from Hacker News

iMessage, Apple Music used by NSO Pegasus to attack journalist iPhones

by esens on 7/19/21, 2:28 PM with 168 comments

  • by 3pt14159 on 7/19/21, 3:22 PM

    I dated a journalist once. She used some random free app for phone calls because recording calls isn't built into iOS and she needed to record calls. I suggested a small device for her to plug her headphones through, but she declined.

    I'm sure there's a few journalists out there that take cybersecurity seriously, but I'd wager the vast majority are pretty trivially monitored.

  • by wolverine876 on 7/19/21, 4:19 PM

    > However, it is unlikely that Pegasus will be a problem for the vast majority of iPhone users. While the tool is used as intended against criminals by governments, the attacks against innocent people are seemingly against those who could be critics to a regime, including journalists and human rights activists.

    Attacks against the freedom of others and critics of government are a much larger threat to ordinary people than if they were surveilled themselves.

  • by coldcode on 7/19/21, 4:04 PM

    Just because it was only used to target journalists, supposedly, does not mean someone could not also target random individuals. I doubt NSO has such control over their customers that the uses can't be expanded to almost anything, like blackmail, theft and harassment.

  • by sneak on 7/19/21, 3:04 PM

    This coupled along with the fact that iMessage's E2EE has been backdoored by the non-E2EE iCloud Backup key escrow is a good argument for leaving iMessage, FaceTime, and iCloud all turned off on a device.

    I go one step further and leave the SIM card out, which means the SMS vulnerability path is closed too.

  • by nonameiguess on 7/19/21, 3:51 PM

    Apple needs to make it possible for users to choose other ways of sending and receiving messages and listening to music, or of choosing not to do either of those things if they don't want to. Obviously, you can currently install and use other applications that provide the same functionality, but you cannot uninstall or disable defaults.

    The most shocking experience to me in trying to evaluate the Mac ecosystem when they released the M1 and I bought a Macbook Air is being in meetings where I'm using bluetooth headphones, take the headphones off and put them back on, and music.app automatically opens and comes to the foreground of my desktop. There is no supported way of disabling this user-hostile anti-feature. I look on Google and StackOverflow and all of the suggestions for how to disable it dating back to 2014 or whenever no longer work. Apparently, the likely answer is turn off System Integrity Projection, reboot, rename or remove the file containing the application launcher, turn SIP back on, and hope that doesn't break anything else and hope Apple doesn't revert your changes on the next system update.

    That did not seem worth it. The fact that Apple Music can and has been used as an attack vector makes it even worse that it is so tightly integrated with the audio subsystem of the hardware as to take over your device thanks to movements you are making in the physical real world even when you may not be touching the device at all.

    I just can't understand what the thought process was in making this a default behavior, let alone one that cannot be disabled.

  • by comodore_ on 7/19/21, 4:38 PM

    there are apparently 50k names in that list, last I've checked they confirmed ~180 journalists are among them. spying on journalists is atrocious, but who are the other 49.800?

  • by skarz on 7/19/21, 8:02 PM

    I like the end of the article, he says "its concerning, but unless you happen to be a major critic of a government, you probably won't be a target of the spyware tool"

    Yeah, okay.

  • by j45 on 7/19/21, 4:40 PM

    I wonder if there is a way to disable iMessage and iTunes usage.

    With windows server I used to have a target of balance in any attack footprint.. if Microsoft provided the OS, the component services that the server exists to provide should always try to be third party software (db, web server, etc) to try and minimize one type of escalation vulnerabilities… while possibly opening up to another, hopefully less worse set of holes.

  • by max_ on 7/19/21, 3:28 PM

    Time for a cyber security focused smartphone?

  • by hugh-avherald on 7/19/21, 4:02 PM

    An intelligence agency cannot have the following properties simultaneously:

    (1) The ability to detect espionage from China and Russia (2) The inability to access journalists' phones

    If you want an intel agency to be able to thwart Chinese intelligence activities, you can't also publicly state you won't be looking closely into members of a profession who act a lot like spies.

  • by TravisHusky on 7/19/21, 8:20 PM

    I have never heard of MVT (Mobile Verification Toolkit) before this article, but now I may just have to test it out; seems like an interesting project.