Journalist's Phone Hacked: All He Had To Do Was Visit a Website. Any Website. (thestar.com)
The iPhone that Moroccan journalist Omar Radi used to contact his sources also allowed his government to spy on him (and at least two other journalists), reports the Toronto Star, citing new research from Amnesty International.
A Slashdot reader shares their report: Their government could read every email, text and website visited; listen to every phone call and watch every video conference; download calendar entries, monitor GPS coordinates, and even turn on the camera and microphone to see and hear where the phone was at any moment.
Yet Radi was trained in encryption and cyber security. He hadn't clicked on any suspicious links and didn't have any missed calls on WhatsApp — both well-documented ways a cell phone can be hacked. Instead, a report published Monday by Amnesty International shows Radi was targeted by a new and frighteningly stealthy technique. All he had to do was visit one website. Any website.
Forensic evidence gathered by Amnesty International on Radi's phone shows that it was infected by "network injection," a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.
Two more human rights advocates in Morocco have been targeted by the same malware, the article reports.
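The symptom Amnesty describes in the story above (a cleartext request answered by a redirect to an unrelated site before the real page loads) is something a defender can look for in captured traffic. The following is an added example, not code from Amnesty, the Star or anyone in this thread; the log format, the `HttpExchange` record, the `flag_injections` helper and the hostnames in the sample (including `injected-site.example`) are all constructed for illustration.

```python
"""Heuristic detector for injected cleartext redirects in captured HTTP traffic.

Added example, not part of the original story or thread. It flags responses
where a plain-HTTP request to one site came back as a redirect to a different
registrable domain, which is the pattern the Amnesty forensics describe.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class HttpExchange:
    scheme: str              # "http" or "https" as requested by the client
    host: str                # host the client asked for
    path: str
    status: int              # response status code
    location: Optional[str]  # Location header value, None if absent


def parse_log_line(line: str) -> HttpExchange:
    """Parse one line of the constructed log format:
    '<scheme> <host> <path> <status> <location-or-dash>'."""
    scheme, host, path, status, location = line.split()
    return HttpExchange(scheme, host, path, int(status),
                        None if location == "-" else location)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for this sample; a real tool
    should consult the Public Suffix List so 'co.uk'-style TLDs work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_redirect(ex: HttpExchange) -> bool:
    # Injection needs cleartext: an on-path box cannot rewrite a TLS response
    # without a certificate the phone trusts, so only plain HTTP is in scope.
    if ex.scheme != "http":
        return False
    if ex.status not in REDIRECT_STATUSES or not ex.location:
        return False
    target_host = urlsplit(ex.location).hostname
    if not target_host:
        return False  # relative redirect, stays on the same origin
    # Same-domain redirects (typically http -> https upgrades) are normal;
    # a hop to an unrelated domain is what we want a human to look at.
    return registrable_domain(target_host) != registrable_domain(ex.host)


# Constructed sample traffic (not real captures). Only the third line should fire.
SAMPLE_LOG = """\
http news.example.org /story?id=7 200 -
http www.example.org / 301 https://www.example.org/
http news.example.org /story?id=8 302 http://injected-site.example/landing
https bank.example.net /login 302 https://sso.example.net/auth
http blog.example.org /post 302 /post/
"""


def flag_injections(log_text: str) -> List[HttpExchange]:
    """Return the exchanges that match the injected-redirect heuristic."""
    exchanges = map(parse_log_line, log_text.splitlines())
    return [ex for ex in exchanges if is_suspicious_redirect(ex)]


if __name__ == "__main__":
    for ex in flag_injections(SAMPLE_LOG):
        print(f"suspicious: http://{ex.host}{ex.path} -> {ex.location}")
```

This is a heuristic, not proof: single-sign-on hops, CDN bounces and ad links also redirect across domains, so the output is a triage list. The useful property is the direction of the check: legitimate http-to-https upgrades on the same domain are left alone, while a cleartext request that lands somewhere unrelated is surfaced.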
That's ungood (Score:5, Insightful)
Forensic evidence gathered by Amnesty International on Radi's phone shows that it was infected by "network injection," a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.
Okay, that's pretty fucking horrifying.
Maybe it's time to go back to a flip phone.
Re:That's ungood (Score:5, Insightful)
Is it? Why does "GET URL HTTP/1.1" result in a hacked OS? Is the browser so vulnerable? Or are the low-level OS routines for network access so vulnerable? I hope that is not the case.
Re:That's ungood (Score:5, Informative)
Is the browser so vulnerable?
Yes.
Low-level iOS isn't particularly secure, but it looks like in this case the injection happened when he went to an http site, not an https site. Then the cell tower rewrote the response to redirect the browser to a website with an exploit.
Note that it could have just injected the exploit directly, but separation of concerns. They wanted to use good software engineering.
Re:That's ungood (Score:5, Informative)
Note that it could have just injected the exploit directly, but separation of concerns. They wanted to use good software engineering.
No, they just used an off-the-shelf feature present in most mobile network kit. Nearly any GGSN worthy of its name (and its 4G offspring) is perfectly capable of this feat and perfectly capable of doing it per user. I can't be arsed at the moment to point you to the exact stanza to configure it on Cisco, but it is there. Ditto for others - Nokia, Huawei, Ericsson. You can even load this as a policy in PCRF.
It is not originally intended for this particular purpose though. As a feature it was designed for implementing pay-as-you-go top-up portals. It quite clearly works for other stuff too.
Re: (Score:3)
He had a good blue browser but a red team network connection. On his first web request over the network, the network replaces the HTML file with the desired HTML plus a rootkit install. Checkmate for the red team.
Basically, if any site can expose you to a takeover script, this network can use that bug on first contact.
VPN would keep the URL request secret from the local WiFi network... but that annoying "Please accept our terms of service" redirect could have a rootkit in the page.
Re:That's ungood (Score:5, Insightful)
Can't be *that* good of a browser if it allowed scripting on a random website to install a rootkit. Or that good of an OS for that matter.
Back in the 80s and early 90s you could maybe excuse that kind of sloppiness, we hadn't quite gotten acclimated to the idea that the internet meant a few bad apples anywhere in the world could attack everyone else. But it's been happening for 30 years now, either get on the ball, or get out of the browser business.
Re: (Score:2)
When your adversary is a government, you can assume that they have access to 0-day-exploits for virtually all browsers.
Re: (Score:2)
Can't be *that* good of a browser if it allowed scripting on a random website to install a rootkit. Or that good of an OS for that matter.
Back in the 80s and early 90s you could maybe excuse that kind of sloppiness, we hadn't quite gotten acclimated to the idea that the internet meant a few bad apples anywhere in the world could attack everyone else. But it's been happening for 30 years now, either get on the ball, or get out of the browser business.
Do you really believe any other combination of browser/OS is safe? The exploit surface has *nothing* to do with the one we had in the 80s. There's just too much stuff to secure, it isn't feasible, at least not while being competitive.
Since most users will buy the new shiny thing, no matter how secure, there just isn't a market for a secure OS. Or browser.
Re: (Score:2)
Apple product.
Re: (Score:2)
Is it?
Yes, it is.
-
Why does "GET URL HTTP/1.1" result in a hacked OS? Is the browser so vulnerable?
Apparently.
-
Or are the low-level OS routines for network access so vulnerable?
Why not both?
Re: (Score:2)
Of course browsers are vulnerable. Just think how much complexity is present in a browser. A highly complicated layout engine, parsers and renderers for many types of image and a few types of font, handlers for all the order-switching and character-combining of unicode, a javascript execution engine and likely one for Wasm too, encryption and credential storage - the sheer size of a browser is a guarantee that, somewhere in all that, there will be vulnerabilities.
Re: (Score:3)
What seems a bit strange to me is that these attacks have been going on for quite a while. You'd think that such a serious weakness in the browser would have been plugged by now.
Re: (Score:2)
It would have helped against the cell phone company or ISP redirecting the HTTP request to the malicious website, but you're still vulnerable if you are tricked into visiting that website yourself, VPN or no.
What seems a bit strange to me is that these attacks have been going on for quite a while. You'd think that such a serious weakness in the browser would have been plugged by now.
That's assuming there is a practical way to "plug" this. Do we know that for sure?
Re: That's ungood (Score:1)
Or avoid ancient Android systems if you're worried about privacy.
Re: That's ungood (Score:5, Informative)
"The iPhone that Moroccan journalist Omar Radi used..."
Re:That's ungood (Score:5, Interesting)
Yes, it is. But it was 4 years ago in 2016, and Apple released a patch for iOS not long thereafter. Lesson learnt, you would hope.
What is truly horrifying is that it happened again [wired.com], in 2019. For reasons I don't understand this didn't cause a huge uproar in western social media. Maybe because it was China targeting Uyghur Muslims, so it was "them" being got, not "us". Apple downplayed for that reason, saying The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ... the hacked websites used to exploit the vulnerabilities numbered fewer than a dozen and mainly featured content related to the Uyghur community, a predominantly Muslim ethnic group from China's western Xinjiang region [kimt.com]. So that's OK then.
But to me Apple fucking it up twice in 3 years to that extent is indeed horrifying, and it was the second one rather than this one that drove the point home.
What (Score:5, Funny)
We argued that those redirects were symptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s browser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.
That's a clear violation of GDPR. They need to post a consent popup before continuing with an injection attack. Infiltration without consent is illegal, make sure your company is not doing it.
Re:What (Score:5, Funny)
We argued that those redirects were symptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s browser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.
That's a clear violation of GDPR. They need to post a consent popup before continuing with an injection attack. Infiltration without consent is illegal, make sure your company is not doing it.
Clippy: It looks like you're trying to get hacked. Would you like help?
Re: (Score:2)
That's a clear violation of GDPR
The Funny part must be that Morocco is in Europe, now...
Magic? (Score:3)
I didn't read TFA, but given how many steps someone has to do before installing non-App store software on their own iPhones, can someone care to describe how exactly this is happening?
Re: (Score:2)
The idea that a "walled garden" gives you security is a lie. If someone else holds the keys, it's just a jail.
And so you think that Sideloading gives you more security?
Nothing's perfect; but the security track record of iOS vs. Android speaks for itself.
Re:Magic? (Score:4, Insightful)
I didn't read TFA, but given how many steps someone has to do before installing non-App store software on their own iPhones, can someone care to describe how exactly this is happening?
There is information here we definitely don't have. But given there's a unpatchable bootrom exploit [github.com] available for every iPhone prior to the second-generation SE, and given that Zerodium recently announced it would stop paying for some exploits [slashdot.org] given the sheer number of them currently available, it wouldn't surprise me overmuch to learn that iOS can be compromised remotely without requiring any interaction.
And I say that as an iOS user.
Re: (Score:3)
It's a variation on this, at least in theory: https://en.wikipedia.org/wiki/... [wikipedia.org]
That covers the case that allows someone to see the content sent and received from the phone (assuming that the attacker performing the MITM attack can get a certificate that is trusted by the phone). It doesn't in any way explain how visiting a website (any website, supplied by an attacker or not) can install new software on a client without some sort of authorization prompt. Sure, technically javascript comes down with a web page and is executed, but allowing javascript to make any permanent changes, crea
Re: (Score:3)
1. IMSI catcher-type device spoofs cellphone tower, intercepts browser request, injects payload then redirects to real cellphone tower (NSO make these fake towers)
2. Adversary gains access to network operator. Given that in this case the adversary is the government of the country where the victim resides, and the country is fairly corrupt, that wouldn't seem to be too difficult either.
As a footnote, I don't understand why investigative jo
Re: (Score:2)
The adversary is a government. Seems reasonable to me that they'd have access to 0-day-exploits for all common browsers.
Re: (Score:2)
The hard part for the NSO group is actually getting the target to visit the compromised site without attracting the target's suspicion. Morocco a
Re: Magic? (Score:2)
So basically 'any web site' actually means 'any web site not implementing industry-recommended security practices such as HSTS'?
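The comment above (and the later remark that HSTS offers extra protection against MITM) is worth making concrete, because HSTS has a first-visit gap: a browser only upgrades http:// to https:// for a host once it has seen the header over a valid HTTPS connection, or if the host is on the preload list. The following is an added example, not code from any browser, Apple or anyone in this thread; the `HstsCache` class and the hostnames are constructed to simulate the browser-side cache described in RFC 6797.

```python
"""Simulation of a browser's HSTS cache, added here as an illustration.

Shows why "any web site" in practice means "any site whose HSTS entry the
phone has not yet learned": the very first cleartext request is unprotected.
"""
import time
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


class HstsCache:
    def __init__(self, preload: Iterable[str] = ()) -> None:
        # host -> (expires_at_unix_time, include_subdomains)
        self.entries: Dict[str, Tuple[float, bool]] = {}
        for host in preload:
            # Preloaded hosts are protected from the first request onward.
            self.entries[host.lower()] = (float("inf"), True)

    @staticmethod
    def parse_header(value: str) -> Optional[Tuple[int, bool]]:
        """Parse 'max-age=N[; includeSubDomains]'. Returns None if unusable."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return None
            elif name == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def observe_response(self, scheme: str, host: str,
                         headers: Dict[str, str], now: Optional[float] = None) -> None:
        """Learn an HSTS policy from a response. Per RFC 6797 the header is
        ignored on plain HTTP, which is exactly why injection on a cleartext
        response cannot poison the cache (and why the first visit is exposed)."""
        now = time.time() if now is None else now
        if scheme != "https":
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return
        parsed = self.parse_header(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 clears the policy
            return
        self.entries[host] = (now + max_age, include_sub)

    def upgrade(self, url: str, now: Optional[float] = None) -> str:
        """Return the URL the browser would actually fetch."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        labels = parts.hostname.lower().split(".")
        # Walk from the exact host up through its parents, honouring
        # includeSubDomains only for the parent entries.
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue   # expired policy no longer protects
            if i == 0 or include_sub:
                return parts._replace(scheme="https").geturl()
        return url
```

Walking through it: a fresh cache leaves `http://news.example.org/` as cleartext, so an on-path box gets its one shot on that request; after one valid HTTPS response carrying the header, later http:// navigations to that host (and, with includeSubDomains, to its subdomains) are rewritten client-side before any packet leaves the phone. Preloading closes the gap for hosts on the list; for everything else, that first request is the window the story is about.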
Re:Magic? (Score:5, Interesting)
That still doesn't explain why visiting a website installs software on an iPhone, something which you're only supposed to be able to do from Apple's own App Store and requires jailbreaking otherwise.
"how many steps someone has to do" (Score:3)
We don't have any technical details about what, if anything, happened with the guy, just speculation. We can, however, answer how this kind of thing happens in general.
You mentioned "how many steps someone has to do" and that's the key. You see a vulnerability in the browser that lets someone change the appearance of a web page by injecting CSS, and you don't think it's critical because it only changes the appearance, it doesn't run code from another server or something.
You see another, unrelated, vulnera
Re: (Score:3)
That still doesn't explain why visiting a website installs software on an iPhone, something which you're only supposed to be able to do from Apple's own App Store and requires jailbreaking otherwise.
Because this is obviously happening at a level far below any of the typical "Install an App" calls,
And since it is clearly impractical to checksum the entire OS before and after each and every call, it seems like this type of exploit, which is far beyond the abilities of non-governmental hacking, is unlikely to be quickly detected.
Perhaps iOS (and Android) need to have an always-running, but slow, background process to checksum the OS during idle periods; so that something like this could be caught.
Re: (Score:1)
The same way any other OS gets hacked...
Privilege escalation, privilege hijack, security vulnerabilities. What? You think there are no bugs in iOS? If so, welcome to RDF Anonymous!
Remember, iOS is the only phone where many users WANT a security vulnerability; many in the userbase actively try to break the security of the phone (they call it a jailbreak).
Outside of the Slashdot crowd, iPhone jailbreaking is really kinda rare.
Oh, and Android Users don't "unlock bootloaders" and install Bob-Knows-What OSes?
I have less of an issue with this kind of spying (Score:3)
This is an old problem (Score:3)
Basically if you can control the network immediately upstream of the target, you can control everything the target sees and does. It's the same principle that allows a lot of network security to work: because the security people control the company network they can force all network access to go through the security systems. We normally assume the networks themselves aren't malicious and that we can trust SSL certificates. When dealing with a government, though, those assumptions go out the window. They can compel the network operator to subvert their own network. They can obtain legitimate-seeming SSL certificates for any domain. The only way I know of to guard against this is to use a VPN whose servers are in places any government I'd be worried about can't influence, authenticated by SSL certificates whose fingerprints I can verify by an independent channel and hard-code into my configuration so any impersonation first requires cracking the underlying mathematics of public-key cryptography.
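The last sentence of the post above describes certificate pinning: trust a fingerprint obtained out of band rather than whatever chain the network presents. The following is an added example, not the poster's own setup nor any VPN product's code; it assumes a Python client pinning the SHA-256 of the server's leaf certificate in DER form (`connect_pinned`, `pin_matches` and `PinMismatch` are names made up for this example), on top of, not instead of, normal chain validation.

```python
"""Leaf-certificate pinning on top of standard TLS validation (added example).

A government that can compel a CA gets a certificate the phone trusts, so chain
validation alone does not help against that adversary. Comparing the presented
certificate against a fingerprint obtained through an independent channel
means impersonation now requires matching the pinned key, not just any CA.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


class PinMismatch(Exception):
    """Raised when the server's certificate does not match any pinned fingerprint."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex, no separators."""
    return hashlib.sha256(der_cert).hexdigest()


def _normalise(pin: str) -> str:
    # Accept the colon-separated form that openssl and most UIs display.
    return pin.lower().replace(":", "").strip()


def pin_matches(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """Constant-time comparison of the presented cert against every pin."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, _normalise(p)) for p in pinned)


def connect_pinned(host: str, port: int, pinned: Iterable[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes both chain validation and the pin check.

    Chain validation is kept (create_default_context) so a pin mismatch and a
    plain bad certificate are both rejected; the pin is the extra hurdle.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned):
            raise PinMismatch(
                f"{host}:{port} presented {fingerprint(der or b'')}, "
                f"which is not in the pinned set")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # PINNED_FINGERPRINT is a placeholder: obtain the real value over an
    # independent channel (e.g. read it off the server console) and hard-code it.
    PINNED_FINGERPRINT = "00" * 32
    try:
        with connect_pinned("vpn.example.invalid", 443, [PINNED_FINGERPRINT]) as s:
            print("pinned connection established:", s.version())
    except (PinMismatch, OSError) as exc:
        print("refused:", exc)
```

Two practical caveats. Pinning the whole leaf certificate means every certificate rotation on the server requires shipping a new pin; pinning the public key (SPKI) survives reissuance with the same key and is what most production pinning does. And the pin must be compared with `hmac.compare_digest` rather than `==` purely out of habit: the fingerprint is not secret, but constant-time comparison of credentials is a cheap default to keep.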
Re: (Score:2)
Basically if you can control the network immediately upstream of the target, you can control everything the target sees and does.
Except this is above and beyond that - this also involved planting malware on the target's iPhone without the target having to take any action at all.
Re: (Score:2)
It did involve one action by the target: visiting a web site. Anyone with control over the immediate upstream network can force that visit to always be to a malicious website that can exploit vulnerabilities to infect the device.
Re: (Score:2)
What do you mean with "legitimate-seeming"?
HTTP (Score:2)
Either way, the attacker identifies the phone being targeted and waits for that phone to connect to a website over the cellular data network. The website must use “clear text” which means the URL starts with “http” not “https.”
Stop visiting cleartext websites.
Re: (Score:2)
Either way, the attacker identifies the phone being targeted and waits for that phone to connect to a website over the cellular data network. The website must use “clear text” which means the URL starts with “http” not “https.”
Stop visiting cleartext websites.
Excuse me: At the level of government corruption and conspiracy that this obviously took, how does even something like "certificates" help?
Re: (Score:2)
In addition to data encryption, certificates are used to verify identity of sites and establish trust. Is this the site I intended to communicate with, or is it some man in the middle attack that is going to inject a URL to my phone and take over my network?
OK so internets fault How? (Score:2)
Just my 2 cents
Re: (Score:2)
If I had to guess ... maybe he had automatic proxy configuration enabled. This means that as soon as he connected to the Internet, his phone would first have tried to find a proxy server. Once found, the browser would ask the proxy for every webpage visited. This also allows for a Man-In-The-Middle attack to get around HTTPS encryption. You then inject the malware with the first proxy response, and afterwards act like any other proxy server. Again, just a guess, but it fits the description.
Re: OK so internets fault How? (Score:2)
You can't MiTM https unless you can install a fake root cert on the device. HSTS offers even more protection against this.
Re: (Score:1)
No, you can with squid, but that's all I'm going to tell you.
Re: (Score:2)
no. you cannot. not without the browser warning about invalid certificates, unless either you've installed a fake root cert on the device, or there's some browser bug that doesn't show these cert errors.
Re: (Score:2)
I think it might be helpful to differentiate between MITM intervention in a HTTPS connection, something you can do with Squid, and hiding from a third party whose browser you do not control that you have done that. Something I believe Squid does not help with.
You're welcome to point out the specific paragraphs in the manual that state otherwise, but I'm not going trawling through Squid documentation for something I don't think exists.
Re: (Score:2)
That's interesting. I invite you to provide a reference to the manual that you assured us has the answers and instead you start talking about certificates.
This isn't helping your credibility.
Re: (Score:2)
That's interesting. ...
No, it's not. You're just being miserable, because you first needed an explanation from me and were too stupid to figure it out for yourself. Where is your credibility?
Re: (Score:2)
My credibility lies in that I'm not making wild unsupported claims and blaming others for being stupid while unable to provide the very reference my claim relies on.
Your credibility lies in tatters because you're making a wild unsupported claim and can't back it up under challenge, and so are having to call someone else stupid in an attempt to avoid the question.
Nice going.
Re: (Score:2)
No, you don't have any credibility. You're a snowflake on the Internet. You only wish you had, but neither of us does. Only I'm more aware of what I'm doing than you. Look at your own comments now. You started making it personal by trying to appeal to my sense of credibility, and look where we are now? I'm happy to talk with you all day, even when it's off-topic. You think that's nice going? No, it isn't.
Re: (Score:2)
Still waiting for that manual reference.
Still waiting.
And waiting.
No? An admission that you were wrong would suffice.
Re: (Score:2)
You keep waiting and keep telling yourself whatever you want, but I'm not wrong here.
Re: (Score:2)
You keep telling us you're not wrong.
You keep failing to provide evidence.
Enjoy being wrong. I'm not reading further replies.
Re: (Score:2)
You keep telling us you're not wrong.
You keep failing to provide evidence.
Enjoy being wrong. I'm not reading further replies.
I enjoy myself very much. Nothing wrong about that. Nor do I need to provide you with manuals when those are online. All the information has been given, and you're just being miserable, because you keep thinking people had to serve you. They don't. Bye-bye!
Re: OK so internets fault How? (Score:2)
The squid manual explicitly states that you need to install a CA in the browser to allow this, something that I explicitly called out above.
Re: (Score:2)
Call out as much as you like, why would I care? I said I don't want to tell you more, because it doesn't do you any good.
But I will help you out a little (next just google it). Open your browser, go into the security settings and see if you can find any certificates. You should find a few that come as default. Then remember what I've said above... You should possibly find a hundred or so and governments do have access to some of these (or so it's believed, no official confirmation has so far been given). No
And this is why . . . (Score:2)
You should keep all your personal information on your cell phone. Every contact, every bank account, every payment option, every everything. It makes it so much easier for a government to figure out who you are and to track what you do.
Forget cash. Cash is dead. Digital is the only way to go.
Re: (Score:2)
Well, it's more secure than using a PC for those things...
Bullshit. (Score:2)
Website redirected? Downloaded? Executed? Given root permissions?
None of those things are possible automatically, unless the following things are the case:
1. The user left random TLS root certificates (e.g. from his government's CA) on his device.
2. You mean downloaded as in an HTTP GET reply, not as in saved to permanent storage.
3. There is a severe bug in the browser since an insecure/old browser was used
4. There is a severe bug in the OS for the same reasons.
All of these are things that don't fit the "trained
Re: (Score:3)
None of those things are possible automatically
You forgot the "As far as I know," at the beginning of that sentence.
Big difference.
Re: (Score:3)
On your list 1 isn't required, and 2 misunderstands the attack.
3 and 4 are both making a bad assumption.
The GET request is intercepted and a response injected that the current modern up to date browser attempts to interpret. Sadly there remain bugs that can be exploited, and the response was structured to exploit one such bug, leading to execution of code (within the browser or otherwise, I don't know) to download something that exploits another bug in the current modern fully patched operating system to in
otherwise known as a "man in the middle" attack (Score:2)
Not a new attack--this is something that states have been capable of for years. In many cases, you can be hit with it with TLS secured sites as well, as states own signing certificates that can be used to emulate any site in the world, and are trusted by browsers. https://www.fastcompany.com/3042030/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be
This is what is meant by ... (Score:2)
government only back-doors to things. Come on ... us governments are the good guys, you can trust us to look after 'best interests'.
Only thing is that the "best interests" are those of the officials/kings/dictators/... not those of the common man.
Where's The Vulnerability? (Score:1)
A website man in the middle attack can't in and of itself root an iPhone. Stop focusing on the cellular network and the man in the middle.
The only question of any importance here is; what vulnerability did they exploit to root an iPhone? It sounds like a Safari vulnerability.
What is the Safari vulnerability, this time?
See why I don't like or want a 'smartphone'? (Score:2)
"Oh but Rick, why would anyone want to spy on you? Are you so interesting and important that you should be spied on?"
Hardly the point. It can be done, and, apparently, with relative ease. Therefore: The hell with 'smartphones'.
Try hacking my $40 plastic dumbphone. It's not even on most of the time.
Wean yourself off smartphones. You don't need them anywhere near as much as you think you do.
Re: (Score:2)
Wean yourself off smartphones. You don't need them anywhere near as much as you think you do.
Yes, yes, fine, old-timer. I'm sure you carry a full tower Linux desktop everywhere you go. This must save so much time working out at the gym.
Try having someone a bit younger show you the utility of carrying a supercomputer map encyclopedia jukebox camera recorder TV, sometime. It turns out they can even be used as phones, if that amuses you.
Re: (Score:2)
Yes, yes, fine, old-timer. I'm sure you carry a full tower Linux desktop everywhere you go.
As it happens, I do own a smartphone with a full linux desktop on it.
Re: (Score:2)
Try hacking my $40 plastic dumbphone. It's not even on most of the time.
It's also getting even fewer updates than the average cheap Android phone, but it still has an entire operating system there under the phone functionality. Your sense of security is misplaced.
Re: (Score:2)
It has no internet access. I made sure of that. It has no working GPS, I shorted the antenna to ground.
You call that secure?
My pair of tin cans with a string between them is way more secure than your poncy dumb-phone!
Where's it at? (Score:2)
Where's the Any website? http://any.com/ [any.com] ?
How can you tell if you've been hacked? (Score:2)
Is there a simple tell?
TL;DR - 'stingray' or access to mobile operator (Score:3)
From TFA: "This type of attack is possible using two techniques: deploying a device commonly referred to as a “rogue cell tower”, “IMSI Catcher” or “stingray”, or by leveraging access to the mobile operator's internal infrastructure. It is currently unclear which of these two options have been used against Omar and Maati."
So this can be done by any government or agency with the equipment. There aren't many countermeasures really: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
How does a VPN help exactly if the opposition has a control of the device?
Re:Again (Score:5, Insightful)
"How does a VPN help exactly if the opposition has a control of the device?"
Network injection doesn't work on an encrypted VPN connection.
Re: (Score:1)
He wouldn't have gotten spyware on his phone if he had been using a VPN the whole time. The initial infection was (allegedly) because his unencrypted cell connection got hijacked.
Why Encryption Use Is Problematical... (Score:3)
... When Advocating For Social Change (something I wrote in 2015) https://pdfernhout.net/why-enc... [pdfernhout.net]
"... Hardware may be compromised during production at various levels (chips, assemblies like memory or disk drives or batteries, lowest level BIOS). Cell phones in particular are vulnerable to this because they generally have a separate processor for interfacing with the cell phone network that is often proprietary. The separate cell phone processor may also update on its own schedule independent of user contr
Re: (Score:2)
OK I got a clean iPhone. How do I get a VPN app on it? I'm guessing the App store probably uses http/https. If the reporter had the knowledge and know how to jailbreak the phone and manually side load apps then this would not have happened.
The reality is that you probably need a preconfigured clean phone with VPN to have any chance of keeping it protected.
Re: Again (Score:2)
Skip the app. IOS and Android have native VPN support.
Re: (Score:2)
Fair enough. However, I will still need another device or some information ahead of time like VPN server or maybe a certificate. The reality is that in a situation like we are discussing you have to be very very careful which is beyond most normal people's understanding and capabilities.
Re: (Score:2)
Algeria?
Spain, via courier?
By buying a phone you can wipe and replace the firmware on, then downloading firmware from a trusted source?
Is it as easy as popping into your local medina and picking up something there? No, but if you aren't willing to put some effort into being secure, you won't be.