Pegasus spyware found on journalists’ phones, French intelligence confirms (theguardian.com)
404 points by shivbhatt on Aug 2, 2021 | 97 comments



"Bredoux added: “It takes a bit of time to realise it, but it’s extremely unpleasant to think that one is being spied on, that photos of your husband and children, your friends – who are all collateral victims – are being looked at; that there is no space in which you can escape. It’s very disturbing.”"

Welcome to the future! It's pretty much the same as the past, only more effective.


This is why we need competent people at EU level and national governments. The current leadership is very much in favor of such surveillance. In Germany, it is even large parts of the press, which is pretty damning given their profession.


A depressing thought experiment a professor once posited many years ago... Hitler comes to power in the internet era and now has state-of-the-art tools to find people of certain traits, vs manpower and spies to discover them. The ability to go through your entire life's digital footprint. Every picture. Every video you've created, or viewed on a website. Every location you've visited, how long you were there, and who was around you. Everything you've ever searched. Everything you've ever purchased. Every contact you have. Content of email, text, phone calls, etc. All keyword searchable with beautiful charts and graphs showing how you relate to everyone you've ever come into contact with.


It's pretty much what we have in China now.


To the positive spin for China, they tend to target only their fellow citizens and have some internal coherency and moral. NSO is an Israeli national problem that sells the spying capabilities to the highest bidding crook dictator around the world.


> To the positive spin for China, they tend to target only their fellow citizens and have some internal coherency and moral.

This is a terribly disturbing comment to me, who cares that they "tend to only target their citizens?"


If I had to choose, I'd go with China, at least they believe in something.

NSO looms like a modern version of mercenaries, selling 'raid and pillage as a service'. It's like the Spanish conquistadors: kill and steal anything the law does not protect.


> positive spin for China

> moral

Which moral?


There are programmes doing this in the West as well.


We have all that, just without Hitler in power. At least in the US anyway, the government has access, should it become necessary, to a comprehensive catalog of your activities and communications. It's just that they should get a warrant before accessing it, which I'm not naive enough to believe that they do in all cases.

The ship already sailed on the whole "ubiquitous gaze" thing.


> I've heard quite a lot of people that talk about post-privacy, and they talk about it in terms of feeling like, you know, it's too late, we're done for, there's just no possibility for privacy left anymore and we just have to get used to it. And this is a pretty fascinating thing, because it seems to me that you never hear a feminist say that we're post-consent because there is rape. And why is that? The reason is that it's bullshit.

> We can't have a post-privacy world until we're post-privilege. So when we cave in our autonomy, then we can sort of say, "well, okay, we don't need privacy anymore, in fact we don't have privacy anymore, and I'm okay with that." Realistically though people are not comfortable with that. Because, if you only look at it from a position of privilege, like, say, white man on a stage, then yeah, maybe post-privacy works out okay for those people. But if you have ever not been, or if you are currently not, a white man with a passport from one of the five good nations in the world, it might not really work out well for you, and in fact it might be designed specifically such that it will continue to not work out well for you, because the structures themselves produce these inequalities.

> So when you hear someone talk about post-privacy, I think it's really important to engage them about their own privilege in the system and what it is they are actually arguing for.

-- Jacob Appelbaum, http://www.youtube.com/watch?v=Y3h46EbqhPo&t=7m46s


I have known Lenaïg since I worked at Mediapart a few years ago. I feel sorry for her. We were very careful on all security aspects, and it's sad to see it's never enough.


Ironically, users themselves are disallowed from rooting their phones.

Right to root is right to repair.


I'm all for having the right to repair.

I'm not convinced that any of the folks involved having the ability to root would have prevented the situation described.


If you could safely (on the hardware level) replace the image of the phone with another, it would be easy to guarantee that you can get a rootkit-free phone: all you need is a trusted image.


The Pegasus thing didn't even survive a reboot, it was reinstalled by using the 0-day again on a fresh boot. Replacing the image would have done nothing if they were flashing a version that still had the iMessage vulnerability.


But if that iMessage vulnerability was FOSS and you could flash your own image, you could fix it and move on with your life.


> But if that iMessage vulnerability was FOSS and you could flash your own image

1. The vulnerability wasn't FOSS. It was kept under wraps because otherwise it would get discovered and Apple would patch it.

2. What makes you think that amateurs working in their free time can patch 0-days faster than the vendors themselves?


Because these "amateurs" build all the essential tools we rely on today. That wasn't Apple. I cannot really believe what crap I have to read here. Vendor lock in is a huge factor for insecurity in software.


Amateurs behind what essential tools? Tell me a tool and a name. I've been thinking hard for 10 minutes and every FOSS tool I used the past week has highly regarded and well-paid professionals behind it.

Maybe in 1995 it was like that, it's not now.


It's not yet even possible to reliably detect the infection because of the closed nature of the device.

I think I'd like to check my iPhone, but I can't reliably do that.

So that, for a start, would help.


> I think I'd like to check my iPhone, but I can't reliably do that.

But you can, via an iTunes backup.


Reading the dump? That isn't nearly as effective as giving users the ability to administer their system. That is in no way an alternative.


It's not like there are no security vulnerabilities in FOSS apps either.


No, but when they appear, _you can fix them_.


Are there actual hard numbers on whether open-to-all-eyes is beneficial at all scales?

For example, do public eyes actually catch and did more Linux bugs than three letter agencies? And would this situation be worse if Linux were a very well funded, closed source Windows?

I’m ignorant on whether the open source security mantra is founded upon religion or evidence.


Classical FUD.

> For example, do public eyes actually catch and did more Linux bugs than three letter agencies?

Is it so important who found a bug? A TLA can find a bug, and then it has a choice: it can use it to spy on other countries, or it can fix it to protect its own country.

Your TLA may choose to leave your country unprotected, but it is the problem of your country.


Sorry, not an attempt at FUD. As I wrote, I’m entirely ignorant on whether there is hard evidence one way or another on the topic.


Although they do contribute, believing three letter agencies wouldn't try to leave backdoors is certainly the former.


> it would be easy to guarantee that you can get a rootkit-free phone

The problem in this case is that you get the malware installed through a no-click required iMessage and not a "supply chain" attack on the image your phone is running on. How would that help?


It could help by simply being sufficiently different. The only reason this type of malware is such a widespread problem is the large monoculture of potential targets. Just like in agriculture (e.g. potatoes, bananas), a monoculture allows a single pathogen to affect an entire crop. In security this is a class break[1].

Utilizing different software implementations limits the scope of this type of attack. The current trend to increasing centralization and forced-update monoculture is a huge gift to malware authors: they only have to write one version of their malware to affect everyone.

[1] https://www.schneier.com/blog/archives/2017/01/class_breaks....


This is a good principle in terms of reducing the overall blast radius of exploits. But to do this the implementations should genuinely be independent.

In practice we may find a monoculture within a hidden layer of the stack other than the one we're optimizing for, such as an OS kernel method, TLS library or chipset which coincidentally has captured the entire market. When a clever enough exploit on a common resource is found, then the problem transforms to one of coordinating patching for the same, wherein a broad ecosystem of higher level components (like Android or PCs) becomes nearly impossible to thoroughly cover. As such malware authors may potentially still get away with writing a single version of their software so long as they target a low enough level. With sufficient fragmentation they don't even need to invent their own exploits, just use publicly known CVEs that they can brute-force against older devices.

(Not saying you're wrong, your recommendation may still be better in the long-run. We're after all weighing the risk level of black swan events, such as a zero-day on a low level of the stack, or a high level of the stack on a high-volume vendor)


On the flip side, having a monoculture is good because you have more eyes looking at the same piece of code.


How many people have seen the iMessage source code? A handful of devs at Apple? Closed, proprietary software by definition prevents "more eyes" from looking. Even if we consider an open source product where having "many eyes" review the code is at least hypothetically possible, a large number of people using the software doesn't imply there is also a large amount of people reviewing it.


> Closed, proprietary software by definition prevents "more eyes" from looking

But we were talking about the general case of monoculture, not closed source monoculture. Even for closed source software, where more eyes are prevented from looking "by definition", having a monoculture can in theory allow more code audits to be done, because of economy of scale.

> large number of people using the software doesn't imply there is also a large amount of people reviewing it.

Right, but roughly speaking, the number of reviewers should monotonically increase given an increase in users. Whether that produces better security overall is anyone's guess. My point was just that there was a counteracting force to consider.


The argument isn't that granting more freedoms to the owner of the device will magically make it more secure in all cases, for most it won't.

The argument is that removing freedoms from owners in the name of security is a false dichotomy because bad actors will still gain the ability to execute arbitrary code whilst owners of devices won't be able to do so.

Also, if I could provide the software I want to run, I'd probably not have iMessage.


It would help because knowledgeable people would get to pick what software they run on their phones and iMessage probably wouldn't be on the list.


Journalists (as here) don't usually get to choose the communication software their sources are comfortable communicating over. They install whatever's required to get the story. And they likely wouldn't install an OS that doesn't let them install such apps.


That's a niche use case. You might not be able to choose what app they require to communicate over, but you can choose what device to install it onto, like a burner, couldn't you? Some apps you might not mind on your personal phone, others you probably do.


Well, yes, but if you think about it, the whole point of a journalist's work phone is just to aggregate a bunch of "burner" accounts. And that's exactly what an attacker would want to steal from a journalist: conversations between them and (or contact details of) another source.

Which is all to say, ideally a journalist would have N phones, one per source. But that's impractical.


Would it? Wouldn't you still need privilege escalation? Having root access is different from being logged in as the root user. Of course being logged in as root comes with all the same security risks as it does if you do this on Linux. But no one uses root as their main account.


You could replace the image with software that doesn't support iMessage, for example.


> all you need is a trusted image

I bet you that image will be provided by the trustworthy people from NSO, free of charge or at a price! Whatever makes you trust their image.

IMHO devices should be root-able but with high barriers to entry; something like soldering should be involved. If you are after doing something that you don't understand but a stranger on the internet told you to do it, you shouldn't be able to do it.

I just want to remind you that quite recently a few police agencies came together, built a "secure messaging app", fed it to the criminals and tracked all their communication until they had gathered enough information to take down their entire operation.[0]

Or the time when the CIA ran a Swiss encryption company.[1]

[0] https://news.ycombinator.com/item?id=27429311

[1] https://news.ycombinator.com/item?id=22297963


So according to you Linux is compromised?


The point is, you wouldn't know unless you have a complete understanding of every aspect of your device and every bit of the software.

Nobody would be installing a Linux kernel and using the phone like that; they would be installing a distro. There are so many vectors of attack: the person who puts the distro together doesn't need to have malicious intent, the supply chain could be compromised.


Probably not intentionally, but there are likely a bunch of 0-day exploits we don’t know about.


You know, it's getting so big and warty that I'd be surprised if it wasn't.


I think it would have, because the primary attack vector is your messaging app. Some Android phones, such as mine, are locked in such a way that this cannot be uninstalled. I can use another messaging app but this one will still run on my phone which means that it can still be exploited.

Unfortunately, the only way to secure my phone because it no longer receives updates is through rooting, but this phone is not a model that can be rooted so my plan is to buy a new phone and root that, and probably remove all text messaging apps or find a way to sandbox them in a secure environment.


It would give you the ability to check at least. Not having root doesn't protect you evidently.

Smartphone landscape of software is a huge failure aside from monetization of apps and user data.


If anything, it would likely make it worse, since you'd now have "convincing the user to install your payload", recreating the phishing problems of desktop platforms.


The device would have to be treated as inherently untrustworthy, like your laptop or a PC in a cafe or library. That is unlike the (Edit: false) current expectation that the hardware and OS of the device are a trusted platform.


Once the system is compromised the best repair is a full reset (and even better swapping the device, in case the restore image has been tampered with ...). Root powers are needed for analysis, but that's nothing a normal user can do ...

But on the larger point: I agree there should be an option for users to replace firmware and become root. But limiting root access makes work for Pegasus and others harder, which is good.


> But limiting root access makes work for Pegasus and others harder, which is good.

It's not enough to "make it harder"; to actually know whether it's a useful mitigation you would have to compare how much harder it makes it with what inconvenience it caused for that. Pegasus has no problem getting root right now. I strongly suspect they have built up a hoard of 0-days to apply in case the current favorite technique is patched (how else could you make a business out of it? If you're running a business you can't allow some other party to control your main product).

So, how much does limiting root access hurt Pegasus? Very little, IMO. A case could be made that it helps them, in the same way that excessive regulation helps large companies, which already have resources and experience dealing with it that smaller companies must overcome to enter the market. Pegasus, and the ability to hack into phones on-demand, may have been largely hidden from the public because it was relegated to a few large players.

And what does everyone get for this? Vendor lock-in, higher prices, less control over your own devices.


>users themselves are disallowed from rooting their phones

What? How's that possible?


In practice, not by law.

Or at least often not by law; there are some stupid laws around WiFi/broadband etc. which can be interpreted to state that it's not allowed for a phone to be sold which can be rooted (without a hack), as the user could use it to set up a WiFi hot-spot which uses non-legal frequencies. This law was made because supposedly that (with routers) is a problem, except it isn't as far as I know, and it was pure lobby work from a certain industry which also loves the user to be forced to use their routers.

(PS: Also country dependent.)


I have seen that some manuals were released and some tools reverse engineered. What is currently the best link for a deep technical overview of how these tools work/worked?


As I did not get any replies, I'll share what I found. If anybody has better or more detailed resources, please be kind and feed our curious minds:

"Technical Analysis of Pegasus Spyware"

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...

"Pegasus Spyware"

https://en.wikipedia.org/wiki/Pegasus_(spyware)

"The Million Dollar Dissident"

https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...


Taki taki, beratna!


Im ta nating!


So basically it can install itself after clicking a link in a web browser.

I know it's very hard but could the browsers be improved so that something like this is virtually impossible?


"Forensic Methodology Report: How to catch NSO Group’s Pegasus"

https://www.amnesty.org/en/latest/research/2021/07/forensic-...
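The report above describes checking a phone backup for published indicators of compromise, which is also what the earlier "you can, via an iTunes backup" reply is pointing at. The following is an added example, not code from the thread, Amnesty or NSO: it shows the core of such a check, matching URL hosts and process names extracted from a backup against an indicator list. Every domain, process name and backup record below is a constructed placeholder, not a real Pegasus indicator; a real run would load a published IoC feed and records pulled from the backup databases.

```python
"""Added example: match backup artefacts against an IoC list (placeholders only)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed placeholder indicators. A real scan would load these from a published feed.
IOC_DOMAINS = {"ioc-domain-a.example", "ioc-domain-b.example"}
IOC_PROCESSES = {"placeholder-proc-a", "placeholder-proc-b"}


@dataclass(frozen=True)
class Finding:
    kind: str       # "url" or "process"
    value: str      # the artefact that matched
    indicator: str  # the indicator it matched


def host_matches(host, domains):
    """Return the matching indicator for an exact host or a parent-domain match.

    Substring matches are deliberately rejected: "notioc-domain-a.example" must not
    match "ioc-domain-a.example", but "a.ioc-domain-a.example" must.
    """
    if not host:
        return None
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def url_host(url):
    """Extract the host of a URL (lower-cased, port stripped); None if unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def scan_backup_records(records, domains=IOC_DOMAINS, processes=IOC_PROCESSES):
    """records: iterable of (kind, value) pairs, e.g. ("url", ...) or ("process", ...)."""
    findings = []
    for kind, value in records:
        if kind == "url":
            hit = host_matches(url_host(value), domains)
        elif kind == "process":
            hit = value if value in processes else None
        else:
            hit = None
        if hit:
            findings.append(Finding(kind, value, hit))
    return findings


# Constructed sample records standing in for Safari history URLs and process names
# that would be read out of backup databases; all made up for this example.
SAMPLE_RECORDS = [
    ("url", "https://news.example.org/article/1"),
    ("url", "https://a.ioc-domain-a.example/path?x=1"),  # subdomain of an indicator
    ("url", "https://notioc-domain-a.example/"),         # substring only: must NOT match
    ("url", "https://IOC-DOMAIN-B.EXAMPLE:8443/"),       # case and port are normalised
    ("process", "SpringBoard"),
    ("process", "placeholder-proc-b"),
]

if __name__ == "__main__":
    for f in scan_backup_records(SAMPLE_RECORDS):
        print(f"{f.kind}: {f.value} -> matched {f.indicator}")
```

The parent-domain rule is the part worth getting right: a plain substring search both misses subdomains of an indicator and produces false positives on look-alike hosts, which is why the host is normalised and compared on label boundaries.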


Well, I thought it was only terrorists that were targeted?


One man's journalist is another man's .... ;-)


And the same invariable lie is always used, "oh, don't worry, we're only going to use this against the bad guys". Bad guys only exist in a world without nuance.


"Bad guy" is just not a term that should be trusted when coming from politicians at this point. "Bad" is an opinion in the sport of politics and power, because they are worried about their own hind end, not that of the state at large.


Exactly. 'Bad' and 'terrorist' are just the word play decisions of some politician who surely does not have your best interest at heart.

People are really getting fed up with being lied to on a constant, grand scale.


Terrorists, journalists, only a few letters are different.


Yes, just a word edit distance of 13 (6del, 7adds).

It's the same distance as changing <Freedom> to <Dictator> ;=)

EDIT: Yes I miscalculated, I overlooked the r.


Such trivialities do not matter in a TRULY FREE country, and please look over here, not over there.


Edit distance, sedis shun'ist. They are all ists; what more do we need to know?


NSO customers' definitions of terrorist may not align well with yours.


everyone is a potential terrorist under imaginary laws


A lot of the current world news strikes fear into its readers. Surely that is some kind of terrorism.


Slight OT: the malware indicators of compromise that Amnesty International released have no license, thereby prohibiting use in other projects as far as I understand.

https://github.com/AmnestyTech/investigations/issues/11

If anyone can help on that front it'd be much appreciated.


IANAL but arguably, those indicator files are merely lists of information, and therefore are not subject to copyright. They are not, on their own, a creative work.

https://www.nolo.com/legal-encyclopedia/types-databases-that...


But that page says things like "[when] no judgment is needed to decide which names and addresses should be included". Surely somebody decided what are the things for a classifier to look for, and that would be a creative decision?


Again, IANAL, but a decision whether to add a domain or email address to one of these lists is not a creative decision, it's a mechanical boolean decision. It's a matter of fact, not of creativity or subjective inclusion. The regex pattern they used might be an example of a creative work, but the list of matches is probably not.

In the same sense, recipes are not copyrightable. The thought that goes into composing them may be creative, but the list of ingredients itself is not subject to copyright.


If I were a journalist I'd almost feel insulted if I or at least my organization hadn't been targeted.


How would I factory reset and then cold boot my phone?

I'm very noob wrt firmware and rootkits and even CPU microcode. My understanding is some kind of factory reset is no longer feasible. And certainly no longer verifiable.

--

Ages ago, I proposed that electronic voting machines (tabulators) boot from CD-ROM. The device's ROM would only have a bare minimum boot loader. Imagine some super minimal embedded controller, zero unnecessary features. Mount a CD, run the optical scanner, a few buttons, 2 line LCD panel, dot matrix printer.

Assume 2000s best practices election administration. Scantron style ballots, precinct-based poll sites, tabulation occurs the moment polls close, tabulated results posted publicly.

These CD-ROMs would then be secured, as much as possible, through physical chain of custody. Just like all other election artifacts. They'd also contain a snapshot of the entire source and toolchain and election data, so anyone could inspect them, reproduce the builds, verify the dataset, etc.

My jurisdiction had 100s of poll sites. Instead of programming each ballot scanner, they'd burn CD-ROMs.

Anyway.

I mention this because I think such a simplistic view of secured computing is no longer feasible. And to consider all the things we'd have to give up to return to such a world.

Could I put a phone's entire dev stack onto some WORM media and then reimage the device? What would that even look like?


You can't really be sure about your device, even after a supposed reset. Lenovo, for one, had a way to reinstall its bloat/spyware on its laptops, even after you reinstalled Windows yourself.

https://en.wikipedia.org/wiki/Lenovo#Lenovo_Service_Engine


Is there no regulatory or compliance requirements for surveillance software?

Instead of blaming the victims of pegasus, we should focus our attention on the lack of actions from key policymakers and regulatory bodies. It is not possible for every individual to be a technical expert when it comes to malware removal, but we can reduce the likelihood of misusing surveillance software by creating an ethical framework around it, backed by nations that value freedom and democracy.


I agree that laws are the right way to deal with this - there will always be another vulnerability for bad actors to exploit; technical solutions are not the answer unless you want to move your smartphone at the pace and rigor of the Apollo program - but I see three real challenges here:

1. If NSO enjoy the tacit support of the Israeli government, then they are effectively judgement proof, no different to crimeware businesses that enjoy the tacit support of the Russian government.

2. Major Western governments such as the US will support the Israeli government for "bigger picture" reasons, and potentially implicitly the NSO. Particularly if the NSO are "only" facilitating the torture and murder of journalists who upset the Saudi government. So again, whatever national laws or international agreements may be in place don't really matter. Much as you'll never see a Blackwater mercenary in front of the war crimes tribunal in the Hague, you'll never see the NSO charged anywhere.

3. More broadly, there have been solid international frameworks for cracking down on, for example, money laundering. The AMLAT treaties are quite effective for money laundering, not so much for finance of terrorism. No nation outside of Canada has designated ISIS-like organisations as terrorists, subject to finance controls, for example. Trying to get an effective, multilateral agreement on how to handle tools that many governments want cheap access to in order to attack their enemies will be quite the challenge.


> Is there no regulatory or compliance requirements for surveillance software?

Nope! It's not even clear if Pegasus and its employees broke any laws. (Though I would love to see CFAA and copyright law tested against this.) Optimistically, this might be the wake-up call to change that.


IANAL but lots of countries have laws against gaining access to computing devices or data without prior authorisation.



We have a lot of laws against dragnet surveillance. They didn't help at all, as there is no consequence for breaking them.

Even if they are found guilty, policy makers have noticed that this too hasn't any effect at all. They just need to craft an exception et voilà it is allegedly legal.


Not having your system locked down would be the first problem that needs solving if you want to combat malware.

Forget regulatory compliance, we didn't get safe http traffic or disk encryption by listening to policy makers. That isn't a general indictment, they just are too slow and their motivation is compromised on the topic of surveillance.


To me, it would seem that this kind of software trips over all kinds of European laws and directives. Hell, it probably trips over all kinds of wiretap laws in the US.

Is it that nobody is filing these or just that the revelations are too new and that the lawyers are just beginning to spin up?


but remember, NSO is just doing the dirty work that needs to be done /s

They're knowingly selling to untrustworthy organizations knowing they'll be used for criminal purposes. They're criminals, and should be treated as such.


Yeah. They are like unlicensed gun sellers who have a surprised pikachu face when that gun turns up in a murder investigation.


I wonder what would have happened to windows phone/lumias if things had turned out differently.

I also wonder if there was something like that when windows mobile was on the market.


I imagine NSO would have developed WinMo exploits and ported their implants to Windows Phone. They'd pretty much reuse the same C&C servers, and their clients would target those phones just as they do for iPhone and Android.


I’m not sure why it would be any different.


Could a Pegasus infection be detected with something like Little Snitch or LuLu for iPhones? In my mind, it'd be suspicious if some application was sending gigabytes of data over the wire.
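As an added example of the volume-based idea in the comment above (not code from the thread or from any of the tools named in it), here is the check a per-app egress monitor could run: compare each app's outbound bytes for the current window against an absolute ceiling and against that app's own historical median. The per-app byte counts are constructed sample data, and the app names are placeholders.

```python
"""Added example: flag apps whose outbound traffic volume is anomalous (constructed data)."""
from statistics import median

# Constructed per-app outbound byte counts for six previous days; not real measurements.
SAMPLE_HISTORY = {
    "photos":         [2_000_000, 1_500_000, 3_000_000, 2_200_000, 1_800_000, 2_500_000],
    "mailclient":     [800_000, 900_000, 700_000, 1_000_000, 850_000, 950_000],
    "weather":        [100_000, 120_000, 90_000, 110_000, 105_000, 95_000],
    "mystery-daemon": [50_000, 40_000, 60_000, 45_000, 55_000, 50_000],
}

# Constructed counts for the current day, including two anomalies and one unknown app.
SAMPLE_TODAY = {
    "photos": 2_400_000,
    "mailclient": 1_100_000,
    "weather": 1_500_000,            # ~14x its own median
    "mystery-daemon": 3_200_000_000,  # bulk transfer, over the absolute ceiling
    "fresh-app": 500_000,             # no history at all
}


def flag_egress(history, today, absolute_bytes=1 << 30, ratio=10.0, min_baseline=100_000):
    """Return {app: reason} for apps whose outbound volume looks anomalous.

    Three rules, checked in order:
      1. absolute ceiling: more than `absolute_bytes` in the window is flagged regardless
      2. ratio rule: more than `ratio` times the app's own median, where the median is
         floored at `min_baseline` so near-idle apps are not flagged on tiny fluctuations
      3. unknown app: no history and at least `min_baseline` bytes sent
    """
    flagged = {}
    for app, sent in today.items():
        past = history.get(app, [])
        if sent >= absolute_bytes:
            flagged[app] = f"sent {sent} bytes, above absolute ceiling {absolute_bytes}"
        elif past:
            baseline = max(median(past), min_baseline)
            if sent >= ratio * baseline:
                flagged[app] = f"sent {sent} bytes, {sent / baseline:.1f}x its baseline {baseline:.0f}"
        elif sent >= min_baseline:
            flagged[app] = f"new app with no history sent {sent} bytes"
    return flagged


if __name__ == "__main__":
    for app, reason in flag_egress(SAMPLE_HISTORY, SAMPLE_TODAY).items():
        print(f"{app}: {reason}")
```

A volume rule like this catches bulk transfers but says nothing about an implant that exfiltrates slowly or only when the device is idle, and it presupposes a vantage point that can attribute each flow to the process that opened it; both limits should be kept in mind before treating a quiet monitor as a clean bill of health.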


So it was the French. /s


RFI and France24 did some reporting a few days ago how everyone from activists to journalists were targeted, see: https://www.france24.com/en/technology/20210718-private-isra...


Is there a way to check Android devices for infections yet?



