Again a buffer overflow in image decoding, that sounds similar to the one from 2021 [1]. That one was wild, building a CPU out of primitives offered by an arcane image compression format embedded in pdf, to be able to do enough arithmetic to further escalate to arbitrary code execution!
And a much older bug with TIF rendering in iOS 4 used by jailbreakme.com back in the day. It was wonderful pressing a button in Safari and suddenly seeing my iPod touch reboot with Cydia installed.
This is the frustrating part: that is cool from a technical perspective but terrifying when you think about this stuff being used to target journalists, activists, etc. Maybe not everyone gets the bone saw but some will - and from the sounds of it it’s people standing up to abusive people:
> Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.
The interesting thing is that, as the article states, Lockdown Mode, which is intended for users with exactly that kind of risk profile, does in fact prevent this attack.
the more interesting thing is why the default state has to be made vulnerable in the first place instead of just making lockdown the default method of using an apple device
The even more interesting thing is that all functionality increases the attack surface and therefore makes all devices more vulnerable. The most secure state is not to have the device at all or, failing that, to have it permanently turned off. This is true of every device, not just apple.
The reason people possess devices is to use functionality and therefore they have to make some tradeoffs in terms of security. The default state is what apple currently think is the best tradeoff in terms of risk vs functionality for most people. For people with an extremely unusual threat profile it stands to reason a different tradeoff might be appropriate.
That said, they do give a lot of granular control to the user to turn off individual functions if the user feels differently and wants to change their stance eg iMessage can be disabled with a switch in settings.
In Safari, yes, losing the JavaScript JIT is hefty but I’d somewhat cynically argue that it’s probably balanced out performance-wise if you install an ad blocker.
Honestly I find it a little reassuring that these are the lenghts you have to go to find a reproducible exploit. Granted the failure mode is not great…
Yeah, it’s been too slow but we have come a long way from when any motivated person could find an exploit in a binary file decoder with a day or two of work.
What is frustrating is the NSO group continues to exist despite all the bad they do. How many people are they responsible for being on the receiving end of a bone saw?
At the risk of being boring: software liability would go a long way towards getting companies to do this work themselves. Even though Apple is the largest company on the planet an entity that has a small fraction of the budget is apparently able to do a better job. I don't see why Apple couldn't make those people an offer they can't refuse. That takes them off the market and has them doing something productive.
> Even though Apple is the largest company on the planet an entity that has a small fraction of the budget is apparently able to do a better job.
NSO Group is Israeli and (most likely) filled to the brim with former Unit 8200 staff. About the best of the best what the IDF has to offer - they've been said to match the NSA in quality.
> I don't see why Apple couldn't make those people an offer they can't refuse.
For all that can be guessed, they're a semi-private company, deeply connected with the Israeli government [1]. No one can pay these guys enough. If you want them to stop, you'll have to get the Israeli government to agree, and they won't give up any asset that gives them an edge over Iran or its numerous other enemies.
So stop shipping iPhones to Israel until they play ball. If they're that smart they can roll their own phones. These companies do immense damage and endanger lives the world over. Given enough time and budget there is nothing that can't be cracked and it's the very worst actors that have access to this stuff.
As much as I agree with you... I think it's most likely that the US NSA, UK's MI(whatever), Israel's Mossad and a bunch of other secret services all cooperate with each other. No way these guys get taken down, and no way that the sanctions that have been nominally announced actually get enforced at the murky, intransparent bottom layer of the secret services.
Someone has to crack open the phones of drug kingpins, terrorists etc. after all.
You are severely underestimating the power of an entity like Apple. HN regularly spouts opinions that if US companies don't like the GDPR they should just stop doing business with the EU. That's a massive block of consumers and I highly doubt any company that likes its bottom line is going to take that approach.
But we're talking about one company here that simply should stop selling their crap to the highest bidder. I'm at some level ok with the Israeli's doing what they do, they're no different than any other nation state. But to allow this sort of entity to operate from your soil in a commercial manner, including selling those exploits on the open market where they will inevitably be used against the home country as well seems 'optional' to me and there is a lot of Israelis that like their smartphones.
Why would an entity the size of Apple risk their reputation and everything they stand for to avoid a run-in with a relatively tiny company in a relatively small part of the world that is causing an enormous amount of problems?
So tourists (or people visiting for family or work) who own iPhones wouldn't be able to use them in Israel? You can probably see how that's a tough sell.
Yes, that's exactly it: you harbor this sort of company you will not be able to pretend it's business as usual on other fronts.
After the 500,000th Facebook post of tourists linking NSO to 'my holiday in Israel was spoiled and I won't be going back there' I'm pretty sure they'd get the message.
I'm ok with whitehat hackers but this shit has to stop. Mind you, I have an old Nokia so it's not as if I'm affected, the only thing I have to worry about is the baseband processor and my telco. But there are plenty of people who need a smartphone for their work and their opsec is pretty much as good as their phones' security.
That would be an extraordinary act of political activism which is never, ever going to happen. I'd argue it's not a corporation's place to take such an action in the first place. This is, if anything, a diplomatic matter and should be left to the state.
I mean what next, stop selling to the KSA because of their gay rights issues? Iran? Russia? Where does that end? Well, it won't even begin, and rightly so. This is a state matter and they should stay in their lane. They're doing all they can, and should.
BTW, I bet there's more than a few USA organisations who are quietly very annoyed about Apple's relentless bug-fixing. Organisations like NSO are tolerated for a reason.
> So stop shipping iPhones to Israel until they play ball.
For what purpose? They would still procure iPhones through gray channels and hack them because that's what their victims use. Should Apple also stop selling phones in every other country, because that's where many of NSO's exploits are actually used?
What other purpose? Annoy the local population? Create a grey/black market where you're even more likely to be given a "pre-hacked" unit?
Ha! Thats some nice fan fiction. Look at how Elon is torpedoing himself even further trying to take on ADL(lets be frank they clearly have ties to Israel). It took far right wing people + Elon bringing the issue up to even have a discussion on pushing back against ADL (and now ADL can just say thats just clearly anti-semetic people being anti-semetic) so the issue is already dead.
Apple being a public company with many institutional portfolios holding their stock would not survive these portfolios dumping their shares due to pressure if they announced this. This could even be enough to force remove Tim Cook from his role. Why would he take such a drastic position?
This rot is at all layers of the western world(UK, Canada, AUS, NZ, France at least). All the way from state governments passing laws saying you cannot boycott Israel or else you'll be barred from contracts(Anti-BDS laws) to congress removing members from their committees if they criticize Israel(eg. Illhan Omar) and signing loyalty pledges to Israel. When ANY new resistance appears against Israel, multiple groups in all of these countries move at light speed to enact a response.
The downsides of having these exploits is clearly acceptable to all the people that make the decisions. And it's not like a regular person can use these exploits against members of congress to make them feel the pain. They'll just 'Julian Assange' you.
What you are proposing requires massive reform at ALL level of government and across the western world as this is not only a US problem. Good luck with that.
This requires changing fundamental beliefs of the majority of people who vote in these governments. They have a special "bond" with Israel and they wont willingly let go of that. You'll be better off just reverse engineering the complete iOS binary and finding every possible exploit.
> It took far right wing people + Elon bringing the issue up to even have a discussion on pushing back against ADL (and now ADL can just say thats just clearly anti-semetic people being anti-semetic) so the issue is already dead.
The issue is dead because Elon's grievance is patently absurd. He's accusing the ADL of singlehandedly engineering a 60% drop in Twitter ad sales. It would be genuine comedy were it not for the fact he's handing a megaphone to the worst-of-the-worst groyper kindernazis.
Thats my point. Pushing back against the ADL is almost impossible and when it finally happens it is associated with these knuckleheads. Therefore it is easy to dismiss...but there are serious abuses done by the ADL (just look up their history) and they now get to skate free.
You seem to be implying the issue is the messenger and his dimwitted minions, when really it's the message itself. If these guys are as nefarious as you're implying, surely the richest man on the planet could dig up something that's not prima facie absurd?
Thanks for clarifying. I'm not familiar enough with this organization to either stake a position for or against, but one passing observation based on that wiki page :
> Right-wing groups and pundits, including right-wing Jewish groups, have criticized ADL as having moved too far to the left under Jonathan Greenblatt, labeling it a "Democratic Party auxiliary"
> In August 2020, a coalition of progressive organizations launched the "Drop the ADL" campaign, arguing that "the ADL is not an ally" in social justice work. The campaign consisted of an open letter and a website, which were shared on social media with the hashtag "#DropTheADL". Notable signatories included the Democratic Socialists of America, Movement for Black Lives, Jewish Voice for Peace, Center for Constitutional Rights, and Council on American–Islamic Relations.[179] The open letter stated that the ADL "has a history and ongoing pattern of attacking social justice movements led by communities of color, queer people, immigrants, Muslims, Arabs, and other marginalized groups, while aligning itself with police, right-wing leaders, and perpetrators of state violence.
Always interesting to see entities criticized for being both too far left and too far right.
To me, the ADL doesn't seem right or left within the US. The evident goal of their org today is to silence criticism of US-Israel relations and run PR for Israel in general, which makes sense given its founding org. That's its own thing, in fact it'd be counterproductive to do it in a partisan way.
I’m sure there are a lot of committed patriots there but I doubt it’s the whole company. Tim Cook could drop 1% of their cash on hand and see how many of them would turn down a million or two as a signing bonus, and if that didn’t work he could escalate to 10% or toss in some stock. I find it unlikely that wouldn’t tempt a lot of people, especially since the U.S. is one of Israel’s staunchest allies so it’d be pretty easy to tell yourself that pile of cash isn’t selling out.
The real reason they don’t do that is trust: how could you ever be confident that someone wasn’t passing information back to Unit 8200 or even helping them out?
I understood but am skeptical of that - they'd block sale of the entire company but I think it'd be a surprise if they prevented a bunch of Israeli nationals from accepting prestigious jobs with an American company.
Consider as well that designing (known obsolete at the time, with no practical threat to Israel) long range weaponry for a relatively benign enemy (Iraq was never Iran or Egypt) is likely far more forgivable than assisting a far more powerful foreign power with a history of at times cool relations with Israel with the current high priority useful intelligence tool which they are known to have a unusual world class edge in right now.
Gerald Bull was annoying. Someone good leaving any of the APT groups in Israel to help Apple get better security or anyone else would be borderline treason.
NSO seems more like a business. If Israel wanted to, they could pay NSO to keep their software internal/private, no?
The more devices that get exploited, the more exploits that get closed. That's how you lose your edge against your enemies.
Unless they're so confident in their stream of exploits that it's worth burning a few. Or these nation states are buying the devices to operate these exploits and operating them in their security labs...hrmmmmm...
It appears that the Israeli government operates the same way as the Russian government with respect to their private black/gray hat companies and groups: hacking other people is OK, just don't hack our nationals or our institutions, and we're cool. And if they hack companies or people seen as hostile, so much the better.
If Apple buys NSO Group and shuts it down, other firms are incentivized to enter the market especially because of the prospect of a nice payday if Apple buys the new firm, too.
Anyone buying them and shutting them down won't even temporarily make the problem better, as NSO has competitors who would immediately hire the best people.
That's true, but I'm not entirely sure why this would be relevant to include in my comment? It's just pointing out that other vendors exist in this space other than NSO Group. I don't even see the hypocrisy if I had posted that while working at one of the places I mentioned? How would you rephrase it?
(It seems like you know me, are you someone I've met before?)
Yes they can? It's totally possible for a small, well connected, group to be writing small pieces of custom code in very critical applications, like core reactor controls system for navy submarines.
...implying the scrutiny Boeing is held to does anything beneficial.
The regulatory capture resulted in a pathological operating module that put over 346 in an early grave because they couldn't be arsed to not cut corners; then on top of ot all, there's no substantive finding of liability or wrongdoing.
Laws that are ultimately unenforced due to 2B2F might as well not exist at all.
I don't want to defend Boeing's management but even with the worst failure in, what, half a century? it's still much safer to fly than drive so I wouldn't be so quick to throw aviation security culture under the bus.
I think you should really think about what you're saying. Would you cut makers of physical artifacts the same slack, say a small prepared food producer who just can't afford to vet their supply chain or final product to make sure it's not contaminated?
This has already played out. Most consumer software specifies that it cannot be used in medical devices, or for nuclear energy production. So some version of this already exists. But should this apply to video games? Horoscope websites? Random number generators? I'm just pointing out that it isn't a universal argument.
I don’t understand your comment. Are you saying that involving trial lawyers and US juries to collect big settlements from Apple is going to stop the NSO Group? Or is it that the NSO Group should be liable for the actions of their clients?
I don't understand your comment either. You say you don't understand and then you give a choice between two narrow interpretations neither of which seems to cover what I wrote.
To make this a bit more productive:
If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
This worked wonders for other industries (notably: automotive, airlines, medicine). It may slow them down a bit, you may have a wait a bit longer for the next iteration of some gadget. But that's a small price to pay in my opinion.
As for the NSO group: I'm suggesting that Apple use their well filled cash coffers to buy these guys out, and failing that that they use some of that money to sue them for all of the damages that Apple incurs as a result of their actions as well as any criminal charges that they might get to stick. See 'Skylarov'.
It wouldn't be the first time that a US judge finds fault with a foreign company. At a minimum it would slow them and their employees down to the point that they will be in a US jail the next time they visit Disneyland. If it works against illegal gambling operations I see no reason why that sort of mechanism can't be brought to bear against state sponsored hacking groups and their employees.
> If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
I think this works best at that level, like if there’s a sliding scale based on your company’s importance to normal people’s security. I think a lot of developers are worried that their two person consulting team is suddenly liable for bugs but it’s totally reasonable to say that Tim Cook should shake the spare change out of his office couch, call Graydon Hoare into his office and say “here’s a billion dollars, who should we hire so I never hear the phrase ‘buffer overflow’ again?”
> If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
> This worked wonders for other industries (notably: automotive, airlines, medicine). It may slow them down a bit, you may have a wait a bit longer for the next iteration of some gadget. But that's a small price to pay in my opinion.
That's quite a big price for non life-critical equipment that is a billion times more complex than a pacemaker or the safety-critical parts of an airplane or car.
A billion times more complex than the safety-critical parts of an airplane? I think you lack perspective on avionics packages and the safety measures that are undertaken in that industry. Additionally, I think you're vastly over estimating how complex a smartphone is.
A billion might be hyperoble (although i dont think its a totally unreasonable guess either), but phone software is many GB large, i could easily believe that there are a million more MC/DC points in phone software, than in the safety critical part of airplane software.
Pacemakers are one of literally millions of regulated medical devices. If my CPAP fails one night, I don't die, but it's still regulated to ensure it's not gonna fail. You want this to be pacemakers vs Tetris but it's not. It's hearing aids and contact lenses and insulin pumps and wheelchairs and nebulizers and all kinds of devices that will not get you killed if they fail AND YET they are highly regulated and rightly so.
I mean, i assumed from context it was meant regulated in the way life-critical devices are regulated, since the mentioned industries like airlines that have elements that must apply with the regulations life-critical software has to be (e.g. full mc/dc test coverage and what not).
If the goal posts are being moved to regulated in any form, phones already meet this criteria as there exists regulations they are subject to.
So what regulation precisely did you have in mind and would it prevent the issue being discussed?
Maybe that’s true, it probably is, but they should still be sanctioned into oblivion considering they consistently are in the headlines on the wrong end of this being used for deeply questionable purposes.
The US enjoys some fruits of their labor and they're conveniently distanced from any explicitly funded operations to avoid blow back when exploits are publicized. They won't enforce sanctions or, more practically, withhold the massive defense subsidies they give to Israel.
>... as greed leads them into bed with the wrong people.
I'd hope they're at least targeting their own customers as part of state-sanctioned operations. Still, that doesn't justify the dissidents they indirectly facilitate being thrown under the bus. Or on the receiving end of a bone saw, as another commenter put it.
Allowing a US+Israel-approved* company to do this makes higher revenues possible, meaning they can attract higher talent => more hacks. Which would be fine if we prevented them from selling to unwanted customers. With weapons, we control who gets them, regardless of money.
* I was going to say "sanctioned," but that word can mean two entirely opposite things, it's dumb
True, but there’s a real question about how effective they’d be. NSO has the veneer of legitimacy which means they can hire top notch talent by pretending their products are just law enforcement tools – fewer people would be comfortable working for a Russian mercenary group or able to tell their friends and family their work for a Chinese government vendor wasn’t helping oppression. That doesn't mean that everyone in the world is comfortable working for them but think about how it is for Palantir where a significant percentage of top tech talent don't seek employment there due to ethical concerns - NSO has similar problems but they'd be an order of magnitude worse if they weren't in a close ally country.
I wrote a patch to fix it that one of the jailbreaks used. I wasn't in the scene, but wanted to protect my ipod touch. So I figured out a patch and gave it to somebody named "pumpkin" on IRC. It's been a long time, but I remember it was fun to learn ARM assembly and figure out how to rewrite the code to get enough space to insert a test and return.
Your phone would reboot with a pineapple logo and console messages flying across the screen like a 1337 h4cker, starting with the "regents of the University of California, Berkeley" message. Then you'd go install a ton of Cydia hacks.
Which actually makes me more sympathetic to Chrome not (yet) adopting JPEG-XL.
Don't get me wrong, I think JPEG-XL is a great idea, but to everyone saying "how can supporting another image format possibly do any harm", this is the answer.
Why not implement all image codecs in a safer language instead?
That would seem to tackle the problem at its root rather than relying on an implementation's age as a proxy for safety, given that that clearly isn't a good measure.
RLBox is another interesting option that lets you sandbox C/C++ code.
I think the main reason is that security is one of those things that people don't care about until it is too late to change. They get to the point of having a fast PDF library in C++ that has all the features. Then they realise that they should have written it in a safer language but by that point it means a complete rewrite.
The same reason not enough people use Bazel. By the time most people realise they need it, you've already implemented a huge build system using Make or whatever.
Firefox led a hand in making Rust, so I imagine if there is a browser that can make a more secure browsing experience, it would be Firefox, by making media decoders in Rust.
Almost all people don't want to or aren't capable of implementing image codecs, the safer languages aren't fast enough to do it in, and the people who are capable of it don't want to learn them.
Of course as the blog post says, just because memory safety bugs are overcome doesn't mean vulnerabilities have stopped; people find other kinds of vulnerability now.
Definitely, but GP was specifically using this as an argument for Google not supporting a codec in Chrome. If anybody can spare the effort to do it safely, it’s them.
I don't buy that being able to manually copy data into a memory buffer is critical for performance when implementing image codecs. Nor do I accept that, even if we do want to manually copy data into memory, a bounds check at runtime would degrade performance to a noticeable extent.
"Manually copy data into a memory buffer" is pretty vague… try "writing a DSP function that does qpel motion compensation without having to calculate and bounds check each source memory access from the start of the image because you're on x86-32 and you only have like six GPRs".
Though that one's for video; images are simpler but you also have to deploy the code to a lot more platforms.
I don't dispute that these optimizations may have been necessary on older hardware, but I think the current generation of Apple CPUs should have plenty of power to not need these micro optimizations (and the hardware video decoder would take care of this anyway).
> Why would an iPhone be running x86-specific code?
The same codebase has to support that (since there's Intel Macs and Intel iOS Simulator), and in this case Apple didn't write the decoder (it's Google's libwebp). I was thinking of an example from ffmpeg in that case.
> and the hardware video decoder would take care of this anyway
…actually, considering that a hardware decoder has to do all the same memory accesses and is written in a combination of C and Verilog, I'm not at all sure it's more secure.
I'd guess it's a combination of labor required to rewrite them and that you'd more or less have to use a safe systems language in order to not have a performance regression
Often it's infeasible to justify rewriting a lot of existing code, but my point is that these days this concern shouldn't really be an obstacle to integrating a new codec.
It should certainly lower the bar of adopting a new codec if the implementation is in a memory-safe language.
Even so, it is more code, and somewhat more risk. Lack of safety elsewhere might end up using code that is otherwise safe in order to build an exploit (by sending it something invalid that breaks an invariant, or building gadgets out of it, etc.).
Adding something in rust into a browser means you now need to bundle all of the needed crates and that your browser now also needs rustc to build… at a minimum.
You also need potentially to audit all the crates and keep them up to date and so on… without crates you can't do so much.
I can see that for components heavily interfacing with high surface area things like encryption, hardware interfacing etc., but why would that be true for a relatively “pure” computational problem like an image codec? Bytes in, bytes out.
Again buffer overflow in image decoding. Would think apple might just #threatmodel and #fuzz that to death... but you would be wrong. 2.7T market cap company can't do this...
They do, but some of these bugs are beyond what fuzzing can do. We don’t know that this is a buffer overflow or how complex the exploit chain was - the one linked above was anything but something you’d get by fuzzing.
I agree it is disappointing that this stuff isn’t all Rust or Swift yet but that’s in process. Of particular interest, did you notice how the new Lockdown mode is apparently a countermeasure? I would not be surprised to see some of those motivations expand into the base OS as they have time to improve.
Can't you trigger this by fuzzing? Sure, the JBIG VM won't be, but some random fuzzing should easily trigger out of bounds reads or writes.
Lockdown mode alters the iMessage user flow to such an extent that I don't see Apple enabling it by default. I don't think Lockdown prevents the RCE exploit, but I do think it simply blocks iMessage interactions from unknown numbers, so that the exploit can't even load.
The older one? Probably but I think the way it combined multiple overflows would have required a fairly advanced fuzzer, especially to look exploitable. The main point I had was that while fuzzing would have found interesting ways to crash ImageIO with PDFs, most people wouldn’t have expected that to be reachable without a click from iMessage. The relevant teams could have been rewriting everything they care about in Rust and this still would have happened because it was an obsolete usage of a format they don’t even use but which could be pulled in by the old GIF preview path.
I agree that most Lockdown mode features won’t be pulled in but looking at that list, note how many stop a NSO zero-click by adding a “have you ever interacted with this person?” filter to iMessage, FaceTime, HomeKit, etc. That makes me wonder whether a more polished UI might be acceptable to normal users where new numbers are basically text-only with warnings.
While not discounting the need to increase investment in this area, I will mention that there are very few things that can be solved by #buzzwords and #hashtags.
Apple has a long history of investing in all kinds of mitigations and security devices that make the App Store model secure and an equally long history of procrastinating on what is again and again and again causing their customers to be exploited.
A while ago I was surprised to learn that MS Internet Explorer had team of about 10 developers (I expected more) when MS already had more than 50000 employees total. Now knowing a bit more how sausages are made I would not be surprised to learn that this particular image decoder was maintained in Apple by a couple developers. To some extent this can be seen in corporations too: https://xkcd.com/2347/
If that. This weekend I ran into a TIFF decoding issue (Canon scanner produces TIFFs with embedded JPEG compression with different parameters than the outer TIFF container). This is an issue with libtiff and affects any Mac or iOS app using CoreGraphics, anything using ImagMagick, etc. GIMP, Nikon NX Viewer, and others with their own TIFF implementations are unaffected.
I doubt anyone at Apple cares. If a CVE is filed for libtiff, they’ll rebase, but I doubt they are actively fuzzing it or even have regression tests for it.
Coverage-guided fuzzing is extremely powerful and has proven to be very effective at finding oodles of vulns. But it is not perfect. You'll fail to drive the code to a bug or run into limitations of the sanitizers to actually detect a vuln.
You can stand up fuzz targets at all of the relevant endpoints and throw tons of compute at it and still fail to find lots of things. The problem is unsafe languages. Apple is taking steps to get things moved to swift, but it is slow going.
There was no fuzzing for this exploit lmao they developed a rudimentary assembly language inside the hacked pdf encoder by meticulously choosing the exact 70,000 pixel maps that overwrote the write pointers. And that's after they got the overflow exploit giving them control of the encoder/emulator.
Sure, but “internal bounties have fundamental problems of incentives at any scale” is a different problem than “Apple can't afford internal bounties on an adequate scale to compete with nation-state attackers”.
Unit 8200 is single largest Israeli military unit, their entire tech industry is filled with 82xx, 81xx and 99xx alumni.
This is what happens when you have universal conscription and the intelligence corps get their pick of the brightest conscripts.
It still doesn’t make them a state actor anymore than the dozen or so European malware vendors and the probably far more numerous US ones and that is before looking into the defense sector proper.
> NSO Group is a subsidiary of the Q Cyber Technologies group of companies.[7] Q Cyber Technologies is the name the NSO Group uses in Israel, but the company goes by OSY Technologies in Luxembourg, and in North America, a subsidiary formerly known as Westbridge. It has operated through various other companies around the world.[18]
Because sandboxing on iOS is terrible. Not that any of the other commercial vendors are any better.
If they could provide good sandboxes do you think the highest security certifications advertised on their website [1][2] would only certify protection against attackers with “basic attack potential”, the lowest possible level. Three whole levels below “moderate attack potential”. I mean, seriously, they certify their security sucks on their website, is it any wonder their security sucks.
No. From a security perspective a Common Criteria certification to the lowest possible level does not establish meaningful security. That is kind of the point.
The companies that develop easily hacked systems that are repeatedly hacked hundreds of times a year like Apple, Microsoft, Cisco, Amazon, Google, etc. can only achieve certification levels indicating they are easily hacked. They have never once succeeded at certifying meaningful security. The certification is pinpoint accurate, just the trillion dollar commercial IT companies do not like the results.
I agree it is largely not a useful differentiator, but that is because all of the commercial IT vendors are certified incompetent. The Common Criteria will not help you determine which fish in the barrel is hardest to shoot. Its job is to distinguish serious security by professionals.
It takes a while. At Google at least, new systems in android are required to be built in rust and there are major efforts to rewrite significant systems. But it takes time and rewrites are dangerous in other ways. And you need all the tooling to handle everything else an engineer does beyond simply writing code.
From where I sit, it also feels like the industry has really only coalesced around "the only real solution is safer languages" in the last 2-3 years. "Rewrite it in swift/rust" was way more controversial in 2019. So hopefully we'll see significant progress in the next several years.
How long do you think it is reasonable to go from "we are now in agreement that rewriting stuff is the right call" to "all media processing code is written in a memory safe language"?
1) Because that takes work
2) Because that makes things a bit slower, so it’s a stand-off between Apple and Google because neither of them wants to be the “laggy” phone
Image decoding can be ported to rust, however most video/image decoding software is rarely ported (performance reasons and what not) - and used as a library instead.
Java would have similar issues as well. It'd be using a compiled C code as an external library in cases like these.
[1]: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...