Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security Cellphones Government The Internet The Media

Journalist's Phone Hacked: All He Had To Do Was Visit a Website. Any Website. (thestar.com) 123

The iPhone that Moroccan journalist Omar Radi used to contact his sources also allowed his government to spy on him (and at least two other journalists), reports the Toronto Star, citing new research from Amnesty International.

A Slashdot reader shares their report: Their government could read every email, text and website visited; listen to every phone call and watch every video conference; download calendar entries, monitor GPS coordinates, and even turn on the camera and microphone to see and hear where the phone was at any moment.

Yet Radi was trained in encryption and cyber security. He hadn't clicked on any suspicious links and didn't have any missed calls on WhatsApp — both well-documented ways a cell phone can be hacked. Instead, a report published Monday by Amnesty International shows Radi was targeted by a new and frighteningly stealthy technique. All he had to do was visit one website. Any website.

Forensic evidence gathered by Amnesty International on Radi's phone shows that it was infected by "network injection," a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.

Two more human rights advocates in Morocco have been targeted by the same malware, the article reports.
This discussion has been archived. No new comments can be posted.

Journalist's Phone Hacked: All He Had To Do Was Visit a Website. Any Website.

Comments Filter:
  • That's ungood (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Saturday June 27, 2020 @03:49PM (#60235634) Journal

    Forensic evidence gathered by Amnesty International on Radi's phone shows that it was infected by "network injection," a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.

    Okay, that's pretty fucking horrifying.

    Maybe it's time to go back to a flip phone.

    • Re:That's ungood (Score:5, Insightful)

      by rastos1 ( 601318 ) on Saturday June 27, 2020 @03:56PM (#60235652)

      the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone

      Okay, that's pretty fucking horrifying.

      Is it? Why does "GET URL HTTP/1.1" result in a hacked OS? Is the browser so vulnerable? Or are the low-level OS routines for network access so vulnerable? I hope, that is not the case.

      • Re:That's ungood (Score:5, Informative)

        by phantomfive ( 622387 ) on Saturday June 27, 2020 @04:10PM (#60235676) Journal

        Is the browser so vulnerable?

        Yes.

        Low-level iOS isn't particularly secure, but it looks like in this case the injection happened when he went to an http site, not an https site. Then the cell tower rewrote the response to redirect the browser to a website with an exploit.

        Note that it could have just injected the exploit directly, but separation of concerns. They wanted to use good software engineering.

        • Re:That's ungood (Score:5, Informative)

          by kot-begemot-uk ( 6104030 ) on Saturday June 27, 2020 @04:36PM (#60235758) Homepage

          Note that it could have just injected the exploit directly, but separation of concerns. They wanted to use good software engineering.

          No, they just used an off-the-shelf feature present in most mobile network kit. Nearly any GGSN worth of its name (and its 4G offspring) are perfectly capable of this feat and perfectly capable of doing it per user. I can't be arsed at the moment to point you to the exact stanza to configure it on Cisco, but it is there. Ditto for others - Nokia, Huawei, Ericsson. You can even load this as a policy in PCRF.

          It is not originally intended for this particular purpose though. As a feature it was designed for implementing pay-as-you-go top-up portals. It quite clearly works for other stuff too.

      • He had a good blue browser but a red team network connection. On his first web request over the network, the network replaces the HTML file with the desired HTML plus a rootkit install. Checkmate for the red team.

        Basically, if any site can expose you to a takeover script, this network can use that bug on first contact.

        VPN would keep the URL request secret from the local WiFi network... but that annoying "Please accept our terms of service" redirect could have a rootkit in the page.

        • Re:That's ungood (Score:5, Insightful)

          by Immerman ( 2627577 ) on Saturday June 27, 2020 @10:03PM (#60236444)

          Can't be *that* good of a browser if it allowed scripting on a random website to install a rootkit. Or that good of an OS for that matter.

          Back in the 80s and early 90s you could maybe excuse that kind of sloppiness, we hadn't quite gotten acclimated to the idea that the internet meant a few bad apples anywhere in the world could attack everyone else. But it's been happening for 30 years now, either get on the ball, or get out of the browser business.

          • by spth ( 5126797 )

            When your adversary is a government, you can assume that they have access to 0-day-exploits for virtually all browsers.

          • by Pieroxy ( 222434 )

            Can't be *that* good of a browser if it allowed scripting on a random website to install a rootkit. Or that good of an OS for that matter.

            Back in the 80s and early 90s you could maybe excuse that kind of sloppiness, we hadn't quite gotten acclimated to the idea that the internet meant a few bad apples anywhere in the world could attack everyone else. But it's been happening for 30 years now, either get on the ball, or get out of the browser business.

            Do you really believe any other combination of browser/OS is safe? The exploit surface has *nothing* to do with the one we had in the 80s. There's just too much stuff to secure, it isn't feasible, at least not while being competitive.

            Since most users will buy the new shiny thing, no matter how secure, there just isn't a market for a secure OS. Or browser.

      • Apple product.

      • Is it?

        Yes, it is.

        -

        Why does "GET URL HTTP/1.1" result in a hacked OS? Is the browser so vulnerable?

        Apparently.

        -

        Or are the low-level OS routines for network access so vulnerable?

        Why not both?

      • Of course browsers are vulnerable. Just think how much complexity is present in a browser. A highly complicated layout engine, parsers and renderers for many types of image and a few types of font, handlers for all the order-switching and character-combining of unicode, a javascript execution engine and likely one for Wasm too, encryption and credential storage - the sheer size of a browser is a guarantee that, somewhere in all that, there will be vulnerabilities.

    • Yeah, I wonder if a permanent VPN would have helped. But I agree that this is pretty terrifying.
      • It would have helped against the cell phone company or ISP redirecting the HTTP request to the malicious website, but you're still vulnerable if you are tricked into visiting that website yourself, VPN or no.

        What seems a bit strange to me is that these attacks have been going on for quite a while. You'd think that such a serious weakness in the browser would have been plugged by now.
        • It would have helped against the cell phone company or ISP redirecting the HTTP request to the malicious website, but you're still vulnerable if you are tricked into visiting that website yourself, VPN or no.

          What seems a bit strange to me is that these attacks have been going on for quite a while. You'd think that such a serious weakness in the browser would have been plugged by now.

          That's assuming there is a practical way to "plug" this. Do we know that for sure?

        • The intelligence agencies have a lot of motivation to ensure the holes stay open.
    • Or avoid ancient Android systems if you're worried about privacy.

    • Its not really that new of a concept to attack a phone like this. YiSpector infected iPhones pretty much this way, this just made it a little more targeted.
    • Re:That's ungood (Score:5, Interesting)

      by ras ( 84108 ) <russell+slashdot ... au minus painter> on Saturday June 27, 2020 @11:45PM (#60236644) Homepage

      Okay, that's pretty fucking horrifying.

      Yes, it is. But it was 4 years ago in 2016, and Apple released a patch for iOS not long thereafter. Lesson learnt, you would hope.

      What is truly horrifying is then ithappened again [wired.com], in 2019. For reasons I don't understand this didn't cause a huge uproar in western social media. Maybe because it was China targeting Uygur muslems, so it was "them" being got, not "us". Apple downplayed for that reason, saying The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ... the hacked websites used to exploit the vulnerabilities numbered fewer than a dozen and mainly featured content related to the Uyghur community, a predominantly Muslim ethnic group from China's western Xinjiang region [kimt.com]. So that's OK then.

      But to me Apple fucking it up twice in 3 years to that extent is indeed horrifying, and it was the second one rather than this one that drove the point home.

  • What (Score:5, Funny)

    by phantomfive ( 622387 ) on Saturday June 27, 2020 @03:49PM (#60235638) Journal

    We argued that those redirects were symptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s browser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.

    That's a clear violation of GDPR. They need to post a consent popup before continuing with an injection attack. Infiltration without consent is illegal, make sure your company is not doing it.

    • Re:What (Score:5, Funny)

      by fahrbot-bot ( 874524 ) on Saturday June 27, 2020 @04:07PM (#60235670)

      We argued that those redirects were symptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s browser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.

      That's a clear violation of GDPR. They need to post a consent popup before continuing with an injection attack. Infiltration without consent is illegal, make sure your company is not doing it.

      Clippy: It looks like you're trying to get hacked. Would you like help?

      • [x] Get help getting hacked.
      • [ ] Just get hacked without help.
      • [ ] Don't show this again.
    • That's a clear violation of GDPR

      The Funny part must be that Morocco is in Europe, now...

  • by DontBeAMoran ( 4843879 ) on Saturday June 27, 2020 @03:53PM (#60235644)

    In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone.

    I didn't read TFA, but given how many steps someone has to do before installing non-App store software on their own iPhones, can someone care to describe how exactly this is happening?

    • The idea that a "walled garden" gives you security is a lie. If someone else holds the keys, it's just a jail.
      • The idea that a "walled garden" gives you security is a lie. If someone else holds the keys, it's just a jail.

        And so you think that Sideloading gives you more security?

        Nothing's perfect; but the security track record of iOS vs. Android speaks for itself.

      • Re: Magic? (Score:4, Informative)

        by sectokia ( 3999401 ) on Saturday June 27, 2020 @07:56PM (#60236194)
        He was using a 10 year old not patched jail broken iphone..... Utter no one seems to mention that part.
    • Re:Magic? (Score:4, Insightful)

      by 93 Escort Wagon ( 326346 ) on Saturday June 27, 2020 @05:00PM (#60235802)

      I didn't read TFA, but given how many steps someone has to do before installing non-App store software on their own iPhones, can someone care to describe how exactly this is happening?

      There is information here we definitely don't have. But given there's a unpatchable bootrom exploit [github.com] available for every iPhone prior to the second-generation SE, and given that Zerodium recently announced it would stop paying for some exploits [slashdot.org] given the sheer number of them currently available, it wouldn't surprise me overmuch to learn that iOS can be compromised remotely without requiring any interaction.

      And I say that as an iOS user.

  • This is the sort of thing which requires active collaboration between government, corporations, and techs on the end of the chain for every case in which it's used with current tech. That's a lot of checks and balances on the system wherein anyone who doesn't agree with it can easily override it and just go "whoops, didn't work." That's the same thing which makes real police better in every way to automated bots tasked with policing: it's not possible for one corrupt person to exploit it in secret at the scale of a nation or even a particular party if the bulk of a given society is redeemable. It's the broad spectrum/blanket stuff that's the real issue, because that's not used to track actual criminals, it's used, the moment it's employed in any form of analytic operation (from the level of a SQL-competent person running an grouping/aggregate query on up) it becomes a tool for policy planning to meet objectives outside of that role. The real danger is when the tools exist to say "we want to reach this outcome, so we can employ this set of policies" - politicians have been trying to control people in that manner and failing every which way, but that sort of data-based would be an instant recipe for a totalitarian regime.
  • by Todd Knarr ( 15451 ) on Saturday June 27, 2020 @04:24PM (#60235714) Homepage

    Basically if you can control the network immediately upstream of the target, you can control everything the target sees and does. It's the same principle that allows a lot of network security to work: because the security people control the company network they can force all network access to go through the security systems. We normally assume the networks themselves aren't malicious and that we can trust SSL certificates. When dealing with a government, though, those assumptions go out the window. They can compel the network operator to subvert their own network. They can obtain legitimate-seeming SSL certificates for any domain. The only way I know of to guard against this is to use a VPN whose servers are in places any government I'd be worried about can't influence, authenticated by SSL certificates whose fingerprints I can verify by an independent channel and hard-code into my configuration so any impersonation first requires cracking the underlying mathematics of public-key cryptography.

    • Basically if you can control the network immediately upstream of the target, you can control everything the target sees and does.

      Except this is above and beyond that - this also involved planting malware on the target's iPhone without the target having to take any action at all.

      • It did involve one action by the target: visiting a web site. Anyone with control over the immediate upstream network can force that visit to always be to a malicious website that can exploit vulnerabilities to infect the device.

    • by tero ( 39203 )

      They can obtain legitimate-seeming SSL certificates for any domain.

      What do you mean with "legitimate-seeming"?

  • Either way, the attacker identifies the phone being targeted and waits for that phone to connect to a website over the cellular data network. The website must use “clear text” which means the URL starts with “http” not “https.”

    Stop visiting cleartext websites.

    • Either way, the attacker identifies the phone being targeted and waits for that phone to connect to a website over the cellular data network. The website must use “clear text” which means the URL starts with “http” not “https.”

      Stop visiting cleartext websites.

      Excuse me: At the level of government corruption and conspiracy that this obviously took, how does even something like "certificates" help?

      • With http, if you request site xyz, you can get back _anything_. If you use https, your browser will only accept a reply with a valid xyz certificate. To provide that, youâ(TM)d have to control a root certificate. If you could do that, the root certificate would be killed a second later by Apple and Google. And you donâ(TM)t think Morocco can bribe apple and Google?
        • That root certificate would only be killed a second later if it was widely used so that Apple and Google would find out, not if they only used it this single time for this directed attack.
      • In addition to data encryption, certificates are used to verify identity of sites and establish trust. Is this the site I intended to communicate with, or is it some man in the middle attack that is going to inject a URL to my phone and take over my network?

  • "a fully automated method where an attacker intercepts a cellular signal"

    Just my 2 cents ;)
    • If I had to guess ... maybe he had automatic proxy configuration enabled. This means as soon as he connected to the Internet will his phone first have tried to find a proxy server. Once found will the browser ask the proxy for every webpage visited. This also allows for a Man-In-The-Middle attack to get around HTTPS encryption. You then inject the malware with the first proxy response, and afterwards act like any other proxy server. Again, just a guess, but it fits the description.

      • You canâ(TM)t MiTM https unless you can install a fake root cert on the device. HSTS offers even more protection against this.

        • No, you can with squid, but that's all I'm going to tell you.

          • no. you cannot. not without the browser warning about invalid certificates, unless either you've installed a fake root cert on the device, or there's some browser bug that doesn't show these cert errors.

  • You should keep all your personal information on your cell phone. Every contact, every bank account, every payment option, every everything. It makes it so much easier for a government to figure out who you are and to track what you do.

    Forget cash. Cash is dead. Digital is the only way to go.

  • Website redirected? Downloaded? Executed? Given root permissions?
    None of those things are possible automatically, unless the following things are the case:

    1.The user left random TLS root certificates (e.g. from his government's CA) on his device.
    2. You mean downloaded a in HTTP GET reply, not as in saved to permanent storage.
    3. There is a severe bug in the browser since an insecure/old browser was used
    4. There is a severe bug in the OS for the same reasons.

    All of these are things that don't fit the "trained

    • None of those things are possible automatically

      You forgot the "As far as I know," at the beginning of that sentence.

      Big difference.

    • by Cederic ( 9623 )

      On your list 1 isn't required, and 2 misunderstands the attack.

      3 and 4 are both making a bad assumption.

      The GET request is intercepted and a response injected that the current modern up to date browser attempts to interpret. Sadly there remain bugs that can be exploited, and the response was structured to exploit one such bug, leading to execution of code (within the browser or otherwise, I don't know) to download something that exploits another bug in the current modern fully patched operating system to in

  • Not a new attack--this is something that states have been capable of for years. In many cases, you can be hit with it with TLS secured sites as well, as states own signing certificates that can be used to emulate any site in the world, and are trusted by browsers. https://www.fastcompany.com/3042030/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be

  • government only back-doors to things. Come on ... us governments are the good guys, you can trust us to look after 'best interests'.

    Only thing is that the "best interests" are those of the officials/kings/dictators/... not those of the common man.

  • A website man in the middle attack can't in and of itself root an iPhone. Stop focusing on the cellular network and the man in the middle.

    The only question of any importance here is; what vulnerability did they exploit to root an iPhone? It sounds like a Safari vulnerability.

    What is the Safari vulnerability, this time?

  • This. Exactly, precisely this sort of shit. "Just one website", it says.
    "Oh but Rick, why would anyone want to spy on you? Are you so interesting and important that you should be spied on?"
    Hardly the point. It can be done, and, apparently, with relative ease. Therefore: The hell with 'smartphones'.
    Try hacking my $40 plastic dumbphone. It's not even on most of the time.

    Wean yourself off smartphones. You don't need them anywhere near as much as you think you do.
    • Wean yourself off smartphones. You don't need them anywhere near as much as you think you do.

      Yes, yes, fine, old-timer. I'm sure you carry a full tower Linux desktop everywhere you go. This must save so much time working out at the gym.

      Try having someone a bit younger show you the utility of carrying a supercomputer map encyclopedia jukebox camera recorder TV, sometime. It turns out they can even be used as phones, if that amuses you.

      • Shut up. You're one of those morons that walk into walls because you've got your eyes glued to your fucking phone because you're addicted to Facebook and/or Twitter and/or whatever other useless shit you use it for, and your fake-ass righteous indignation and patronizing attitude pretty much confirm all that. You're embarassed by how much you're addicted to your fucking phone and probably feel like you're going to pee your pants at the thought of not having it anymore. So of course you run your mouth at me.
      • Oh and I almost forgot: Enjoy having everything you do and say be monitored, and everywhere you go with the thing tracked and logged. Loser.
      • by Cederic ( 9623 )

        Yes, yes, fine, old-timer. I'm sure you carry a full tower Linux desktop everywhere you go.

        As it happens, I do own a smartphone with a full linux desktop on it.

        • The whole idea of a 'smartphone' wasn't a bad one to start with, but like way too many things once Corporate America got it's hands on it, they twisted it into something obscene and useless. If they were just mobile computing platforms with wireless internet access that the end user actually had control over, that just so happened was also a cellular telephone, then it would have been great: install whatever OS you want on it, whatever software you want on it, totally secure and lock it down yourself if tha
    • Try hacking my $40 plastic dumbphone. It's not even on most of the time.

      It's also getting even less updates than the average cheap Android phone, but it still has an entire operating system there under the phone functionality. Your sense of security is misplaced.

      • It has no internet access. I made sure of that. It has no working GPS, I shorted the antenna to ground. I has no free memory to speak of. It's TURNED OFF most of the time anyway, unless I'm actually using it as a phone. So you tell me how it can be 'compromised', especially in the way TFA describes? Shut up.
        • It has no internet access. I made sure of that. It has no working GPS, I shorted the antenna to ground.

          You call that secure?
          My pair of tin cans with a string between them is way more secure than your poncy dumb-phone!

  • Where's the Any website? http://any.com/ [any.com] ?

  • Is there a simple tell?

    • Virginia, the short answer is NO. Networks don't do their job, the operating system does not do its job, AV products don't do their job, and certificates are now worthless. Checking latency is another tell - something to watch. The lesson is mobile phones are not to be trusted. Ask a German Chancellor - anything goes. Use a regular laptop and boot with a non-nonsense thin image from usb or cdrom, and one stresses - with a NON-STANDARD double hop VPN arrangement, or wireguard. In addition add a network snif
  • by fygment ( 444210 ) on Sunday June 28, 2020 @02:13PM (#60238778)

    From TFA: "This type of attack is possible using two techniques: deploying a device commonly referred to as a âoerogue cell towerâ, âoeIMSI Catcherâ or âoestingrayâ, or by leveraging access to the mobile operatorâ(TM)s internal infrastructure. It is currently unclear which of these two options have been used against Omar and Maati."

    So this can be done by any government or agency with the equipment. There aren't many countermeasures really: https://en.wikipedia.org/wiki/... [wikipedia.org]

Genius is ten percent inspiration and fifty percent capital gains.

Working...