by DarkByte8 1604 days ago
Why is the FBI paying to get Pegasus? Doesn't the US have the NSA to do this kind of hacking, or to find no-click zero days in Android/iPhone and share the zero days with the FBI? Or why hasn't someone tried to trick NSO into hacking a monitored phone and found out the zero day? I am having these questions because every time I hear about NSO there is this question in my head: "What is so special about NSO?" I see 2017, 2018, etc.; how can someone have zero days for years and no one copies the zero day or fixes the zero day? Why don't I hear about NSO's competition? Does it have competition?
7 comments

The NSA does have an organization devoted to developing these sorts of attacks that make the NSO group look like a bunch of kindergarteners as evidenced by the Snowden leaks. The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks. Almost without a doubt, the FBI, DHS, US Navy, US Army, and US Air Force all also have their own independent organizations that each make the NSO group looks like a bunch of kindergarteners given that developing a capability that makes NSO look like kindergarteners only costs on the order of ~$100M (i.e. less than a single jet fighter). There is absolutely nothing special about the NSO other than that they got caught and brought under the limelight.

The most likely reasons the FBI paid for access to Pegasus are: 1. It is another tool that frankly does not cost very much if you are the FBI. 2. The part of the FBI that bought it likely does not have authorization or possibly even knowledge of the other tools and contracted with NSO to gain those capabilities at the cost of just some money. This is like how a developer team in large stodgy old mega corporation might not be able to get IT to setup their servers so they just get a budget that they spend on AWS to do an end-run around their own IT organization.

The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail. If you have your own competent team you can reasonably expect to find a zero-click zero day with only a few person-months of effort which, even at US wages, is only a few 100k per zero day. At those prices, you could keep a dozen or so stockpiled for less than the cost of starting a McDonalds franchise, so they likely did maintain a dozen or so at any one time, so if one was discovered they could just switch over to a different one and write off the old one as a cost of doing business.

They absolutely do have competition. One high profile example is Hacking Team. In terms of overall competition, I do not have any hard information, but given the size of the vulnerability markets there are probably at least a couple dozen to a few hundred organizations similar in scope to the NSO group. We do not hear about them because they mostly sell to governments.

As someone who has worked Vulnerability Research/Exploit Dev for US based companies I'd consider this a bit misguided and is likely coming from someone not in the Vulnerability Research/Exploit Dev industry. I'm guessing you're getting these numbers from just reading Zerodium:

""" The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail """

In reality the final packaged product is worth exponentially more.

Also, Israel produces some of the best security research talent on the planet due to their national focus on cybersecurity, and funneling some of the most talented students in the country directly to 8200 starting in high school, and some of them end up going to NSO group after. None of the vulnerabilities/exploits in the Vault 7 leaks come close to the sophistication of the FORCEDENTRY exploit. I'm not saying the US doesn't have better capabilities and the NSA most certainly does because they have suppliers like Azimuth, but a lot of what you've stated is based in fantasy.

These are great points.

I don't see why the FBI wouldn't buy Pegasus. Does the above poster think the FBI can just call the NSA and tell it to decrypt a bunch of stuff? The NSA has its own mission and it's based on national security interests, not solving the everyday crime the FBI works on. The government isn't just one big club. I'm guessing it's likely the NSA isn't going to offer up its best tools to catch someone providing abortion access in Texas or "stealing" academic papers from JSTOR or "pirating" comic book movies. Not only is it a waste of their resources but every time a tool like this is used, the detection of that tool is possible, and with that detection Apple or whomever would figure out what the exploit is doing and patch against it. Now that tool is wasted because some FBI boss wanted a promotion thinking if he impersonated an Associated Press journalist to hack a teenager again like they did in 2007 it would impress some authoritarian higher up.

They can't waste these precious exploits on some culture war, IP enforcement thuggery, leftist organizers, unions, and mid-range drug dealers the FBI regularly beats up, murders (think Filiberto Ojeda Rios), harasses, and spies on. Even the NSA is low-key ACAB. So they just say no and tell the FBI to just let NSO potentially burn their exploits. The NSA and military intelligence has better things to spend it on (think Stuxnet-like scenarios).

tldr; the FBI operates on a level far below these other organizations and are far less important than any of them in the grand scheme of things. They're just well funded cops with all the problems cops bring. They're not getting NSA tools because they don't need them the same way your county sheriff doesn't need MRAPs to drive around in.

The sophistication of individual exploits is largely uninteresting; a bullet and a cruise missile both go through a piece of cardboard. Even quantity per target is largely uninteresting past the first couple, in much the same way that having 23 snipers trained on a person is not so different than 8. It is the breadth of attacks in the Vault 7 leak that makes the NSO group look like nothing. Maybe the NSO group could redirect their ~$250M/yr revenue and equalize in breadth with the CIA, but currently, from a strategic perspective, the CIA's programs are far more terrifying from a "what can they do" perspective. And, with high probability, there are at least a half dozen equivalent programs running in parallel just in the US government. That is how absurdly easy this all is; they do not even need to band together, each and every one can individually exploit a significant fraction of devices.

You are correct, I do not work in exploit development. My numbers are based on quotes vulnerability brokers have given for their inventory of zero-click iOS vulnerabilities (and other OS and application vulnerabilities) to some of my coworkers over the years. I have heard they have increased in price recently, though due to increased demand rather than increased difficulty of discovery, but I doubt the price of a raw exploit has breached the $10M mark yet. I have no knowledge as to the pricing on a final packaged consumer-friendly UI product.

Okay. Since you say I am underestimating according to your experience, can you supply, in your opinion, a 68% confidence interval estimate for the cost or effort required to purchase or develop a zero-click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

Israel did not need bullets or cruise missiles to shut down Iran's centrifuges twice. But I generally agree that the US three-letter agencies are better funded and have more sophisticated cyberwarfare toolkits.
> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks.

Have you actually looked at the Vault 7 leaks? There's nothing there far beyond the capabilities of an NSO-type actor. NSO is at the level of a nation state, but so are all the nation states. It's easy to think that funneling infinite money at something will just make you that much better at something, but this isn't true at all. Otherwise Apple and Google and Microsoft would just be unimaginably distanced from every other smaller company, and I'm sure you agree that they are not ;)

My hunch is that size is harming MS and Google. I bet smaller companies, more focused and with the same budget would achieve more.
> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks

Anyone even vaguely familiar with the Vault 7 leaks knows that they made the CIA look like a bunch of kindergarteners.

There's no doubt about the NSA's capabilities, but the Vault 7 crowd was clearly playing in the same league as most NSO group customers.

The FBI comment in this article is interesting in that they give an offhand excuse that it could be for evaluating foreign software and threats. It holds water. But so too does them buying it to use it.
wow, the word kindergarten is repeated four times, that doesn't communicate an abundance of confidence...
Because NSO is on a different level completely. Google engineers who analyzed NSA hacks found it to be "terrifying". See https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
Wow, thanks for that link. That's incredible:

> JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.

They say it's terrifying but this doesn't seem like an incredible advancement on any previous "weird machine" exploits. It's just nobody else has this problem to need to write a compiler like this.
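The quoted passage says the exploit builds an adder and a comparator out of nothing but logical bit operations over memory. As an added illustration (my own toy, not code from the thread or from the Project Zero write-up), here is a minimal "gate machine" whose only instructions are AND/OR/XOR/NOT on single memory cells, with a 64-bit ripple-carry adder and an unsigned comparator compiled into it; the command format, cell layout and function names are invented for this example.

```python
# Added example, not code from the thread or the Project Zero post it links: a toy
# "weird machine" whose only instructions are bitwise gates on single memory cells.
# The command format, cell layout and names are invented here for illustration.
GATES = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
         "XOR": lambda a, b: a ^ b, "NOT": lambda a, b: 1 - a}  # NOT ignores b

def run(cmds, mem):
    """Execute (op, dst, src_a, src_b) commands in order over a flat 0/1 memory."""
    m = list(mem)
    for op, d, a, b in cmds:
        m[d] = GATES[op](m[a], m[b])
    return m

def build_adder(w, x, y, out, s):
    """Ripple-carry adder over w bits (bit 0 = LSB); s..s+3 are scratch cells."""
    carry, t1, t2, t3 = s, s + 1, s + 2, s + 3
    cmds = [("XOR", carry, carry, carry)]  # carry = 0
    for i in range(w):
        cmds += [("XOR", t1, x + i, y + i),       # t1 = a ^ b
                 ("XOR", out + i, t1, carry),     # sum bit = t1 ^ carry
                 ("AND", t2, t1, carry),          # t1 & carry
                 ("AND", t3, x + i, y + i),       # a & b
                 ("OR", carry, t2, t3)]           # carry out
    return cmds

def build_gt(w, x, y, out, s):
    """Unsigned x > y, scanning from the MSB; s..s+3 are scratch cells."""
    eq, nb, t, u = s, s + 1, s + 2, s + 3
    cmds = [("XOR", out, out, out), ("XOR", eq, eq, eq), ("NOT", eq, eq, eq)]  # out=0, eq=1
    for i in reversed(range(w)):
        cmds += [("NOT", nb, y + i, y + i), ("AND", t, x + i, nb), ("AND", t, t, eq),
                 ("OR", out, out, t),             # x=1, y=0 here and all higher bits equal
                 ("XOR", u, x + i, y + i), ("NOT", u, u, u), ("AND", eq, eq, u)]
    return cmds

def put(mem, base, w, v):  # store integer v as w little-endian bits at cell base
    for i in range(w):
        mem[base + i] = (v >> i) & 1

def get(mem, base, w):  # read w bits at cell base back as an integer
    return sum(mem[base + i] << i for i in range(w))

def eval64(a, b):
    """Run both circuits on 64-bit a, b: returns (a + b mod 2**64, int(a > b))."""
    mem = [0] * 197  # x: 0..63, y: 64..127, sum: 128..191, gt: 192, scratch: 193..196
    put(mem, 0, 64, a); put(mem, 64, 64, b)
    prog = build_adder(64, 0, 64, 128, 193) + build_gt(64, 0, 64, 192, 193)
    m = run(prog, mem)
    return get(m, 128, 64), m[192]
```

The combined program is 772 gate commands for one 64-bit add and one compare, which gives a feel for why a real instance of this technique needs tens of thousands of such commands.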
Indeed. It’s a fairly logical step in exploit development, and (while a significant amount of impressive work) not a particularly novel idea.
I don’t think it’s a single or even a fixed collection of zero days, it’s an arms race that requires constant updates to the vulnerability catalog in order to be able to exploit the latest fully patched phones.
The competition for NSO within the US would be traditional defense contractors: Raytheon, L3Harris, etc.

One can make much more money with the DoD than the DoJ.

Law enforcement is not NSA's job. They have no reason to help FBI here.
NSO doesn't ask to see your warrant...
Paying is the key. NSA doing it for FBI would generate no profit for anyone. Given various loopholes exploiting arrangements between allied security services, I'd not be surprised if NSA were a source of 0days for NSO.
I would 100% be surprised if NSO was being supplied with vulnerabilities from government agencies. If anything it is likely to be the other way around.
> NSA were a source of 0days for NSO

Not directly; NSA requests tech companies to slow down 0day research so they and others can exploit them.

How are you aware of that?