Security Expert: Apple's Lockdown Mode Still Defeats Commercial Spyware
26.10.2023 - 03:43
/ pcmag.com
There aren’t many easy jobs in information security, but protecting people against nation-state attackers is the hardest of them all. And yet security researcher Runa Sandvik did not sound hopeless during a conference talk about governments aiming commercial spyware at reporters, activists, and opposition politicians.
One reason: The Lockdown Mode that Apple shipped with iOS 16 still seems to block the worst sorts of commercial spyware.
“I am not aware of any compromise of a device using Lockdown Mode today,” Sandvik said in the keynote that opened Mitre Corp.’s ATT&CKcon conference in Virginia. “It is the best defense that we have today for Pegasus and Predator.”
Pegasus is the name of the notorious Android and iOS spyware developed by NSO Group, an Israeli firm that has drawn widespread scorn for selling this tool to such oppressive regimes as Saudi Arabia; Predator, a spyware tool with similar capabilities, is the work of Cytrox, a firm with operations in Israel and Hungary.
(Reports have revealed that US government agencies such as the Drug Enforcement Administration and the FBI considered and then rejected using Pegasus as late as 2021. The government has more recently put NSO, Cytrox, and other commercial spyware developers on the Commerce Department’s export-control Entity List, and in March a Biden administration executive order banned most government use of these tools.)
Both Pegasus and Predator have infected targeted phones without any action by the user, in what’s called a “zero-click” attack. Sandvik, founder of the security consultancy Granitt, whose experience includes helping develop the Tor anonymity network and hacking a “smart” rifle, outlined some especially creepy cases.
In one, New York Times reporter Ben Hubbard received a WhatsApp message in June 2018 asking him to cover a protest outside Saudi Arabia’s embassy in Washington. If he had followed the link in that message, it would have sent Pegasus to his phone. A later investigation by Citizen Lab, a project hosted at the University of Toronto, established that Hubbard’s phone had been zero-click hacked in 2020 and 2021.
(Sandvik worked as a security consultant for the Times from March 2016 until October 2019, when she left and tweeted that the paper had told her it didn’t need “a dedicated focus on newsroom and journalistic security.” In her talk, she mentioned her role at the paper, but did not go into detail about her exit.)
In another case, Artemis Seaford, a member of Meta’s trust and safety team with dual US and Greek citizenship, had her phone infected with Predator spyware in 2021, shortly after Greek intelligence services had placed her under a secret wiretap that ran for about a year.
The attack vector was a text message