An Israeli company, the NSO Group, which sells hacking solutions to governments to allow them to access people’s tech, has found a way to get around iOS security. So if you’ve got an iPhone or an iPad or anything else running iOS, go to Settings, then Software Update, and download and install the patch that Apple pushed out yesterday!
Major Major Major Major
And a shout-out to Apple for patching this super fast!
Mary G
You big-footed Walter. Bad Adam.
Punchy
So my Apple IIc is still vulnerable? Bastids.
Major Major Major Major
@Punchy: Nah, anything air-gapped is safe.
middlelee
My iPhone is used for texting and phoning only. Is it still vulnerable?
debbie
@Major Major Major Major:
Air gap?
MattF
@middlelee: I think texting has one of the vulnerabilities being patched. Anyhow, I just did the update. Usual deal, through iTunes.
singfoom
@middlelee: Yes. Update it to 9.3.5.
Major Major Major Major
@debbie: A computer that isn’t connected to a network.
There are of course ways around it.
Fake Irishman
@debbie: It has no connections to a network.
NonyNony
@debbie: “Air gap” is fancy techie talk for “not connected to the Internets”. Cause there’s a physical separation between the Internet and the machine.
Back in my techie days we also referred to computers that were connected to the “Sneakernet” – as in you had to walk over to them with a disk if you wanted to transfer a file off of them.
Major Major Major Major
@middlelee: @MattF: Anything that might link you to anything. So text, email, web, apps, honestly there’s probably even a way to do it with tone dialing on a phone call.
singfoom
If anyone is interested, here’s the context behind the vulnerability: It was all for the UAE to spy on one human rights campaigner.
The choice quote from the post:
Citizen Lab Link
? Martin
Two points:
1) This is a targeted attack. There’s no evidence anyone has tried to mass infect devices using this exploit. It’s the kind of thing that governments use to target individuals (the target that revealed the malware was Ahmed Mansoor). It’s a very fortunate fluke it was even caught, and exploits like this are exposed to very few targets specifically to prevent them from being discovered and patched. Apple should make a sizable donation to Human Rights Watch and Citizen Lab in return.
2) Apple has shut down key components of this malware remotely even without the patch. It’s not a full fix, but Apple has the ability to remotely disable code execution in situations like this. Basically every piece of code that runs on iOS needs to have a key that allows it to run. Apple can revoke that key so the next time your phone checks in with Apple, it’ll mark that code as unable to execute. What the patch does is close the holes that allowed the code to be loaded onto the phone in the first place.
This particular exploit probably cost a few million dollars to acquire. Zero day exploits for iOS typically run about $1M on the open market, depending on what they can do (I understand the NSA is the largest buyer of these exploits). This particular combination was pretty much the worst case scenario for Apple to have to deal with – it exposed the entire device. The good news is that it’s too valuable for some Russian script-kiddie to get ahold of and cause mayhem with. This was reserved for governments to do spycraft. A lot of government agencies around the world just lost an important tool to them (too bad, so sad).
Adam L Silverman
@middlelee: Yes.
Baud
@singfoom: I’m thankful human rights defenders are too elitist to use Android.
eversor
@major
Except there was nothing fast about this. The bug has been around for years. The fix they pushed out was delayed. This is slow, shoddy, and ignoring security. Which is the normal with Apple across the board.
The only “smart phones” that had or have any sort of security worth talking about are Blackberry and hardened Android. If you are not using those, assume the phone can be compromised easily. At best, it’s a walking video camera and microphone pointed at you 24/7 with a GPS tracker built into it as well. And that’s if you’re not keeping credit card information on it and loading up pictures to iCloud… which also gets hacked all the time.
None of the big three operating system vendors are saints (Apple, Google, Microsoft). But when it comes to security, Apple is the worst by a massive margin and has largely skated by due to a small footprint (nobody really used them for anything worth anything) and consumer ignorance. But all of them require professional hardening to even be quasi secure, which also involves not using a lot of their features and avoiding a lot of the activities people want to use them for. Even then, it’s not secure against a government or professional entity.
Adam L Silverman
Rick Perlstein is far too nice a guy when he does TV. Someone needs to get him toughened up!
Major Major Major Major
@Baud: ahem.
Baud
@Major Major Major Major: Meh.
Lizzy L
I have a cheap Android phone on which I make phone calls when I’m away from my landline, send e-mails when I’m away from my computer, check FB and post, text very very rarely, and occasionally take a photo. No business, no banking, no shopping. I save all that for the d/t computer. The laptop is for what I’m doing right now. I have no idea how safe any of my info is.
redshirt
My Android just crashed after this update!
I’m running windows 3.1.
Major Major Major Major
@redshirt: you need to upgrade to Windows ME.
Lizzy L
To add to my comment at 22: I have ESET Security on both computers, which has served me quite well. And yeah, my OS is Windows 10.
Baud
Speaking of phone security, I posted this earlier but got no responses. I’ll be traveling soon and will be connecting to wifi hotspots with my phone. I downloaded a VPN app for better security. Betternet is the one I chose based on play store reviews and description. Any thoughts?
dmsilev
One big advantage Apple has over Google (i.e. Android) in the smartphone wars is that they can push out a security update like this and have it go directly to everyone with a vaguely recent iPhone (the 4S, the oldest iOS 9-compatible device, was released 5 years ago). On the Android side of things, with the exception of Google’s Nexus line, security updates flow from Google to the hardware vendors to the telephone carriers and only then to the end users, and it can take anywhere from days to never for that to complete.
Villago Delenda Est
The only secure computer is one that is in the original sealed shipping container.
And frankly, we’re not very sure about those.
This applies to iPhones and other small computing/communications devices.
Baud
@dmsilev: Agree. Updates are my biggest problem with Android.
redshirt
@Major Major Major Major: Will it make my Android more compassionate?
Major Major Major Major
@redshirt: that depends on whether you went with humanoid, dog, or spider when you picked out the android’s chassis.
Earl
@? Martin: To be really clear: random people on the internet are not getting hacked with unknown iOS 0-days. Those things are valuable — for the best, like this, you can sell them for $1m+ ea / nonexclusive to many takers. And there’s almost certainly more where those came from. OTOH, if you’ve pissed off a nation-state, you’re probably going to get hacked.
We could, say, mandate the NSA disclose these to Apple/Goog so they can be fixed, but they’d rather hack people with them.
debbie
@Major Major Major Major:
Thanks. Boy, you ignore all tech stuff for a year or two, and it becomes a totally foreign language. Though I love Sneakercraft!
redshirt
@Major Major Major Major: It’s a galaxy. Barred spiral, to be precise.
Major Major Major Major
@? Martin: @Earl: you still shouldn’t walk around with an unpatched phone.
Anoniminous
@redshirt:
@Major Major Major Major:
CP/M 86 — the only way to fly.
schrodinger's cat
@Anoniminous: Slide rule is the way to go, says I.
Anoniminous
@schrodinger’s cat:
At one time I owned one of those 6 foot by 18″ slide rules that were used as teaching aids. Had to take it outside to use it. The reactions of passersby were marvelous to behold.
Fun times, fun times.
Major Major Major Major
@Anoniminous:
Way to dehumanize grad students.
EBT
Air gapped should really only be used to describe hardware that 1. has never been connected to any network and 2. lacks the physical ability to ever connect. Anything else is a vulnerability.
Major Major Major Major
@EBT: and the Apple IIc fails this test how?
dmsilev
@Major Major Major Major: I think you could get a modem for the thing, though I doubt it was standard-issue.
Major Major Major Major
@dmsilev: by extension anything is networkable with a hacksaw and soldering iron.
redshirt
@Anoniminous: Now that’s obscure! I had to look it up.
I like referencing Win3.1 because at the time I loved it and had it mastered, then the Corporate Overlords shoved Win95 down my throat and I hated it. HATED IT! For a while. Over a short period of time I began to see the wisdom of the changes.
I keep this memory to remind myself that I too can get stuck in a rut of the past, unwilling to accept the changes of the future simply because they are “change”.
Earl
@Major Major Major Major: Sure, but the point is this: if they could hack you yesterday, they can hack you today. Patches or no.
I'mNotSureWhoIWantToBeYet
@Baud: Saw your note on an earlier thread but don’t really have an opinion about it. We use some sort of Cisco thing at work, but I’ve not used VPN otherwise.
Google is bringing some new VPN stuff to Nexus devices soon.
Good luck.
Cheers,
Scott.
Major Major Major Major
@Earl: sure, and there’s always rubber hose cryptanalysis for even the most hardened system. I guess I don’t see your point. This is a public exploit, those are bad, they released a patch the next day, you should install it.
burnspbesq
@eversor:
You might want to disable your Holier than Thou, Know-It-All Asshole app.
middlelee
@Adam L Silverman:
Thanks. And thanks to all who answered.
Baud
@I’mNotSureWhoIWantToBeYet: Thanks. I’ve heard VPN talked about a lot, but never had occasion to try it out. Hope it works.
Mnemosyne
@Earl:
Isn’t that like saying that a really determined car thief could figure out a way to steal your car, so you shouldn’t bother to lock it?
Miss Bianca
@Mary G: What, only JC is allowed to Bigfoot around here?//
WaterGirl
@Baud: I saw that at least 2 or 3 people replied to your earlier query. One person said their browser has VPN built in and all you have to do is enable it. Sorry, I forget what browser they used!
kdaug
@Baud: Get a burner, and leave it there
kdaug
@Villago Delenda Est:
The one you built yourself
randy khan
@eversor:
So there’s security and security.
iOS devices that aren’t jailbroken have a layer of protection that Android does not, in that apps are screened through the App Store before you can download. It’s not perfect, but it’s fairly hard for serious malware to get through. Android malware is everywhere.
Also, as pointed out by others, Apple pushes updates directly to your phone; you don’t have to wait for your carrier to decide to send one to you. Equally important, a very wide range of iPhones can run the latest version of iOS, unlike Android, which generally seems to be compatible only a generation or two back. Not to mention, of course, the data encryption on iPhones.
All of these factors are more relevant to the standard use patterns for mobile devices than the question of whether somebody could sneak a zero day onto your phone via some means other than an app. The requirements are different from a small group of specialized users, but most of us don’t fall into that group.
frosty
@schrodinger’s cat: No one ever hacked my K&E Log Log Duplex Decitrig, now did they?
frosty
@EBT:
Years ago, at an employer where we were first networking word processors and then PCs, the IT guy in charge of the mainframe liked to say “As soon as you put a wire in it, it’s mine.”
Some Dude
@frosty: aka, Bastard Operator From Hell:
http://ow.ly/GVvq303DwzF
The Other Chuck
@Major Major Major Major:
Tends to be hard to conduct covert surveillance that way tho.
BruceJ
@frosty: Cool. Send an email with one. I’ll wait :-)
BruceJ
@frosty:
I’ve long taught the three rules of computer security:
1: If you let the bad guys physically touch your computer, it’s not your computer anymore.
2: If you let the bad guys run a program on your computer, it’s not your computer anymore.
3: If you let the bad guys convince you to run their program on your computer, it’s not your computer anymore.
? Martin
@Earl:
We have. But they can classify the exploit and not have to release under the law. Basically they only disclose the stuff that isn’t useful to them any longer (which is a lot) – that is, anything that’s in the wild.
And Major is of course correct – always, always, always patch. Always.