{"id":19434,"date":"2022-06-24T10:30:18","date_gmt":"2022-06-24T18:30:18","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/24\/news-13167\/"},"modified":"2022-06-24T10:30:18","modified_gmt":"2022-06-24T18:30:18","slug":"news-13167","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/24\/news-13167\/","title":{"rendered":"The surveillance-as-a-service industry needs to be brought to heel"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/linux_security_vs_macos_and_windows_locks_data_thinkstock-100748607-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans | Date: Fri, 24 Jun 2022 09:40:00 -0700<\/strong><\/p>\n<p>Here we go again: <a href=\"https:\/\/www.computerworld.com\/article\/3665050\/italian-spyware-firm-is-hacking-into-ios-and-android-devices-google-says.html\">another example of government surveillance involving smartphones<\/a> from Apple and Google has emerged, and it shows how sophisticated government-backed attacks can become and why there&#8217;s justification for keeping mobile platforms utterly locked down.<\/p>\n<h2><strong>What has happened?<\/strong><\/h2>\n<p>I don\u2019t intend to focus too much on the news, but in brief it is as follows:<\/p>\n<ul>\n<li>Google\u2019s Threat Analysis Group has <a href=\"https:\/\/blog.google\/threat-analysis-group\/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan\/\" rel=\"noopener nofollow\" target=\"_blank\">published information revealing the hack<\/a>.<\/li>\n<li>Italian surveillance firm RCS Labs created the attack.<\/li>\n<li>The attack has been used in Italy and Kazakhstan, and possibly elsewhere.<\/li>\n<li>Some generations of the attack are wielded with help from ISPs.<\/li>\n<li>On iOS, attackers abused Apple\u2019s enterprise certification tools that enable in-house app deployment.<\/li>\n<li>Around nine different attacks were used.<\/li>\n<\/ul>\n<p>The attack works like this: The target is sent a unique link that aims to trick them into downloading and installing a malicious app. In some cases, the spooks worked with an ISP to disable data connectivity to trick targets into downloading the app to recover that connection.<\/p>\n<p>The zero-day exploits used in these attacks have been fixed by Apple. It had\u00a0previously warned that bad actors have been <a href=\"https:\/\/www.apple.com\/privacy\/docs\/Building_a_Trusted_Ecosystem_for_Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf\" rel=\"noopener nofollow\" target=\"_blank\">abusing its systems that let businesses distribute apps in-house<\/a>. 
The revelations tie in with recent news from Lookout Labs of enterprise-grade Android spyware called Hermit.<\/p>\n<p>The problem here is that surveillance technologies such as these have been commercialized. It means capabilities that historically have only been available to governments are also being used by private contractors. And that represents a risk, as highly confidential tools may be revealed, exploited, reverse-engineered and abused.<\/p>\n<p>As\u00a0<a href=\"https:\/\/blog.google\/threat-analysis-group\/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan\/\" rel=\"noopener nofollow\" target=\"_blank\">Google said<\/a>:\u00a0\u201cOur findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.\u201d<\/p>\n<p>Not only this, but these private surveillance companies are enabling dangerous hacking tools to proliferate, while making these high-tech snooping facilities available to governments \u2014 some of which seem to enjoy spying on dissidents, journalists, political opponents, and human rights workers.\u00a0<\/p>\n<p>An even bigger danger is that Google is already tracking at least 30 spyware makers, which suggests the commercial surveillance-as-a-service industry is strong.\u00a0It also means that it&#8217;s now theoretically possible for even the least credible government to access tools for such purposes \u2014 and given so many of the identified threats make use of exploits identified by cybercriminals, it seems logical to think this is another income stream that encourages malicious research.<\/p>\n<p>The problem: these close-seeming links between purveyors of privatized surveillance and cybercrime won\u2019t always work in one direction.\u00a0Those exploits \u2014 at least some of which appear to be sufficiently 
difficult to discover that only governments would have the resources to be able to do so \u2014 will eventually leak.<\/p>\n<p>And while Apple, Google, and everyone else remain committed to a cat-and-mouse game to prevent such criminality, closing exploits where they can, the risk is that any government-mandated back door or device security flaw will eventually slip into the commercial markets, from which it will reach the criminal ones.<\/p>\n<p>Europe\u2019s Data Protection regulator warned: \u201cRevelations made about the Pegasus spyware raised very serious questions about the possible impact of modern spyware tools on fundamental rights, and particularly on the rights to privacy and data protection.\u201d<\/p>\n<p>That\u2019s not to say there aren\u2019t legitimate reasons for security research.\u00a0Flaws exist in any system, and we need people to be motivated to identify them; security updates wouldn\u2019t exist at all without the efforts of security researchers of various kinds. Apple <a href=\"https:\/\/developer.apple.com\/security-bounty\/\" rel=\"noopener nofollow\" target=\"_blank\">pays up to six figures<\/a> to researchers who identify vulnerabilities in its systems.<\/p>\n<p>The EU\u2019s data protection supervisor called for a ban on the use of <a href=\"https:\/\/www.computerworld.com\/article\/3641261\/apple-pulls-no-punches-in-lawsuit-against-amoral-nso-group.html\">NSO Group\u2019s infamous Pegasus software<\/a> earlier this year. 
In fact, the call went further, outright seeking a \u201cban on the development and deployment of spyware with the capability of Pegasus.&#8221;<\/p>\n<p>NSO Group is now apparently\u00a0<a href=\"https:\/\/www.ft.com\/content\/371b4adf-39f4-4c72-bee7-bf440f252b5a\" rel=\"noopener nofollow\" target=\"_blank\">up for sale<\/a>.<\/p>\n<p>The <a href=\"https:\/\/www.europarl.europa.eu\/RegData\/etudes\/IDAN\/2022\/732268\/IPOL_IDA(2022)732268_EN.pdf\" rel=\"noopener nofollow\" target=\"_blank\">EU also said<\/a> that in the event such exploits were used in exceptional situations, such use should require that companies <a href=\"https:\/\/www.computerworld.com\/article\/3625871\/iphone-spyware-its-a-dirty-job-but-nsos-gonna-do-it.html\">such as NSO<\/a> themselves be made subject to regulatory oversight.\u00a0As part of that, they must respect EU law, judicial review, criminal procedural rights and agree to no import of illegal intelligence, no political abuse of national security and to support civil society.<\/p>\n<p>In other words, these companies need to be brought into line.<\/p>\n<p>Following revelations about NSO Group last year, Apple\u00a0<a href=\"https:\/\/support.apple.com\/en-us\/HT212960\" rel=\"noopener nofollow\" target=\"_blank\">published the following best practice recommendations<\/a> to help mitigate such risks.<\/p>\n<p><em>Please follow me on\u00a0<a href=\"https:\/\/twitter.com\/jonnyevans_cw\" rel=\"nofollow noopener\" target=\"_blank\">Twitter<\/a>, or join me in the\u00a0<a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"nofollow noopener\" target=\"_blank\">AppleHolic\u2019s bar &amp; grill<\/a>\u00a0and\u00a0<a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"nofollow noopener\" target=\"_blank\">Apple Discussions<\/a>\u00a0groups on MeWe.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3665052\/the-surveillance-as-a-service-industry-needs-to-be-brought-to-heel.html#tk.rss_security\" 
target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/linux_security_vs_macos_and_windows_locks_data_thinkstock-100748607-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 24 Jun 2022 09:40:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Here we go again: <a href=\"https:\/\/www.computerworld.com\/article\/3665050\/italian-spyware-firm-is-hacking-into-ios-and-android-devices-google-says.html\">another example of government surveillance involving smartphones<\/a> from Apple and Google has emerged, and it shows how sophisticated government-backed attacks can become and why there&#8217;s justification for keeping mobile platforms utterly locked down.<\/p>\n<h2><strong>What has happened?<\/strong><\/h2>\n<p>I don\u2019t intend to focus too much on the news, but in brief it is as follows:<\/p>\n<ul>\n<li>Google\u2019s Threat Analysis Group has <a href=\"https:\/\/blog.google\/threat-analysis-group\/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan\/\" rel=\"noopener nofollow\" target=\"_blank\">published information revealing the hack<\/a>.<\/li>\n<li>Italian surveillance firm RCS Labs created the attack.<\/li>\n<li>The attack has been used in Italy and Kazakhstan, and possibly elsewhere.<\/li>\n<li>Some generations of the attack are wielded with help from ISPs.<\/li>\n<li>On iOS, attackers abused Apple\u2019s enterprise certification tools that enable in-house app deployment.<\/li>\n<li>Around nine different attacks were used.<\/li>\n<\/ul>\n<p>The attack works like this: The target is sent a unique link that aims to trick them into downloading and installing a malicious app. 
In some cases, the spooks worked with an ISP to disable data connectivity to trick targets into downloading the app to recover that connection.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10462,2211,10480,10554,714,24580],"class_list":["post-19434","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-android","tag-apple","tag-ios","tag-mobile","tag-security","tag-small-and-medium-business"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19434"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19434\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19434"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated"
:true}]}}