Journalist’s phone hacked by new ‘invisible’ technique: All he had to do was visit one website. Any website. | The Star
<https://www.thestar.com/news/canada/2020/06/21/journalists-phone-hacked-by-n...>

The white iPhone with chipped paint that Moroccan journalist Omar Radi used to stay in contact with his sources also allowed his government to spy on him. They could read every email, text and website visited; listen to every phone call and watch every video conference; download calendar entries, monitor GPS coordinates, and even turn on the camera and microphone to see and hear where the phone was at any moment.

Yet Radi was trained in encryption and cyber security. He hadn’t clicked on any suspicious links and didn’t have any missed calls on WhatsApp — both well-documented ways a cell phone can be hacked. Instead, a report published Monday by Amnesty International shows Radi was targeted by a new and frighteningly stealthy technique. All he had to do was visit one website. Any website.

Forensic evidence gathered by Amnesty International on Radi’s phone shows that it was infected by “network injection,” a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.

[...]

Link to the Amnesty report: <https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targe...>
Hi Alberto,

on closer inspection the news is from... 2016 :-O (that is, it is a rerun of similar situations from back then)

Alberto Cammozzo via nexa <nexa@server-nexa.polito.it> writes:
> <https://www.thestar.com/news/canada/2020/06/21/journalists-phone-hacked-by-n...>
> The white iPhone
> [...]
> Yet Radi was trained in encryption and cyber security.

Now, with all due respect: he was trained in cyber security and used an iPhone for his sensitive communications?!? ...and, on top of that, probably one that was not up to date?

I quickly read the Amnesty International report [1]:

--8<---------------cut here---------------start------------->8---
These messages, described as “Enhanced Social Engineering Message(s)“ (ESEM) in leaked NSO Group‘s documentation, attempt to lure victims to click on the contained link, which would then trigger an attempt of exploitation of the phone and the consequent silent installation of the Pegasus spyware on the device.
--8<---------------cut here---------------end--------------->8---

Pegasus [2] has been known since 2016; iOS version 9.3.5 fixes (or should fix) the vulnerabilities that the spyware exploits. The story made a lot of noise back in 2016 (references in the Wikipedia article) and revealed that the vulnerability and the related exploits had probably been in circulation since iOS 7.

The vulnerabilities, known since 2016, are:

--8<---------------cut here---------------start------------->8---
* CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel's location in memory.
* CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software - details in reference.[18]
* CVE-2016-4657: Memory corruption in the Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
--8<---------------cut here---------------end--------------->8---

It is not at all clear which vulnerabilities allow (might allow?) Pegasus to compromise Android as well.

I am puzzled.

Regards, Giovanni.

[...]

P.S.: with a stock Android phone that is not up to date and proprietary applications, not much would have changed.

[1] https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defe...
[2] https://en.wikipedia.org/wiki/Pegasus_(spyware)

--
Giovanni Biscuolo