by vivegi 1116 days ago
From the article

> We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a “black box”, in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made all the more difficult by Apple’s monopoly of research tools – making it a perfect haven for spyware. In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen.

5 comments

Shatters Apple's argument that all of these hurdles are better for security. I wonder if testimony like this could affect any of their antitrust lawsuits or right to repair lobbying.
Not "shatters", as while it is a valid counter, it doesn't tell you the relative strengths and weaknesses of the two approaches, only that Apple isn't perfect which should already have been assumed.

A stronger counter to Apple's argument is the relative pricing of exploits… but the story I'm remembering is old enough that I don't want to just assume it's still true, even though it's near the top of my search results:

https://www.wired.com/story/android-zero-day-more-than-ios-z...

Pricing in the exploit market is value based, not cost based.

You can sell an iOS exploit for more because the people you're targeting with it are generally wealthier.

> You can sell an iOS exploit for more

If you could sell it for more, but it seems you can't sell it for more.

This implies a large supply of zero-days competing with each other on price.

I reject this, but the thought makes me smile.
You can see that it's still the case (for Android exploits to be priced higher than Apple).

https://zerodium.com/program.html

It doesn't really shatter anything does it? People here are going to understand that there are trade-offs to every decision made.

I suspect iOS is not worse than the more open Android simply because senior management at Kaspersky are using iPhones. If anybody is choosing their platform with security in mind, it has to be them and they are going with iOS.

Previous nation-state level hacking on iPhones used exploits available on the (grey?) market. https://blog.google/threat-analysis-group/italian-spyware-ve...
And on that same page it says the Android version didn’t even require an exploit. The sneakiest thing that was required on Android was to write the word “Samsung” on the app icon so that users would click it.

Near the end, they say:

> This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need.

It reads more like an excuse than the actual reason.

Endpoint protection solutions can be installed in iOS devices. The device could also be wiped clean, eliminating the malware.

The latter should not be much of an issue in any serious organization. If any executive keeps critical data in a phone, that is already an issue.

The former is a hassle, but I have had to use locked down iPhones before, and the tradeoffs are still better than facing an intrusion.

The vulnerability and the vector could also have been present in a different form in Android devices.

All in all, I don't think this is the response Kaspersky should have come forward with.

> Endpoint protection solutions can be installed in iOS devices.

How does "endpoint protection solution" protect from 0-day exploits? I guess it can do that only in marketing materials, not in reality.

It could definitely help detect exfiltration, for instance.

This malware was running and spreading for years. It is actually surprising that it took a security company like Kaspersky so long to detect it.

I'm very happy Kaspersky has. And that they released a tool they believe can detect past and present infection with the Triangulation Trojan.

I've no idea to what extent it's possible to have a durable trojan on iOS (probably only the makers of such trojans do know).

It's absurd to say a company should not blow the whistle on a sophisticated attack when that company's job is just that!

> It's absurd to say a company should not blow the whistle on a sophisticated attack when that company's job is just that!

They should definitely do it.

They should also acknowledge that they did a shoddy job. They let the malware run unchecked for several years. It is clear that the safeguards they had in place did not work, not for protection, but especially for detection.

Instead, they chose to boost the image of their own products and bash a third party vendor with a questionable reasoning.

Apple's marketing might have a different stance but engineers on their security team don't really consider these to be security features.
> Shatters Apple's argument that all of these hurdles are better for security.

Sorry, I don't buy that this "shatters" anything besides people's misguided assumptions that anything can be perfectly secure without being fully disconnected.

Apple's iOS 16 supports iPhone 8, which was released in 2017, 5 years ago. Apple's iOS 15 supported iPhone 6, which was released in 2015, 7 years ago.

> Samsung’s previous promise to provide three years of upgrades and ensures millions of Galaxy users have access to the latest features for security, productivity, visual experience and more, for as long as they own their device.

https://news.samsung.com/us/samsung-galaxy-os-upgrade-one-ui...

They only _just_ changed to 4 years, last year.

> Samsung will now provide up to five years of security updates to help protect select Galaxy devices

They do mention 5 years of updates but only for _select_ galaxy devices (presumably the top of the line).

---

I am assuming anyone rooting/flashing is taking way more risks and security concerns into their own hands. But in length of support/security updates alone, Apple is winning.

I also wonder how long it actually takes a vulnerability patch (let's say for a zero day) to get out on Android and then through OEM security updates. (I haven't been on Android in too long to know this.) Apple actually just released a way for them to do this and have already used it once; they call it "Rapid Security Responses" (which you can switch off, although idk why you would).

https://support.apple.com/en-us/HT204204

Is Apple making that argument?
It doesn't shatter anything except Kaspersky's good judgement. If this is true the real question is:

Why are Kaspersky's management using iPhones?

Because they were deceived by Apple's quality promises?

If Apple really wanted to improve security (instead of just producing marketing claims about it) they would provide anyone with debugging symbols, root privileges and anything else needed for research and debugging.

> Because they were deceived by Apple's quality promises?

The point being, with Kaspersky as security experts, it really does call into question their judgement and expertise.

It's entirely rational to have believed iPhone to be more secure in the past, now believe Android is more secure, and yet remain on iPhone:

  1. At some point, weigh probabilities of exploits
  2. Update Bayesian priors as new evidence arrives
  3. Even if the initial decision currently appears incorrect, there needs to be a high enough difference in probability to justify switching, because in switching, you're still exposed to any persistent exploitation via the old exploits plus new exploits on the new platform
Switching back and forth the instant your Bayesian prior swings over/under 50% for Android being more secure than iPhone is a terrible strategy. (Also, you need to risk-weight your various exploit probabilities... security is a multidimensional quantity, so collapsing to a scalar is at least context-/threat-model-dependent.)
This is irrelevant to the fact that they claim expertise as to why the iPhone is less secure.

They aren’t just claiming it’s because of this one exploit or some exploit stats - they are making the claim that it’s because it’s not open source.

Since they knew this all along, we can conclude that they have poor judgment.

Why are top management at Kaspersky using iPhones, presumably they knew iPhones were a “black box” and a security risk.
I guess everyone at Kaspersky knew the risk of an attack was non-zero given their industry profile. Their SIEM finally caught it, albeit it is arguable if the detection was timely and as others in the thread have pointed out, their MDM should have detected the upgrade failures or version issues. We will probably hear about it in the detailed paper/presentation later.

Their rant on the closed nature of the iOS ecosystem is more around Apple's hold on the research tools. That is what I took from the statement, among other things.

What should they be using instead?
Eh, of course they did. It almost sounds like a honeypot, even. I think there is more to this than they're saying for now.
Why are they running iMessage? That’s the real vector here.
Actually, Apple should consider making iMessage open source.

Given it is such a popular attack vector, it probably benefits the iOS ecosystem to take the benefit of open source scrutiny. There are other messaging apps like Signal, WhatsApp, Telegram etc., so it is not like a copycat would suddenly emerge and threaten Apple's position. Apple holds the keys to the app store anyway and can review any potential copycat (supposedly malicious one) and prevent it from being released.

I don't think you can disable iMessage.
You can and this is trivially verifiable.
Right, you can turn off getting any messages entirely and deregister your phone from their network. I believe what I was remembering was you can't swap out the primary SMS receiving app like you can on Android. Unless something changed. Not everyone likes to live in a security bubble w/o phone access, even the security minded.
There is a switch in the Settings app to disable iMessage and just use SMS. This is an option for the built-in messaging app, no need to “swap” or install another app.
You can disable iMessage and still get plain SMS and MMS. The app is called Messages, and Apple's version of RCS is called iMessage.

But you are correct that you cannot switch to a different SMS/MMS app.

I have it disabled. One of the first things I do on a new install.
Why are they using iOS if they feel that way about it?

Also: iOS 16 is not vulnerable and it was released on September 12, 2022 - why are those phones out of date for so long?

That one of the bigger security companies seemingly didn't have MDM screaming bloody murder or outright blocking authentication for an endpoint this out of date is more than a little concerning.

Props to their SIEM for detecting it in the end, but this seems like it could've been detected and remediated a few weeks in (assuming it didn't also have the ability to spoof the iOS version).

That's why I believe this is a made up article for selling their security product.
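The compliance check the comments above say an MDM should have been running (devices still on iOS 15.x long after iOS 16 shipped on September 12, 2022, plus the "can no longer update" symptom the thread discusses), written here as an added example that is not Kaspersky's, Apple's or any MDM vendor's code. The inventory rows, the field names and the failed-update threshold are all constructed.

```python
from datetime import date
from typing import Optional

# Constructed MDM inventory rows (not real devices): device id, iOS version
# reported at last check-in, and how many OS-update attempts have failed in a row.
INVENTORY = [
    ("exec-01", "16.5",   0),
    ("exec-02", "15.7",   4),  # stuck on 15.7 and updates keep failing
    ("exec-03", "15.6.1", 0),  # old, but no failed update attempts recorded
    ("exec-04", "16.0",   0),
]

# Policy: iOS 16 was released 2022-09-12 (date from the thread); allow a 30-day rollout.
MIN_VERSION = (16, 0)
MIN_VERSION_RELEASED = date(2022, 9, 12)
GRACE_DAYS = 30
FAILED_UPDATE_THRESHOLD = 3  # assumed tuning value, not a vendor default


def parse_version(text: str) -> tuple:
    """'15.7.1' -> (15, 7, 1); tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def assess_device(dev_id: str, version: str, failed_updates: int,
                  today: date) -> Optional[dict]:
    """Return a finding dict for a non-compliant device, or None when it passes."""
    reasons = []
    past_grace = (today - MIN_VERSION_RELEASED).days > GRACE_DAYS
    if parse_version(version) < MIN_VERSION and past_grace:
        reasons.append("below minimum iOS version past grace period")
    # Repeated failed updates are the indirect indicator the thread mentions.
    if failed_updates >= FAILED_UPDATE_THRESHOLD:
        reasons.append("repeated failed OS update attempts")
    if not reasons:
        return None
    # Both signals together are the pattern worth an immediate wipe/reinstall ticket.
    severity = "high" if len(reasons) == 2 else "medium"
    return {"device": dev_id, "version": version, "reasons": reasons,
            "severity": severity}


def run_compliance(inventory=INVENTORY, today: date = date(2023, 6, 2)) -> list:
    """Run the policy over the whole inventory and return only the findings."""
    return [f for f in (assess_device(*row, today=today) for row in inventory) if f]


if __name__ == "__main__":
    for finding in run_compliance():
        print(finding)
```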
From the comments section on Securelist page on Operation Triangulation https://securelist.com/operation-triangulation/109842/

<extract>

> SECURELIST

> Posted on June 2, 2023. 11:10 am

> Hi Bil!

> We identified that the latest version of iOS that was targeted by Triangulation is 15.7. However, given the sophistication of the cyberespionage campaign and the complexity of analysis of iOS platform, we can’t guarantee that other versions of iOS are not affected.

</extract>

Does an OS upgrade remove this malware though? Maybe it doesn't and it's why so many phones were infected.
The article says:

> An indirect indication of the presence of Triangulation on the device is the disabling of the ability to update iOS.

So I assume that the malware stops working when iOS is updated. This highlights the tremendous importance of keeping software up to date.

> the disabling of the ability to update iOS.

This is done by the malware.

Indeed, the identified fix involves a factory reset and upgrading iOS to prevent the malware from taking over again.

That provides a simple explanation for why the phones are running such an old version: because they've been infected and unable to be updated for that entire time.

I guess execs at security firms are no better than average people when it comes to noticing that their phones never got the various new features (and emojis!) from the last year of OS updates.
Latest update from Kaspersky.

> June 02 2023 Update: triangle_check utility

> We have developed and made freely available the triangle_check utility, that can detect indicators of compromise in an Apple device backup. Detailed instructions on how to use it under different OSs (Windows, Linux and macOS), as well as how to create a device backup can be found in a post on Securelist. [1]

[1]: https://securelist.com/find-the-triangulation-utility/109867...

Does Kaspersky release its products under an open source license nowadays?
Wasn't whataboutism forbidden on HN?
And it's not RMS who said it :-)