Stop and UPDATE your iPhones to iOS 14.8 NOW!!! We @citizenlab recovered NSO Group's FORCEDENTRY zero-click exploit (CVE-2021-30860) from the phone of a Saudi activist, and shared w/ Apple, who released iOS 14.8 today with a fix.
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria…
NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s…
Phone logs show that (at least some of) the iOS 13.x and 14.x zero-click exploits deployed by NSO Group involved ImageIO, specifically the parsing JPEG and GIF images. ImageIO has had more than a dozen high-severity bugs reported against it in 2021.
BlastDoor is a great step, to be sure, but it's pretty lame to just slap sandboxing on iMessage and hope for the best. How about: "don't automatically run extremely complex and buggy parsing on data that strangers push to your phone?!"
Here are some instructions we released (in Arabic and English) on how to check if your phone was targeted by KINGDOM, the Saudi-linked operator of NSO Group's Pegasus spyware.
Wow... Kaspersky apparently managed to obtain an iOS kernel exploit from the #Triangulation attack! Just patched as CVE-2023-32434 in iOS 16.5.1. That's pretty much "as good as it gets" in terms of capturing an exploit chain.
New @citizenlab report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him
Wow! NSO seemingly failed to password-protect their server hosting oodles of location-tracking data from their pandemic-fighting (read: mass surveillance) Fleming system. Exactly the kind of breach you don’t want when your core business is secrecy...
Because the 0-clicks they're using appear to be quite reliable, the lack of traditional "persistence" is a feature, not a drawback of the spyware. It makes the spyware more nimble, and prevents recovery of the "good stuff" (i.e., the spyware and exploits) from forensic analysis
Wow... The UAE and Saudi governments have gotten so much data from hacking phones with NSO’s Pegasus spyware that they don’t know what to do with it all. So, NSO has hired Israeli military veterans to help them. Blockbuster report from @Haaretz. haaretz.com/israel-news/.p…