabilities will always exist as much as you want, but there is no excuse for these big companies to not fix major bugs like this within a week from when it's been reported. I don't care if that means that the developers have to postpone their fancy AI face recognition feature that will make your face look like an emoji. NO EXCUSES.


I actually wish NSO Group would sell their spying software to absolutely anyone willing to pay them money for it.

I’m not okay with anyone at all having it, so maybe if everyone could have it, the industry would have to get their shit together and actually patch the exploits.


Did you read about the ForcedEntry exploit? They implemented basically an entire emulator inside of one pass of an obscure PDF compression algorithm. It’s perhaps the most complicated hack I have ever seen by an order of magnitude at least.


Meanwhile, they take a 30% cut from developers and force everyone to buy a new phone every year. Microsoft's monopolization of Windows is child's play in comparison to this phone racket.


Nobody is forcing anyone to buy a new phone every year.

iPhone 5S, released more than 8 years ago, is still getting updates.


My iPhone 7 is a hand-me-down that I got 3 years ago. I see no reason to upgrade until it A) dies or B) stops receiving security updates, at which point I’ll probably just get another hand-me-down from someone who likes new things more than I do.


Depends on the version of the phone, but usually either receiving some message (there have been some zero-click iMessage exploits) or clicking a link in one.

For example https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage...


Could be anything from clicking a malicious link, receiving a malicious message, or a 0-click we don't know about yet.


C buffer or stack overflows are the most common exploit vector.
