There is a take that companies like Apple are never going to be able to stop well-resourced attackers like NSO from launching targeted attacks. At the extremes this take is probably correct. But adopting cynicism as strategy is a bad approach. 1/
https://twitter.com/dogemocenigo/status/1417083674395283457
First, look at how Pegasus and other targeted exploits get onto your phone. Most approaches require some user interaction: a compromised website or a phishing link that users have to click.
iMessage, on the other hand, is an avenue for 0-click targeted infection. 2/
iMessage, on the other hand, is an avenue for 0-click targeted infection. 2/
While we can’t have “perfect security”, closing down avenues for interactionless targeted infection sure seems like a thing we can make some progress on. 3/
And in fact we’ve seen Apple make some progress on this in the past. Starting recently, Apple added a “firewall” called Blastdoor to iMessage. This is supposed to prevent attacks like Pegasus. Obviously it doesn’t work, but it at least ups the cost of these exploits. 4/
The reason Apple added a firewall is because they obviously *don’t* feel that iMessage is secure by itself. There’s too much unsafe parsing code. Adding a firewall is basically an admission that the core product can’t be secured in its current form. 5/
So it seems fairly obvious that ripping out memory-unsafe parsing code and disabling advanced (non plain-text) features — while not guaranteed to solve the problem — is still an open problem, something that Apple can devote its enormous resources to. 6/
Another area that Apple has already stepped up their game is in logging. Apple power monitoring telemetry records information about weird process “hang” events, which can sometimes trip up exploits. There’s a privacy tradeoff here, but Apple should lean into this. 7/
Even small improvements can make these exploit attempts risky — even just a little risky — by improving the chance that a whole exploit chain gets uncovered and patched. That risk can be the difference between 10,000 targets and 100. 8/
Apple has also been doing tons of stuff on the silicon/firmware side, like adding PAC and (soon) MTE. It looks like people have found their way around PAC (or just avoided it) but MTE may have more impact. developer.arm.com/-/media/Arm%20…
Of course none of these things help unless Apple turns them on (in all relevant code). Doing this has loads of costs: it can break stuff. You want Apple to have a fire under their ass to put in the effort and take those risks. “There’s no perfect security” is anathema to that.
Also: I think people need to appreciate the *difference* between “100 high value targets” and “10,000 targets, including random journalists”. There is a big difference from society’s point of view… 11/
Right now a couple of non-US journalists I talk to have told me all their sources are clamming up. They’re afraid that reporters’ phones are tapped with Pegasus. I’m sure the scum who launched these attacks are thrilled with this. 12/
While we may never stop targeted attacks, making them expensive enough *to prevent them from being credibly mass-deployed against journalists* is a huge benefit to society. It represents a qualitative improvement. 13/
Anyway I don’t have the answer to any of this. I don’t do software exploits, I just hang around people who do. But it’s obvious that we can do better — and doing so will boost exploit costs and risk in beneficial ways. The way to get companies to do better is public pressure. //
• • •
Missing some Tweet in this thread? You can try to
force a refresh
