'Zero-Click' Hacks Are Growing in Popularity. There's Practically No Way To Stop Them (bloomberg.com)
With people more wary than ever about clicking on suspicious links in emails and text messages, zero-click hacks are being used more frequently by government agencies to spy on activists, journalists and others, according to more than a dozen surveillance company employees, security researchers and hackers interviewed by Bloomberg News. From a report: Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel's NSO Group. Bloomberg News has learned that at least three other Israeli companies -- Paragon, Candiru and Cognyte Software -- have developed zero-click hacking tools or offered them to clients, according to former employees and partners of those companies, demonstrating that the technology is becoming more widespread in the surveillance industry.
There are certain steps that a potential victim can take that might reduce the chances of a successful zero-click attack, including keeping a device updated. But some of the more effective methods -- including uninstalling certain messaging apps that hackers can use as gateways to breach a device -- aren't practical because people rely on them for communication, said Bill Marczak, a senior research fellow at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology.
BlackBerry (Score:4, Insightful)
Hey, remember when RIM made the BlackBerry and focused entirely on enterprise and government security of their messaging platform? But then decided to drop all of that to chase the "app" market that Google and Apple were in, but failed horribly at that, and continued to abandon their actual successful side of their business!?
I'd do just about anything to 100% entirely abandon Android and iOS right now and go instead to a modern BlackBerry OS (and no, not their re-skinned Android).
RIM made all of the social media apps in-house rather than relying on the social media companies to make their own. Everything had a super clean, simple, minimalist, and FUNCTIONAL interface without any bullshit getting in the way. This was when phones peaked.
From the article... (Score:2)
"...zero-click exploits that could be used to hack iOS, Android and BlackBerry phones, in addition to Windows computers."
There seem to be a few things conspicuously absent from this list. Like, for example, Linux. And dumbphones.
Re: (Score:2)
I have no doubt that if the authorities decided the target was important enough, they could find a way to get into even Linux phones like the PinePhone, Librem 5, Nokia N900 and others.
Re: (Score:2)
Re: (Score:2)
I miss my blackberry. :( :( :(
Re: BlackBerry (Score:2)
Re: (Score:2)
"Candiru"? (Score:2)
Re: (Score:2)
If you think about it, it's a perfect name for a zero-click hack tool.
But YIKES!
Be Afraid! Be VERY Afraid! You Must! We Say So! (Score:1)
They need the apps to communicate..... (Score:2)
Re: They need the apps to communicate..... (Score:1)
I keep saying it (Score:3)
Any computer should be considered as compromised by the user.
No way to stop them? (Score:2)
You mean no non-lazy way?
"Communication" (Score:4)
Since everything's now movies, gifs, emoticons, and all sorts of other bullshit, there are a LOT of vectors that can be exploited.
If you just need communication, then what about, you know, text. Less attack vectors, and it's something we've been doing for centuries.
Re: (Score:1)
no can do, userbase is now an ocean of Septembers, gotta hook everything up to everything else, automate everything (user-side and coder-side) with lots of blind trust
this is necessary so we can emoji it up and have your facetweets automatically show up while you're tiktoking instagrams - turns out an ocean of Septembers is more lucrative than practical people's productivity, so we'll be building in their direction not yours
Re: (Score:3)
"Since everything's now movies, gifs, emoticons, and all sorts of other bullshit, there are a LOT of vectors that can be exploited.
If you just need communication, then what about, you know, text. Less attack vectors, and it's something we've been doing for centuries."
And how often do people complain here that /. doesn't support Unicode?
What version of 'text' are people proposing?
Less attack vectors doesn't mean safe. Just ask little Bobby Tables.
Why Haven't We... (Score:5, Interesting)
...seen this used by activists?
No, seriously. Think of how fast NSO, Candiru (LOL, WTF?!) and Cognyte would get shut down if a few dozen Senators and representatives had their phones penetrated, and their Grindr profiles, lewd texts, draft Tweets posted by their Russian handlers, and shady financials got posted to the Internet for all to see?
Come on, people. Level up, here.
Re: (Score:3)
I would guess it's because activists don't have the money to buy such tools.
Also, probably the people in power are protected up to a point, either because the tools have blacklists that make them inoperative on devices identified as being owned by people in power, or because semi-automatic processes review the information being extracted and prevent it from reaching the tool's user if it matches certain names, contents, etc.
Which of course doesn't prevent the toolmaker from gathering said data and using it at so
Re: (Score:2)
Lewd texts, tweets with Russians, shady financials... The only other thing you need to win a Republican primary is for NBC Universal to give you a reality TV show.
We need a forced disclosure law (Score:3)
And one that in particular gives the impacted vendor the right to sue anyone to force disclosure of bugs to them. Apple and Meta should be able to sue NSO into the ground and force them to disclose every method they use against their products and services.
Re: (Score:3)
Please don't invent DMCA 2.0 - the current version is bad enough.
Re: We need a forced disclosure law (Score:3)
You want to force the intel community to give up its technical edge? Good luck with that bro
Treat your phone as already compromised (Score:5, Informative)
Personally I try not to use the phone for anything important. There is no way to secure the phone as it is "protected" from you. I can make sure that my PC does not have bad things on it by looking at the processes, running antivirus and such. I also can harden it against attacks by installing security updates and using ad blocker and script blocker. For my phone I do not have any options. For security updates I have to rely on the manufacturer who does not give a flying hoot. Phone in its current state is a horrible device from the security point of view.
Re:Treat your phone as already compromised (Score:4, Insightful)
If somebody starts using your credit card it's reassuring in a way because you know something odd is happening and you can presume that the device you used for payments has possibly been compromised - for petty crime, that is.
The main problem with the situation described in tfa is that there is no way to know whether your device, lest it be a phone or a computer, has been compromised or not, since there is no apparent payload.
I wouldn't assume a personal computer, even with a hardened operating system, is more immune to compromise than the average smartphone, if one is on the watchlist of the kind of people who use the kind of software described in the article.
Re:Treat your phone as already compromised (Score:4, Interesting)
This doesn't work. People are vulnerable in myriad other ways than "bank account". Plus, you grossly oversimplified the bank access threat model because there are any number of ways that a compromised phone could be used to gain sensitive information that could be used for identity theft. Focusing on the blatantly obvious (bad/infected banking app might steeel ur moneeez) is not going to lead people to good decisions.
We need to start asking Why the phones (& PCs) are so insecure, Why are there Computer Science depts with immense funding at every university who drone on about updating frequently, "don't click strange links" and all the tired nostrums.... when they should be innovating new types of computer architectures that are fundamentally more secure?
That 'no-click' is even an ongoing theme in infosec should be a giant red flag that there is something sorely lacking with current computer architecture. My assessment is that the spiraling complexity of apps and certain middleware is not being strategically managed by security mechanisms – that are vastly less complex.
My own personal response on the PC has been to move to Qubes OS, which essentially puts an isolated GUI on a small bare-metal hypervisor, and everything interesting to the user runs in unprivileged, hardware-enforced VMs.
Phones don't yet have such an option; the best response is to use a more secure laptop (see above) for sensitive stuff and also slice out the phone's internal microphone(s), which means a headset must be used for conversation. The next step up from this would be physical (not programmed) on/off switches for certain hardware (wireless, mic & sensors); Purism has attempted this, although their execution is years late and I wouldn't recommend them.
certain messaging apps (Score:5, Interesting)
"including uninstalling certain messaging apps that hackers can use as gateways to breach a device"
Any chance of naming those "certain messaging apps"
Re: certain messaging apps (Score:5, Insightful)
Re: (Score:2)
stupid paywall (Score:3)
http://web.archive.org/web/202... [archive.org]
Re: (Score:2)
Click? You insensitive clod! (Score:3)
I use elm/lynx.
The solution being .. (Score:2)
Good Times Virus (Score:2)
In the early 90s, messaging clients (e.g. Email, IRC, etc.) didn't auto-execute code by design, and didn't take external content outside of the message in question. At worst,
Re:Good Times Virus (Score:4, Informative)
Yes and no.
Email clients didn't execute on emails without user interaction, but many people had a procmailrc file that had procmail process emails without user intervention and if you could send emails that exploited a procmail bug you would almost certainly have been able to compromise a large percentage of computers on the internet in the 1990s.
Re: (Score:2)
Procmail as such, as far as I can recall, didn't have any bugs that could be directly exploited through a specially crafted E-mail.
However, obviously people could create procmailrc files which acted on incoming E-mails, and yes, you can then create something which perhaps takes unvalidated information from the E-mail and then executes a command based on that. Actually creating procmailrc scripts that are vulnerable in this way is hard though (none of the examples do this).
Sendmail, OTOH, had an infamous re
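The pattern discussed in the two comments above (a mail filter that acts on a message without user interaction and builds a command from unvalidated header text) is shown here as an added example that is not part of the original thread. The Python functions are a hypothetical stand-in for a filter rule, not procmail syntax, and the sample message is constructed.

```python
import re
import subprocess
from email import message_from_string

# Constructed sample message: the Subject carries shell metacharacters.
SAMPLE = (
    "From: sender@example.org\n"
    "To: user@example.org\n"
    "Subject: lists; echo INJECTED\n"
    "\n"
    "body\n"
)

# Allowlist for folder tags taken from a header (assumed policy for this example).
SAFE_TAG = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def tag_from(raw):
    """Return the Subject header of a raw message, as a filter rule would."""
    return message_from_string(raw)["Subject"]


def file_unsafe(raw):
    """Vulnerable pattern: header text is pasted into a shell command line."""
    cmd = "echo filing into " + tag_from(raw)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def file_safe(raw):
    """Hardened pattern: validate against the allowlist, then pass as one argv item."""
    tag = tag_from(raw)
    if not SAFE_TAG.fullmatch(tag):
        return None  # reject: a real filter would fall back to default delivery
    out = subprocess.run(["echo", "filing into", tag], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(repr(file_unsafe(SAMPLE)))   # the shell runs a second command
    print(repr(file_safe(SAMPLE)))     # rejected by the allowlist
    print(repr(file_safe(SAMPLE.replace("; echo INJECTED", ""))))
```

The unsafe variant lets the sender of the message decide what the shell runs; the hardened variant never involves a shell and refuses any tag outside the allowlist.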
SECURE COMPUTING is the solution. (Score:1)
As long as we have PURPOSEFULLY insecure systems so that surveillance malware can be injected (NSA TURBULENT and TURMOIL programs - see Snowden's book for details) this sort of thing is going to keep happening.
The internet and our computing has turned from an information system to a surveillance system - because you having information is not good for those who want to surveil you.
So, what are the technical details? (Score:2)
The article gives none and the comments here are no better.
You can use what I use. (Score:1)