How was Bezos' iPhone hacked?

How was Bezos' iPhone vulnerable to malware? If it wasn't jailbroken, the security model of the iPhone should make this impossible, right?

This part is particularly disturbing if true:

Cybersecurity experts said some malware did not require anyone to click on the file for it to install on a phone.

https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-iphone.html

I just updated, did it help?

I fixed it for you, something was hinky there but it’s all working now :slight_smile:

All soooo scary. But I can't find any technical details/evidence in this article, or in any other article I've run across. Also, the "cybersecurity experts" are not identified, nor is it stated exactly what they said.

Actually there’s some uncertainty about what exactly got compromised.

Reading the article, it was his WhatsApp app that was impacted, not his iPhone.
You can hack any app in its sandbox if you have the right vulnerability and exploit it, that has nothing to do with iOS itself.

I would be more concerned about US congress mandating backdoors in iOS than a hacker attacking a single app.

1 Like

So maybe the photos and "text messages" that were stolen were all in WhatsApp. Most articles make it sound like the system Messages and Photos apps were compromised.

Hidden in that file was a separate bit of code that most likely implanted malware that gave attackers access to Mr. Bezos’ entire phone, including his photos and private communications.

“Entire phone” makes it sound like more than WhatsApp was compromised, but still not enough detail to say what actually was compromised.

You’re almost never protected against zero-day exploits used by nation-states. It’s been this way since forever.

1 Like

I mostly agree with you, except that once these kinds of vulnerabilities are used to exploit high-value targets, they tend to become known and then they become concerns for the rest of us. There are numerous publicly known zero-interaction exploits for older versions of iOS (and every other operating system under the sun).

I think that the takeaway here for everyday people is to not worry too much about zero-day vulnerabilities (they’re treated as highly valuable and not to be trivially used assets by those who have them), but to also make sure to run the most up to date version of your OS that’s available.

Keeping up to date with iOS is a pain though, because Apple insists on bundling security updates (very nearly) only with feature updates, which makes installing the latest something of a gamble. I really wish they would do with iOS as they do with macOS and release security patches for the previous major version. (I think with macOS they do it for two versions back, but I’m not going to be greedy and ask for that). Having said that, Apple is way, way better than pretty much every mobile device vendor out there at delivering security updates.

1 Like

I’m not a security expert, but I am a software developer and I’ve read about the iOS security model and it is supposed to be designed specifically to stop malfunctioning apps from compromising the rest of the system. Is that not true?

Implementation flaws trump good design any day of the week :slight_smile:

Exactly. If a major government, or a small one with a lot of money, wants to pop a shell or root your phone, they will probably be able to do it. Nothing is unhackable.

In this case it's an issue of a sophisticated 14-byte(!) WhatsApp (hi Facebook!) exploit that apparently allowed it to connect to a server within chat (remember, WhatsApp is E2E encrypted, so Apple isn't much involved here) to download the payload of spying tools, which might have escaped the iOS sandbox, resulting in months of exfiltration of data. But escaping the iOS sandbox might not even be necessary, as compromising WhatsApp itself would give access to mic, camera, photos, videos, etc.

From what I’ve read it might have fingerprints of Pegasus malware, created by Israel’s NSO Group. That malware has been around for years, and in 2016 used multiple unpatched iOS 9 vulnerabilities to successfully deliver Pegasus on iPhones.

More on Pegasus:

2 Likes

Given enough time and resources anything can be hacked. Question is how valuable is the target…

2 Likes

This got me wondering. Say it was a bug/exploit in WhatsApp and you've given WhatsApp permissions to your photos, contacts, reminders, Files, …; does that mean the hackers have access to all that?
That would feel close to the entire phone, with the sandboxing doing its job of letting you easily remove the permissions and so on, and keeping passwords etc. safe.

Let me know if I got that wrong please.

I think you’re spot on. It probably was the permissions given to the app that provided access. (but we can’t be sure)

The FTI report states, “more than 6GB of egress data was observed using exfiltration vectors such as nsurlsession, Mobile Safari, and Apple’s email client following the initial spike on May 2, 2018.”

Therefore it seems that the WhatsApp sandbox was pierced via at least one zero-day exploit.
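The reasoning in the post above (a single egress spike followed by data leaving through several processes that are not the chat app) can be turned into a simple triage check. The following is an added example, not code from the thread, the FTI report or any vendor: it runs over a constructed, made-up table of per-process daily egress bytes, establishes a baseline, flags spike days, and lists which processes other than the app you granted permissions to were sending data afterwards. The process labels (`WhatsApp`, `nsurlsessiond`, `MobileSafari`, `MobileMail`), the dates and all byte counts are assumptions chosen to mirror the quoted report, not real telemetry.

```python
"""Egress-spike triage (added example; constructed data, not real telemetry).

Idea from the thread: if, after one spike, outbound data flows through
processes unrelated to the compromised app (URL session daemon, Safari,
Mail), the app sandbox alone no longer explains what is observed.
"""

from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (day, process, bytes_out).
# Process names and volumes are assumptions for illustration only.
SAMPLE_EGRESS = [
    ("2018-04-28", "WhatsApp", 12_000_000),
    ("2018-04-28", "MobileSafari", 30_000_000),
    ("2018-04-29", "WhatsApp", 9_500_000),
    ("2018-04-29", "MobileSafari", 25_000_000),
    ("2018-04-30", "WhatsApp", 11_000_000),
    ("2018-04-30", "MobileSafari", 40_000_000),
    ("2018-05-01", "WhatsApp", 10_500_000),
    ("2018-05-01", "MobileSafari", 28_000_000),
    # Assumed spike: several non-chat processes start sending large volumes.
    ("2018-05-02", "WhatsApp", 120_000_000),
    ("2018-05-02", "nsurlsessiond", 950_000_000),
    ("2018-05-02", "MobileSafari", 400_000_000),
    ("2018-05-02", "MobileMail", 300_000_000),
    ("2018-05-03", "nsurlsessiond", 800_000_000),
    ("2018-05-03", "MobileMail", 200_000_000),
]

# Days used to learn what "normal" egress looks like (assumption).
BASELINE_DAYS = ["2018-04-28", "2018-04-29", "2018-04-30", "2018-05-01"]


def daily_totals(records):
    """Sum bytes_out per day across all processes."""
    totals = defaultdict(int)
    for day, _proc, nbytes in records:
        totals[day] += nbytes
    return dict(totals)


def spike_days(records, baseline_days, z=3.0):
    """Days outside the baseline whose total egress exceeds mean + z * stdev
    of the baseline days' totals (a deliberately simple threshold)."""
    totals = daily_totals(records)
    base = [totals.get(d, 0) for d in baseline_days]
    threshold = mean(base) + z * pstdev(base)
    return sorted(d for d, t in totals.items()
                  if d not in baseline_days and t > threshold)


def egress_vectors_after(records, start_day, expected_app):
    """Bytes sent per process from start_day onward, excluding the app that
    was granted the permissions (the one a pure in-sandbox compromise would use)."""
    vectors = defaultdict(int)
    for day, proc, nbytes in records:
        if day >= start_day and proc != expected_app:
            vectors[proc] += nbytes
    return dict(vectors)


def total_egress_since(records, start_day):
    """Total bytes_out from start_day onward, all processes."""
    return sum(n for day, _p, n in records if day >= start_day)


def sandbox_breach_suspected(records, baseline_days, expected_app, z=3.0):
    """Return (suspected, vectors): suspected is True when, after the first
    spike day, data left through processes other than expected_app."""
    spikes = spike_days(records, baseline_days, z)
    if not spikes:
        return False, {}
    vectors = egress_vectors_after(records, spikes[0], expected_app)
    return bool(vectors), vectors


if __name__ == "__main__":
    spikes = spike_days(SAMPLE_EGRESS, BASELINE_DAYS)
    suspected, vectors = sandbox_breach_suspected(SAMPLE_EGRESS, BASELINE_DAYS, "WhatsApp")
    print("spike days:", spikes)
    print("egress since first spike (bytes):", total_egress_since(SAMPLE_EGRESS, spikes[0]))
    print("non-WhatsApp egress vectors:", vectors)
    print("sandbox breach suspected:", suspected)
```

On this constructed data the two May days are flagged and the vectors listed are the URL session daemon, Safari and Mail, which is the shape of evidence the post reasons from. It is a coarse triage rule: Safari has baseline traffic too, so an analyst would compare each process against its own baseline, and pstdev on four baseline days is a rough estimate rather than a statistically robust one.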

There have been exploitable bugs in core iOS components used by iOS apps that could be used to gain full access to the device and escape any sandbox. Some of them are in media processing libraries, so all that is needed for exploitation is to view a photo or video (both of which could be sent as email, iMessages, or viewed on a web page) and no interaction after that.

That sounds like scary stuff, but as has been pointed out above, the chances of any of us falling victim to the first use of that kind of bug are extremely low due to their high value and rarity. Once they’re discovered though, the chances increase.

(I say iOS because that’s what we’re discussing, but every OS has these issues.)

The thing to remember though is that the journalists who write these types of articles are almost never the publication's tech writers, and so you have to take phrases like "entire phone hacked" with a massive pinch of salt, as the journalist likely doesn't have the specialist knowledge to know any better.

The NSO Group Pegasus exploit had a zero-day in Mobile Safari (buffer overflow if I remember correctly) that was able to jailbreak an iPhone; from there they (Pegasus) had hacked .ipa files for WhatsApp, Facebook etc… Apple released an out-of-band patch for the Pegasus Safari hack back in 2016. If that is the case here, NSO may have had another zero-day to jailbreak Bezos' iPhone and capture the data that way.

And more recently (last May):

1 Like

I remember, before the iPhone, having arguments with Windows users where I would claim the Mac had better security because it was based on Unix and had a better security model than Windows. My Windows friends would counter that Windows had more security exploits because it had 90+% market share, so it was more valuable to figure out the security holes there. Now that iOS is one of the dominant phone OSs, it seems like my Windows friends had a point. All software can be exploited, and part of it is that the bigger the market share, the bigger the target and the more hackers will pound on it.

1 Like