How about Android?
How secure is it?
Cherie Blair tipped off a Jordanian princess that the royal's estranged husband, the Sheikh of Dubai, had deployed NSO Group's Pegasus malware against her and her lawyers, a series of explosive High Court judgments [PDFs] have revealed. Set against a backdrop of kidnappings, espionage and a bitterly contested child custody …
You just need to buy a Chinese Android phone that is banned from any connection to Google and its 3 letter friends - then you know it's only spied on by the Glorious People's Revolutionary Army of Peace and Prosperity for all Toiling Peasants
(sorry my phone seems to do that when ever I try and write anything about The Great Leader )
The Amnesty International link in the story to the analysis doesn't paint a great picture:
"In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former. As a result, most recent cases of confirmed Pegasus infections have involved iPhones.
While iOS devices provide at least some useful diagnostics, historical records are scarce and easily tampered with. Other devices provide little to no help conducting consensual forensics analysis. Although much can be done to improve the security posture of mobile devices and mitigate the risks of attacks such as those documented in this report, even more could be achieved by improving the ability for device owners and technical experts to perform regular checks of the system’s integrity.
Therefore, Amnesty International strongly encourages device vendors to explore options to make their devices more auditable, without of course sacrificing any security and privacy protections already in place. Platform developers and phone manufacturers should regularly engage in conversations with civil society to better understand the challenges faced by HRDs, who are often under-represented in cybersecurity debates."
So Android has fewer forensic traces accessible, and therefore makes exploits like this harder to diagnose.
This needs to be addressed and fixed IMHO.
It is more of a status symbol thing with iPhone, if you wish to consider that comparison. There are plenty of high-end Android phones out there, no need to purchase a "cheap Chinese Android" phone if you wish, what with Samsung Folds, gold-plated diamond & ruby Samsung / Caviar S20's, etc available.
It's because NSO was sloppy in its attempts to cover its tracks from a couple of SQLite process accounting databases used by Apple to track network activity per app (so they can report to you network usage in the Cellular control panel, presumably), or did not vacuum the databases to expunge the deleted rows from the filesystem. I'm sure they've fixed that now that the Amnesty International and Citizen Lab methodology has been published.
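The point about deleted rows lingering until the database is vacuumed can be shown directly. The following is an added example for this thread, not code from the article or from any of the tools it mentions: it builds a constructed accounting-style table (the ZPROCESS/ZPROCNAME names and the process names are made up and do not reproduce Apple's real schema), deletes one row, and compares what a SELECT reports with what a raw byte scan of the file still recovers, with and without a VACUUM.

```python
"""Why deleted rows linger in a SQLite file until VACUUM, and how an
investigator can still recover them by scanning the raw file bytes.
Added example for this thread; the table and process names are constructed
and do not reproduce Apple's real schema."""
import os
import sqlite3
import tempfile

# Constructed stand-in for a process name that an intruder would want gone.
SUSPICIOUS = "constructed.example.suspicious-agent"
# Constructed indicator list an investigator might bring to a scan.
INDICATORS = [SUSPICIOUS, "constructed.example.other-agent"]


def recover_names(path, candidates):
    """Return the candidate strings present in the raw file, bypassing SQL.
    This sees free-block residue inside pages that SELECT cannot."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return {name for name in candidates if name.encode() in blob}


def visible_via_sql(path, procname):
    """What a plain query reports for the process name."""
    conn = sqlite3.connect(path)
    try:
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM ZPROCESS WHERE ZPROCNAME = ?", (procname,)
        ).fetchone()
        return count > 0
    finally:
        conn.close()


def build_and_scrub(path, vacuum):
    """Create an accounting-style table, delete the suspicious row, and
    optionally VACUUM. The caller then inspects the file."""
    conn = sqlite3.connect(path)
    # Forced off so the demo is deterministic; many builds default to OFF,
    # and that default is exactly what leaves residue behind.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("PRAGMA auto_vacuum = NONE")
    conn.execute(
        "CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT)"
    )
    conn.executemany(
        "INSERT INTO ZPROCESS (ZPROCNAME) VALUES (?)",
        [("constructed.browser",), (SUSPICIOUS,), ("constructed.mail",)],
    )
    conn.commit()
    # The delete only marks the cell as a free block; its bytes stay put.
    conn.execute("DELETE FROM ZPROCESS WHERE ZPROCNAME = ?", (SUSPICIOUS,))
    conn.commit()
    if vacuum:
        conn.execute("VACUUM")  # rebuilds the file from live rows only
    conn.close()


def residue_demo():
    """Run both scenarios and report what SQL and a raw scan each see."""
    workdir = tempfile.mkdtemp()
    results = {}
    for label, vacuum in (("deleted_only", False),
                          ("deleted_then_vacuumed", True)):
        path = os.path.join(workdir, label + ".sqlite")
        build_and_scrub(path, vacuum)
        results[label] = {
            "sql_sees_row": visible_via_sql(path, SUSPICIOUS),
            "raw_scan_recovers": recover_names(path, INDICATORS),
        }
    return results


if __name__ == "__main__":
    for label, outcome in residue_demo().items():
        print(label, outcome)
```

In the "deleted_only" case the query says the row is gone while the raw scan still finds the name; after VACUUM the raw scan finds nothing, which is the difference between deleting a row and actually expunging it. On a real device an investigator would run the raw scan against a copy of the database taken from a backup, never against the live file.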
I'd argue, apart from the valid observations of iPhones being status symbols and additional telemetry DBs on Apple devices, that an Android device is much easier to scrub clean and is a much more widely understood OS vs iOS due to it being an inherently more open system.
As for combating this sort of thing, given the suspicions of rogue cell towers (or just compromised cell towers; it's not like security is much better than on a street light) it seems tricky without reinventing how URLs work. The only thing I can think of that might be effective is to effectively DDoS and destroy the signal-to-noise ratio of the gathered intel through mass infection of devices, but I don't know if an "I'm Spartacus" retaliation would be effective or if it would just cause a lot of collateral damage...
Both Android and iOS are insecure by design. The underlying OS may be securable but the end-user model is that the person holding the gadget can do anything they like. Since most end-users are clueless about IT security, this is about as secure as MS-DOS.
The fix is an explicit distinction between being a user and being an admin. Both OSes could do this but have chosen not to.
If MS want to play in the phone space, they should just release Normal Windows and point out that, firstly, a domain-joined phone could be managed by Group Policy, which might appeal to corporates, and secondly that even a stand-alone phone could be more secure for children simply by withholding the admin password from them.
NSO undoubtedly is controlling both ends of the surveillance. So, the Sheikh deployed the software against his wife, but simultaneously deployed it against himself. The timing of the two tip-offs also suggests that NSO is well aware of any IP-sniffing countermeasures being employed against them.
The details here are much scarier than the bland summary by non-tech outlets. Especially the part where a security firm couldn't even find the stuff. How many layers of expertise do you need for that?
I have several questions. How many people has Cherie Blair personally called about this software? Is it only royals that get that treatment? Activists and journalists have also been targeted, do they get a heads up from Mrs. B? Or just the wealthy and well-connected?
And since it now turns out that the same Sheikh tried to buy property right next door to his ex (bear in mind his form in kidnapping his own kids) resulting in a restraining order, will the British and Irish racing fraternity give him the welly up the arse that he so plainly deserves?
When there were "suspiciously named apps" installed? I can't imagine a supposed mobile forensics company being unable to recognize that and follow up on it. And since when does a root level exploit require "suspiciously named apps"? If your exploit lets you control the OS, why do you need other apps involved at all?
Seems more likely that the British firm has some type of relationship with NSO, at the very least as their customer, and didn't want to tip what they knew and hurt NSO's business by making that public in court (if for no other reason than the publicity would cause Apple to quickly fix those holes, as they in fact did, and ruin NSO's ongoing surveillance for all their other customers unless/until they were able to re-hack their phones with a fresh set of exploits).
Harsh. Pegasus is not your usual malware - there can't be many people on the planet who would have the expertise to dig into it. As stated their lawyers needed a UK firm - they probably found one in the phone book and gave them a call. Hats off to them for saying it's beyond their abilities rather than blustering.
A very serious and informative article on surveillance and counter-surveillance, unlike the versions that have made some news media outlets. Though I find it strange that someone in her position, with such a privileged life and powerful (ex)husband, would spread their life over Facebook and an iPhone just like the plebs amongst us. Frightening that it went as far as her own legal team and advisors, who were not necessarily even in her own country or administration. How did this malware get onto so many phones which should have been subject to high levels of security in the first place?
But without doubt, the most interesting bit was the fact that Dilbert was somehow involved...
"An internet search of PHB led to news stories"
Yes, I bet it did.
> and, legally, had not been instructed as experts for the court proceedings.
Meaning they were probably actually expert.
"Expert Witness" is a rort. It's a job description in itself, a sub-industry of law not any actual technical field, populated by borderline retarded incompetents who've stumbled across the gravy train of legal proceedings and discovered they need merely speak very slowly and authoritatively, throw in some jargon, underline their boffinry by being vague and struggling to explain in simple English matters they pretend are recondite, and above all knowing the legal admin procedures for the case prep period.
As a pungent example, you'll note the duly appointed expert witness, IntaForensics, declared there was nothing untoward about the phone in question. Then got the fuck out of there when they realised the jig was up.
> and, legally, had not been instructed as experts for the court proceedings.
> Meaning they were probably actually expert.

RTFA!
As the Court of Appeal noted, the company is based outside the UK's jurisdiction and therefore its views "would remain confidential to the father and would not be disclosed to the mother or the court."
Put another way, Sygnia could have extracted more data for the sheikh to use against Princess Haya – or even tipped off NSO as to Marczak's precise attribution method, enabling the malware vendor to shut him out in future. Had Sheikh Al Maktoum formally instructed a UK-based expert witness, the underlying data would have been disclosed – but he didn't.
There are plenty of other Pegasus-related cases which, even when discovered, have no active investigation or, even worse, the investigating body turns out to be the same state that deployed it in the first place, like Spain with the Catalan regional government officials.
The not-so-fantastically-named macOS app called iMazing has the Amnesty detection tools integrated. You first need to make a backup, and you can then tell it to run its analyser over it to pick up traces of this infection.
Personally I think that could make for a good feature of the iOS backup process itself.
Biting the hand that feeds IT © 1998–2021