[smithkl42]

If I were in charge of, say, the Mossad, I would have as a significant part of my budget purchasing every single bluetooth device on the market, and set a bunch of underemployed Israeli CS grads to work at finding these vulnerabilities, and then putting them into an easily deployed toolkit. You want an asset with access to, say, an Iranian government office, to be able to walk through the building with a phone and take control of as many machines as possible.

Now that I think about it, I think you have to assume that they probably DO do this...

[drc500free]

This is kind of backwards. There aren't as many CS grads in Israel in the first place, because they already put their top talent through 8200. It's essentially a fully socialized Masters of computer engineering, and as a SIGINT shop they are learning this sort of thing. Once their 2-3 years of service is over (which doesn't result in student loans), the government makes a lot of seed funding available for startups and the TLV ecosystem is like a mini Bay Area.

Living with your parents is more socially acceptable, so they have a huge chunk of people in their 20s with no debt, low monthly expenses, strong technology expertise from their military service, in a founder hot spot, and access to capital. The result is a lot of unicorns, particular around cyber security (https://www.techaviv.com/unicorns).

Compare to the United States, where you have to dedicate 4 years to an undergrad program, go massively in debt, pay rent, and then struggle to find seed funding. The mental model of "oh, I guess we could apply some of the detritus of our failed system" misses the idea of having a successful system in the first place.

[4gotunameagain]

..and all that human capital is used to taint humanity itself, propagating inter generational trauma and conducting the second genocide of the last century, all justified by some religious texts.

[nkrisc]

An exercise like this sounds like it would be a rounding error in any country's national security or intelligence budgets. And now with AI you could probably automate the initial screening of devices for promising candidates for further manual exploration.

I would be kind of surprised if this wasn't standard practice, unless it's not nearly as productive as one might imagine it to be, and thus maybe not worth the effort. But cases like this show it could be pretty fruitful, but I suppose that depends on how it compares to whatever other methods intelligence agencies have that we may not know about.

[beng-nl]

Just a thought, but: maybe it’s even easier to (as well as do what you suggest, which is a good idea) build and sell buggy (ie backdoored) devices.

What’s easier, marketing or finding bugs :-)

(Not a rhetorical question)

[smithkl42]

Good point. The pager attack on Hezbollah was risky because it involved physically changing the pagers enough to put explosives in them. Quite a lot easier just to ship devices with some subtly insecure code.

[pessimizer]

Pretty sure that's what NSO Group (https://en.wikipedia.org/wiki/NSO_Group) is. Israeli intelligence could also just insert vulnerabilities in cheap garbage (or even more expensive garbage like this) for NSO or NSO-like Israeli orgs to take advantage of. We know they sell pagers.

[mike_hock]

There is no way that not every intelligence agency in the world is doing this.