New NSO Group Zero-Click Exploits Show Why Privacy Hackers Will Always Defeat Apple (and Everyone Else)

You may have heard of Apple. No company is worth more; their market capitalization sometimes reaches USD3tn. You may have also heard of NSO Group, an Israeli business that sells phone spyware on the pretext it must only be used for good reasons and should never be used for bad reasons. Despite this, there have been many occasions when their Pegasus software has been used to abuse the rights of politicians, journalists and activists. Last year NSO Group announced the need to cut 100 staff because of the high costs involved in selling the privacy equivalent of a nuclear bomb. If Apple and NSO Group engaged in a brawl, it would be obvious which one is David and which is Goliath. And yet, Apple was once again forced to scramble to patch the iPhone operating system after the discovery of another zero-click zero-day exploit that NSO Group was using to install spyware.

According to Citizen Lab, the Canadian interdisciplinary team that first publicized the widespread abuse of NSO Group spyware, new tricks for secretly installing Pegasus were identified this month:

…while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.

Citizen Lab called the exploit ‘BLASTPASS’. It takes advantage of the way iPhones process images sent via their proprietary iMessage system. Apple issued two Common Vulnerabilities and Exposures (CVEs) in response. Even users of the latest iOS version, 16.6, are at risk. All devices running iOS and iPadOS should be updated.

I could provide further analysis, but why bother? The security profession, and the IT sector in general, is stuck in a loop of never seeing the forest because it is more convenient to examine trees in detail. Even if networked products are made by companies that have the resources available to Apple, and even if those companies care as much about privacy as Apple seems to care, we should expect the products will be subverted by organizations with relatively modest means. Security by design is a pleasing mantra, not a credible goal. When governments threaten to undermine security in order to pursue the same law enforcement objectives that are also used to justify the existence of NSO Group, security experts form ugly online mobs that metaphorically seek to punish blaspheming politicians by impaling them on digital pitchforks. But all the security experts in the world can collectively offer no better defense than chasing down each new vulnerability some time after crooks and spooks have used it.

The world does not have to be this way. Ironically, organized crime has repeatedly demonstrated how communications could be safer. Nobody is more motivated to preserve their privacy than criminals who need to trade with each other. They keep setting up networks, adapting hardware and rewriting software with the goal of not being spied upon. When they do it, they keep the system simple so there are fewer parts that can go wrong. And they still fail, because they are fighting governments that have far more freedom in how they deploy resources than any private sector corporation has. But their choices demonstrate why it may not be worth making compromises just so somebody can send an image, or start their car’s engine whilst standing on the opposite side of the street, or switch off light bulbs using an app instead of flicking a physical switch with a finger. Security by design is a good principle, but so is the principle that simpler technology is safer technology. The less a system can do, the less it can be undermined.

When it comes to safety, less is more. But corporations and consumers keep wanting more in practice, even if they say that safety is their top priority. That is why privacy hackers will keep taking advantage of human weakness, even if the brightest and the best organizations try to oppose them.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.