Update your iPhones, iPads right now – govt spy tools exploit vulns

Apple has pushed out an emergency security update for iPhones, iPads and iPods after super sophisticated spyware was found exploiting three iOS vulnerabilities. The iOS 9.3.5 upgrade plugs three holes that, according to researchers, are being used right now by the Pegasus surveillance kit – a powerful commercial malware …

  1. Randy Hudson

    It's time for Apple to allow users to install 3rd party browsers that run as regular sandboxed apps, so that browsing the web doesn't end up installing a root kit

    1. Anonymous Coward
      Gimp

      That'll be the day!

      You'll be suggesting they should allow their flock to dump iTunes next, you crazed heretic.

      Requisite icon seems extra appropriate today ---->

      1. ThomH Silver badge

        When's the last time anybody was compelled to use iTunes? iOS 4, maybe?

        Switching to a non-WebKit browser, were Apple to stop being so controlling, would also appear to answer only one out of three vulnerabilities?

    2. Anonymous Coward
      Anonymous Coward

      3rd party browsers

      have been available on iPads & iPhones for quite a while now.

      iCab, Opera, Firefox, Chrome immediately spring to mind (plus a few obscure ones).

      1. Jordan Davenport

        Re: 3rd party browsers

        "iCab, Opera, Firefox, Chrome immediately spring to mind (plus a few obscure ones)."

        Of those, only Opera can kinda sorta claim to be a different browser since it does most of its rendering on remote servers. All the rest you just named are just re-skins of Safari with different features and lacking the faster of the JavaScript engines.

        1. Ed 11

          Re: 3rd party browsers

          I think all browsers have access to the faster JavaScript engines now, and I feel like they have done for a while.

      2. Planty Bronze badge
        Stop

        Re: 3rd party browsers

        I think you have been fooled by Apple's pathetic spin. All those browsers you mention are forced to use Apple's webkit (and slow JS engine), so you are still using Safari, but with a Chrome skin.

        Essentially this is the downfall, the sample exploit will work on ANY iOS browser, as you aren't actually using any other browser...

  2. NoneSuch
    Coffee/keyboard

    Reporters who must be plotting some sort of terror plot, obviously. Maybe they were planning on telling the truth about various governments. The horror. The horror.

    1. ThomH Silver badge

      No, no, no. The anti-terror legislation is for monitoring alleged benefits cheats, isn't it?

    2. phuzz Silver badge
      Alert

      If it's not terrorists then it must be pedos. Won't someone please think of the children! etc.

      1. Anonymous Coward
        Facepalm

        WTF? Are they cracking down on pedometers now?

        Where will it end?

        1. Version 1.0 Silver badge

          Makes a change from pediatricians

  3. Anonymous Coward
    Anonymous Coward

    A speedy patch release

    for Apple. Usually, they seem to take an age to issue patches.

    1. DougS Silver badge

      Re: A speedy patch release

      The last few years they have been VERY quick to release security patches, especially for something like this.

      1. TheVogon Silver badge

        Re: A speedy patch release

        "The last few years they have been VERY quick to release security patches, especially for something like this."

        Presumably because jailbroken iPhone = potentially lost AppStore sales.....

    2. Lord Elpuss Silver badge

      Re: A speedy patch release

      Apple are generally the Usain Bolt of the patch world. Pretty damn speedy. (And screwing everything they can when they think they can get away with it)

  4. Anonymous Coward
    Anonymous Coward

    We'll never be "safe, safe", so lets keep our freedoms instead.

    People need to wake up and realise that no security in the world will make things "safe" from someone determined to cause physical harm (you need to look (and be interested) in the causes why these people want to cause you physical harm in the first place)

    But it definitely will instead eventually control you and your life, to a point you're locked down in a dead end job, paying most of your disposable income away in (statistically head clipping) fines for parking/speeding etc because CCTV/ANPR Cameras supposedly in place to make you 'safe', are actually turned against you, to control you and more importantly, control the people/activists that speak against the grain, against such technology.

    Technology supposedly used for "security" is today, eroding democracy, locking down people in the UK, rather than acting as an enabler for people to reach their true potential. It's been used for profiling, stereotyping and keeping people in their place.

    We've passed the tipping point, it's about time the UK population started being far more sceptical of Theresa May's motives regarding all this extra "security to keep you safe" mantra. You'll wake up in virtual chains, and wonder why you didn't speak up earlier.

    1. if(i == alive) { live_free = true; government = NULL; }

      Re: We'll never be "safe, safe", so lets keep our freedoms instead.

      Absolutely spot on, although you can anonymise yourself to some degree by not registering your car, having a trader's policy and not putting it on the MID etc. Living in that grey area at the edge of the law really winds them up and is the best that people can do as individuals. Hopefully one day there will be enough individuals to form a big enough group and to fight back for our freedoms and our democracy (there are signs of fledgling ones now, but nothing near big enough).

      I always said that leaving the EU is just the beginning and the walk to freedom is a very long one, but at least we now appear to be on the right path and every day will take us a step closer (whether we use peaceful or violent methods to get there will entirely depend on whether the politicians listen; so we will just have to wait and see).

      If the worst comes to the worst then on the plus side we know that the government has a propensity to rely on youth as their cannon fodder, so we can be thankful that the vast majority are snowflakes.

      1. ZSn

        Re: We'll never be "safe, safe", so lets keep our freedoms instead.

        Leaving the EU is just the beginning? So instead you want Theresa May unencumbered by anything like social justice? I must point out that in Germany and Austria they even fine you if you take pictures of people from the dashboard of your car.

        1. Anonymous Coward
          Anonymous Coward

          Re: We'll never be "safe, safe", so lets keep our freedoms instead.

          So presumably I shouldn't have sneaked a pic of a Pokemon chatting breezily to local military brass at national Army Day ? Not DE though ;) No way is that going on the Net, don't want to end up in the Brig.

      2. tiggity Silver badge

        Re: We'll never be "safe, safe", so lets keep our freedoms instead.

        Leaving the EU likely a road to *less* freedom, previously there was a chance of EU acting as some form of brake on the worst UK excesses of invading its citizens' privacy.

        Now May et al will not have to pay lip service to any pro privacy strictures (ditto workers' rights, environment, anything resembling sensible long term strategy etc.).

        I'm no fan of the EU (just like I'm no fan of the house of lords) but they at least meant some dubious govt legislation did not sail through quite as easily / had to be amended

        Disclosure: voted remain solely in hope of retaining a bit of sanity control on UK gov!

  5. Jerry G.

    Phone Security

    If you want to have privacy and security with a phone Blackberry is the way to go. With Blackberry we don't hear about these problems like we are hearing about with the others. This is why governments, medical field where privacy is a concern, leaders of countries, and high position people in corporations only use Blackberry.

    I myself and my family have been using Blackberry. I have no issues with this phone, and I feel very secure with it.

    1. Nick Collingridge

      Re: Phone Security

      Probably because no-one else buys Blackberrys, so no-one bothers to try and develop malware for it and no-one is looking for vulnerabilities. It is highly unlikely that Blackberry have some sort of secret technique that enables them to develop totally clean and attack-vector free code. You are probably safe, but not because of the technology - more safety through the fact no-one is interested.

      Regarding this iOS security update - there will not be a vast rush of malware targeting it because not only have Apple quickly released an update to fix the vulns, but also because as is usual a very high percentage of iOS devices will quickly be updated. So no vast number of vulnerable devices out there for malware developers to target.

      If this were Android, however, that would not be true, and it won't be until Google re-architect enough to be able to roll out generic updates to fix vulnerabilities. As a result the malware developers can jump on new zero day vulnerabilities in the knowledge that there will be a vast number of devices to attack.

      1. Daniel B.

        Re: Phone Security

        Blackberries are used by top level government officials. The surface area may be small, but there is definitely an interest in hacking these devices.

        The NSA was unable to hack Angela Merkel's Blackberry. That should show how well they fare.

        1. TheVogon Silver badge

          Re: Phone Security

          "The NSA was unable to hack Angela Merkel's Blackberry"

          Uhm no. They WERE able to monitor it. For years:

          https://www.theguardian.com/media/2015/jul/02/wikileaks-us-spied-on-angela-merkels-ministers-too-says-german-newspaper

          1. Daniel B.

            Re: Phone Security

            Ah, the MS shill chimes in.

            No, they weren't able to hack her Blackberry. They did hack her other handset, a Nokia 6260 Slide. The Blackberry Z10 wasn't.

            http://www.theatlantic.com/international/archive/2013/10/all-the-chancellor-s-phones/280913/

    2. Anonymous Coward
      Anonymous Coward

      Re: Phone Security

      Or of course a Google Nexus. Just as secure as a Blackberry. Android 7 patch level August 5th on all my devices, and file level encryption

    3. if(i == alive) { live_free = true; government = NULL; }

      Re: Phone Security

      I have a feeling that is the reason why Blackberry have pretended to abandon BB10. I think that BB10 will become a proprietary OS sold only to high security organisations. I know that the UK police are looking for a replacement for BT Airwave (TETRA) radios and have been considering 4G options. A hardened version of BB10 with BES would fit the criteria. Chen isn't as stupid as he sounds.

      1. Emperor Zarg

        Re: Phone Security

        I always assumed that the BES or BIS server had a direct connection to Fort Meade. Canada is one of the Five Eyes, so a high degree of cooperation should be expected.

        1. JetSetJim Silver badge
          Black Helicopters

          Re: Phone Security

          Blackberry has always allowed Legal Intercept into its consumer service - they weren't allowed to sell in India until they caved to the govmt

        2. bitmap animal

          Re: Phone Security

          AFAIK if you set your own key in BES then it's secure. Using the default key may not be, I don't know the details though.

    4. Anonymous Coward
      Anonymous Coward

      Re: Phone Security

      I know I am considering a BB for my son. It's more secure and it's so butt ugly I won't ever have to worry about him being that guy on an episode of 16 and pregnant. A remarkably effective form of birth control.

      1. Anonymous Coward
        Anonymous Coward

        Re: Phone Security

        I hate to break it to you, but even with an iPhone he won't be able to get pregnant.

        :)

    5. TheVogon Silver badge

      Re: Phone Security

      " you want to have privacy and security with a phone Blackberry is the way to go. "

      It really isn't. There have been well over 80 known security vulnerabilities so far in Blackberry OS 10 - versus ~ zero in Windows Phone 10. For instance the US government apparently had no issues in spying on the Germans when they were using Blackberry...

      And now Blackberry are moving to a "secure" version of Android - that's going to be like trying to keep water in a colander with a sieve....

      1. Anonymous Coward
        Pirate

        Re: Phone Security

        Um, there'll be no publicly known vulnerabilities in M$A's moribund WinPho platform, if that's actually the case, simply because no one has bothered to analyse one.

        Why would anyone waste their time? Are you seriously suggesting the obvious fact that nobody's bothered to look for them is somehow proof that it isn't crammed full of exploitable errors and NSA backdoors RICHTO? How wonderfully quaint. Hope you get a big bonus this week.

        "Security by obscurity" is no security at all.

        1. Anonymous Coward
          Anonymous Coward

          Re: Phone Security

          >> simply because no one has one to analyse one.

          Lots of companies are using them so they would interest hackers. For instance the FTSE 100 I currently work for recently replaced over 5000 BlackBerrys with Windows Phone (640)

          If you search it, there has been some public analysis by recognised hackers / security experts that has concluded that WinPho is one of the most secure mobile platform options...

        2. TheVogon Silver badge

          Re: Phone Security

          "Um, there'll be no publicly known vulnerabilities in M$A's moribund WinPho platform, if that's actually the case, simply because no one has bothered to analyse one."

          They have sold over 100 million of them I seem to recall. If they were trivial to exploit we would likely have seen evidence by now.

          "somehow proof that it isn't crammed full of exploitable errors and NSA backdoors "

          Nope, but less of a worry than other mobile platforms that WE KNOW have lots of security issues!

          1. Anonymous Coward
            Joke

            Re: Phone Security

            100000000/2000000000 = 5%

            All time total winpho "sales" = ~5% of current smartphone ownership!??!?!!!

            Hahahahahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhh ---->

            I bet that "sales" figure of yours includes all the ones M$ wrote-off and dumped into landfill themselves too ("sales" to self) hahahahaha ahhha hah aahah ah ah hahha ah aha ahhhhahahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhhhahahahaha ahhha hah aahah ah ah hahha ah aha ah hahahahaha ahhha hah aahah ah ah hahha ah aha ah hhhahahahaha ahhha hah aahah ah ah hahha ah ahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhh

          2. Anonymous Coward
            Anonymous Coward

            Re: Phone Security

            I wonder what MS's Windows Phone sales were for the most recent financial quarter and 12 months...

          3. Anonymous Coward
            Anonymous Coward

            Re: Phone Security

            Why is this iThing thread suddenly about pushing MS Windows?

      2. Anonymous Coward
        Anonymous Coward

        Re: Phone Security

        Yeah, probably Symbian is pretty secure right now too :)

    6. JCitizen
      Devil

      Re: Phone Security

      That's funny? Then why did Obama have to fight his staff, and government security enforcers, tooth and nail to keep his Blackberry? I would have thought it would be the other way around? I don't know what brand they were pushing, but I suppose they wanted conformity to help in security SOP. The other side of the coin would be kind of like having a Hillary private server in the office?

  6. AlexS
    Coffee/keyboard

    The milk tray man in photo

    Do all hackers wear burkinis?

    1. Anonymous Coward
      Anonymous Coward

      Re: The milk tray man in photo

      Only in San Jose.

  7. asdf Silver badge

    time to eat crow or shit I guess

    Just going on the record non anon after flinging so much poop about Stagefright to say this is almost as bad. Still requires visiting a booby trapped web site as opposed to just receiving an unsolicited text and granted the vast majority of iThings will be patched much quicker (hell probably half of Android devices in wild still vulnerable to Stagefright) but it is still far from acceptable. Guess security by obscurity and lack of apps (best way to prevent malware is have a garbage app store nobody visits) is the way to go via WP or BB 10 if want high security.

  8. J J Carter Silver badge
    Windows

    Safe and secure...

    Using my Microsoft Lumia 950

    1. Patrician

      Re: Safe and secure...

      "Using my Microsoft Lumia 950"

      HEHEHEHE! Oh, you weren't trying to be funny?

    2. Planty Bronze badge

      Re: Safe and secure...

      LOL. Security by obscurity.

    3. TheVogon Silver badge

      Re: Safe and secure...

      "Using my Microsoft Lumia 950"

      Me too - 950 XL. Couple of orders of magnitude fewer security holes across all versions of Microsoft's mobile OS compared to Blackberry, Android or iOS...

      1. Neil Alexander

        Re: Safe and secure...

        That's a dangerous assumption to make, given that security holes in Windows Phone are much less likely to be as widely published given the comparatively minor market share. That doesn't mean that they aren't there and that the bad guys don't know about them.

  9. Marketing Hack Silver badge
    Linux

    I'm beginning to think carrier pigeon is the way to go

    Or maybe strap a message to Tux's leg.

    1. TheVogon Silver badge

      Re: I'm beginning to think carrier pigeon is the way to go

      "I'm beginning to think carrier pigeon is the way to go "

      Remember the story about the 4 carrier pigeons found by soldiers during the war? They ate 3 of them, and then sent a thank you message for the tasty meal on the 4th....

    2. Preston Munchensonton
      Mushroom

      Re: I'm beginning to think carrier pigeon is the way to go

      I have a pigeon hacking device (rifle) nearby, so caveat emptor...

  10. David 132 Silver badge

    The REAL story...

    ...is that apparently, countries including "United Arab Emirates... Saudi Arabia, Qatar, Turkey... and Bahrain" are buying software from an Israeli company.

    Guess the need to spy on one's own citizens trumps their very public hatred of Israel, huh?

    Now gentlemen, let's all link arms and sing "Kumbayah"....? No?

  11. jzl

    Zero Day

    All these people saying "BlackBerry / Android / whatever is more secure" are missing the point.

    A commenter above said that he was safe because he had a Google Nexus which was up to date with its patches.

    This was a zero-day vulnerability. There was no patch for it until just now.

    They are all but inevitable in all operating systems - it's the nature of software development that such vulnerabilities exist. These vulnerabilities won't be the only ones, and similar ones will exist in Android, Windows Phone, BB10 and BB Classic. That's the nature of the beast.

    The reason to patch now isn't to stop governments spying. They will be keeping a load more vulnerabilities up their sleeves, so if they want you they can already own you. The reason for patching is that once the vulnerability has been published, the great horde of ordinary criminals will pounce on it.

    1. Lord Elpuss Silver badge

      Re: Zero Day

      I don't think the poster was saying he was safe per se because he had a Nexus, he was making the point that because it's a Nexus (and therefore running vanilla, Google-deployed Android) it's patched just as quickly as iPhones. Other Androids are dependent on the manufacturer to release patches; which they do either (a) slowly, (b) very slowly, or (c) not at all.

  12. Planty Bronze badge
    Megaphone

    riddle me this

    stagefright

    quadroot

    Pegasus

    two of these get all the press coverage and have never been actively exploited in the wild, the other is without a doubt the most severe vulnerability ever to have hit mobiles, and whilst now patched on some devices, the amount of data gathered by it is unknown.

    Seems to me like when it's Apple, problems are downplayed (22 comments), when it's Android, even if it's only a theoretical exploit, it's headline news for weeks.

    The press need to start responsible reporting. BBC are the worst, they are in damage limitation mode on this, but the last few Android theoretical exploits have been major smug-fud mode.

    1. Anonymous Coward
      Gimp

      Re: riddle me this

      What would you expect from an arts grad collective? This year's BBC AGM

    2. TheVogon Silver badge

      Re: riddle me this

      "the other is without a doubt the most severe vulnerability ever to have hit mobiles, and whilst now patched on some devices, the amount of data gathered by it is unknown."

      Yep, you could drive a bus through the quadrooter holes. And Android patching is abysmal from most manufacturers....

      We do have some idea though as there have been hundreds of thousands of known Android malware deployments.

      1. Anonymous Coward
        Facepalm

        Re: riddle me this

        > ...major smug-fud mode.

        You just had to say it, didn't you? Looks like you gone and invoked the RICHTO Vogon you tit. :(

        > We do have some idea though as there have been hundreds of thousands of known Android malware deployments.

        Do we RICHTO? How many times greater is that than known WinPhone deployments?

        "Security" by obscurity again?! Haven't you got another pitch?

        1. TheVogon Silver badge

          Re: riddle me this

          "Do we RICHTO?"

          We do:

          http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/

          "How many times greater is that than known WinPhone deployments?"

          Windows Phone total retail sales are something over 100 million. I will let you do the maths...

          1. Anonymous Coward
            Joke

            Re: riddle me this

            > Windows Phone total retail sales are something over 100 million. I will let you do the maths...

            No need!.. someone's already done it for us.

            Gosh! Nearly 0.7% market share!... Who'd have known?! What is that... about a quarter of Linux's share of the imploding desktop sector?

            Well keep plugging away RICHTO... maybe you'll get next year to be the year of M$ Windows on the phone. --->

  13. Anonymous Coward
    Anonymous Coward

    "The agreements signed with [NSO's] customers require that the company's products only be used in a lawful manner," said NSO spokesman Zamir Dahbash. "Specifically, the products may only be used for the prevention and investigation of crimes."

    Ah yes, the eternal excuse. It's not our fault they don't read the contract and use it for unlawful purposes. TL;DR and all that.

    Here's a simple question: how can you tell if it's NOT used lawfully?

    Bonus question: if you discover that, are you really going to sue your customer?

    No, I didn't think so either, so stop the excuses. You know damn well what is going to happen.

  14. Anonymous Coward
    Anonymous Coward

    Freedom.

    Worried about your government pwning your phone? Meh. Worry about the trans-national companies.

    1. Emperor Zarg

      Re: Freedom.

      I've said this before, but I think it's worth repeating...

      The motivation of a commercial enterprise is patently obvious. They want your money and want information about you in order to exploit you as a resource. I make judgements about which commercial enterprises I choose to engage with.

      The motivation of state actors is considerably less transparent and offers no choice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Freedom.

        We seem to be talking about different freedoms:

        If you are an anti-state actor (doughty freedom-fighter or terrorist subversive - only those who write the history will be able to report the difference) then yes, you need to worry about your state interfering with your computers (pocket or any other sort). You also need to worry about many other things.

        Most of us are not anti-state actors. But it seems many have given what appears to be un-informed consent to the trans-nationals to control what's on their computers.

        More people in the UK access Facebook every month than voted in the 2015 general election.

        Yes, worry about freedom. Worry about the influence of the trans-nationals.

  15. Hans 1 Silver badge
    Stop

    It is 2016 and your computing device can get 0wned by a link

    cd title

    > A victim simply has to click on a bad web link to start an infection.

    How can that be deemed "sophisticated" ... seems to be pretty straightforward ...

  16. Bob Gateaux

    This will be the problem when you have the iOs based on Linux. We can always see this problem kind when the open source is in use because of the easy way of seeing the codes and working them out. This is why we always never use the free Linux at our professional software company. We all have the Windows phones for best safety.

    1. TheVogon Silver badge

      "the open source is in use because of the easy way of seeing the codes and working them out"

      You know you can look at the Windows source code too via Microsoft? Publicly available code might be of marginal assistance to a hacker, but they are able to quite happily find holes in closed source code too. I would also note that available source code doesn't seem to make software more secure as is often claimed - see the recent many years old holes on OpenSSL, BASH, etc.

      "We all have the Windows phones for best safety."

      Don't disagree there, but it's got little to do with availability of the source code imo...

  17. Anonymous Coward
    Anonymous Coward

    What about those not on iOS 9? Is iOS 7/8 affected and if so will they be patched or is Apple's line that all users just have to update to latest iOS 9 or dump your device?

  18. itzman
    Big Brother

    No apple devices were used in the preparation of this post

    In fact, I can proudly say that after a dabble with OS/X and a G3, I hope I never own another Apple device ever again.

    Solutions to problems I never knew I didn't have.

  19. Aodhhan Bronze badge

    The SKY IS FALLING

    Don't you just love those who over do worrying in an above and beyond means to display drama?

    Let's say the NSA is using this, do you really think they are looking at YOU? Or... perhaps using it against terrorists and not so friendly nation states?

    Let's face it, you're not really THAT important.

    1. Anonymous Coward
      Anonymous Coward

      Re: The SKY IS FALLING

      Against? :D

  20. Ilsa Loving

    On the upside...

    At least Apple's providing an update. :P I know if I were still using my Samsung Galaxy S3, I would have been SOL years ago.

  21. Goopy

    News to you!

    I heard this story last Wednesday, why is it in Monday's list so late?
