Apple's report on this tries to soft-pedal it, but it includes this:

An application may be able to execute arbitrary code with kernel privileges

That's as bad as it can get. It means the bad guys can take complete control of the phone and do anything at all they want to.
posted by Chocolate Pickle at 10:32 PM on August 25, 2016 [4 favorites]

It means the bad guys irreproachably trustworthy anti-terrorism operatives can take complete control of the phone and do anything at all they want to.

Fixed that for freedom.
posted by flabdablet at 10:42 PM on August 25, 2016 [35 favorites]

This have anything to do with that phone the FBI wanted to access? Did they make this exploit? Fortunately, I'm wearing my tin-foil android as a hat, so I am fine.
posted by Thella at 10:45 PM on August 25, 2016 [3 favorites]

Thella, I was just about to ask the same thing. I think the San Bernadino shooter's phone needed a different kind of back door, though, because the FBI couldn't crack the iPhone's password system without risking the deletion of all the phone's data after n tries. This exploit seems to requires action on the part of a user once they're already in and using their phone, not stuck at the lock screen.
posted by Hermione Granger at 10:52 PM on August 25, 2016 [4 favorites]

Guess I'm changing my mind about an iPhone....
posted by sio42

If it's any consolation, it's not much exaggeration to say that stuff like this on Android is common enough that it doesn't make headlines. : \

Unless, of course, your intended alternative is, like, a Motorola RAZR.
posted by DoctorFedora at 10:54 PM on August 25, 2016 [36 favorites]

Seriously, though, this is a pretty big deal overall and folks, ya NEEDS ta KEEP your OPERATING SYSTEMS up to date
posted by DoctorFedora at 10:55 PM on August 25, 2016 [3 favorites]

There is no safe OS, and certainly no safe OS written in C.
posted by Slothrup at 10:59 PM on August 25, 2016 [11 favorites]

crazy mufukkas wanna watch me eat a sammich at 2 in the morning mumble mumble... mnch mnch mnch ... hey heres me in my unnawear ya stoopid spies ... zzzzz
posted by not_on_display at 11:02 PM on August 25, 2016 [8 favorites]

Although it sounds like bad news, this is good news: an OS update with a fix is available now.

That's a good point.
posted by a lungful of dragon at 11:02 PM on August 25, 2016 [2 favorites]

Using an operating system is fundamentally like sex. Nothing is 100% safe, especially if it's written in C. Wait this analogy needs some work
posted by DoctorFedora at 11:03 PM on August 25, 2016 [61 favorites]

these UAE fuckers really want mansoor's connections.
posted by lalochezia at 11:05 PM on August 25, 2016 [3 favorites]

To use NSO Group’s zero-click vector, an operator instead sends the same link via a special type of SMS message, like a WAP Push Service Loading (SL) message. A WAP Push SL message causes a phone to automatically open a link in a web browser instance, eliminating the need for a user to click on the link to become infected.

Um, wow. With features like these, who needs bugs??
posted by BungaDunga at 11:07 PM on August 25, 2016 [19 favorites]

Although it sounds like bad news, this is good news: an OS update with a fix is available now.

No, it's bad news, because deliberate late-adopters with old handsets are forced back into the hardware-commodity upgrade cycle. Zero-day handset OS exploits serve the interests of hardware manufacturers.
posted by mwhybark at 11:08 PM on August 25, 2016 [15 favorites]

Oh god, I don't even have an iPhone and I don't know how I'm gonna explain to my mom how to deal with this on hers.
posted by jenfullmoon at 11:12 PM on August 25, 2016 [2 favorites]

Zero-day handset OS exploits serve the interests of hardware manufacturers.

yeah but like

so does putting airbags into cars
posted by DoctorFedora at 11:13 PM on August 25, 2016 [32 favorites]

jenfullmoon, you tell her: "go to Settings, tap General, then tap Software Update"
posted by DoctorFedora at 11:17 PM on August 25, 2016 [25 favorites]

I don't know how I'm gonna explain to my mom how to deal with this on hers.

Open the Settings app, go to "General", then "Software Update". If it doesn't say "iOS 9.3.5 / Your software is up to date.", it will show iOS 9.3.5 as an available update. When connected to wifi and plugged in or with a reasonably full battery, tap "Download and Install", and once the download has finished tap "Install".

As long as she doesn't have an iPhone older than the iPhone 4S and isn't intentionally sticking to an out-of-date version of iOS, this should be fairly quick and easy. I was already on 9.3.4, so the security update only took a minute to download and install—if she was more behind on OS updates, it could take a bit longer. Her phone should also automatically prompt her to install the update at some point in the next couple of days (and nag if she doesn't update), if she doesn't do it manually first.
posted by JiBB at 11:23 PM on August 25, 2016 [6 favorites]

Zero-day handset OS exploits serve the interests of hardware manufacturers.

Like 3% of iPhone users are using phones that are too old for this update. If you throw in the 4S users still using older versions, that comes up to like 5%. Given that these people are demonstrated not to be a huge lucrative market, it's almost certainly better for Apple to just avoid the bad press and cost of deploying the update for the remaining 95% of devices.
posted by aubilenon at 11:27 PM on August 25, 2016 [4 favorites]

Zero-day handset OS exploits serve the interests of hardware manufacturers

Sure, but Apple is supporting 5-6 year old hardware with security updates still. One can argue about whether that's long enough, but it's not like 18-month old phones are being left unpatched like you see on Android.
posted by zachlipton at 11:27 PM on August 25, 2016 [23 favorites]

I'm trying to think of a more paranoid notion than that zero-day exploits benefit smartphone makers

Like, yes, I am so shocked at the gaping security hole found in my phone that I guess my only option is to buy another product made by the same company that made the thing that failed

Like there's some sort of conspiracy behind toothbrushes wearing out over time or something
posted by DoctorFedora at 11:35 PM on August 25, 2016 [16 favorites]

3%

This is not a small number to anyone except possibly Apple.
posted by regularfry at 11:36 PM on August 25, 2016 [9 favorites]

No, it's bad news, because deliberate late-adopters with old handsets are forced back into the hardware-commodity upgrade cycle. Zero-day handset OS exploits serve the interests of hardware manufacturers.

The next version of iOS, which hasn't come out yet, is going to run on iPhone 4S, a phone so old it was announced when Steve Jobs will still alive. There are Android devices you can go buy in the store right now that will not be supported long enough to get a single security update.
posted by sideshow at 11:44 PM on August 25, 2016 [37 favorites]

Given that these people are demonstrated not to be a huge lucrative market, it's almost certainly better for Apple to just avoid the bad press and cost of deploying the update for the remaining 95% of devices.

Yeah so fuck em amirite? Lol poors smdh

< /hamburger>
posted by clorox at 11:47 PM on August 25, 2016 [3 favorites]

I think that's more a reading of "can't make things 100% perfect so why even try"
posted by DoctorFedora at 11:56 PM on August 25, 2016 [9 favorites]

Ah, sideshow, it apparently actually won't support the 4S. It'll only support back to the iPhone 5, which was released in 2012.
posted by DoctorFedora at 12:01 AM on August 26, 2016

I'm kind of amazed that memory corruption hacks are still a thing, particularly on a closed platform like Apple's, running Apple's own software.
posted by Joe in Australia at 12:07 AM on August 26, 2016

According to Ars Technica, this has already been patched in the latest iOS 10 beta.

I'm kind of amazed that memory corruption hacks are still a thing, particularly on a closed platform like Apple's, running Apple's own software.

Their entire stack is written in C, so memory corruption exploits are going to be endemic.
posted by grahamparks at 12:20 AM on August 26, 2016 [2 favorites]

Using an operating system is fundamentally like sex. Nothing is 100% safe, especially if it's written in C. Wait this analogy needs some work

Can I submit, for your consideration, some variation on the M. Python jest, "Why is IOS like continually starring in illegal porno films dubbed for mer-people? - because it's always fucking, risky, in the C language".

No? Uh ... Oh yeah that was someone hacking my kernel. No, what I was going to say before I was hacked was: "Why is IOS like a gang of mid-ranking Army officers throwing rocks at their superior officer while he has sex in the ocean? Because there's a Major risk to your Fucking Colonel in the C".

Umm ... Yeah that one was hackers too. Not me. Hackers. Sure.
posted by the quidnunc kid at 12:41 AM on August 26, 2016 [23 favorites]

A truly horrendous zero-day exploit has been revealed

It's three zero day exploits, and a piece of code that takes advantage of them all to totally own your iPhone. The name "Trident" comes from the 3 zero-days used.

A modern OS has multiple layers of security so it takes more than one exploit to gain this much control over the device. It's like a prisoner who needs one trick to break out of his cell, another to get out of the building, and finally a third to get over the wall outside.
posted by w0mbat at 12:45 AM on August 26, 2016 [4 favorites]

Want a one-sentence explanation for how serious this attack was?

"This is like being in an episode of Person of Interest and having Harold Finch hack your phone."
posted by Major Clanger at 12:46 AM on August 26, 2016 [10 favorites]

So, as an iPhone 4 user, am I basically screwed?
posted by kyrademon at 12:48 AM on August 26, 2016

In fact, I would not be at all surprised if it turned out that the customer brief to NSO Group was to point them at PoI and ask for all that functionality, for real, please.
posted by Major Clanger at 12:49 AM on August 26, 2016

So the best way to capture zero days and collect bounties on them is become a pro democracy human honeypot?
posted by benzenedream at 12:52 AM on August 26, 2016 [6 favorites]

Tried to do this via iTunes just now. The download timed out a few times, there's no indication of how far along it gets, just one of those damn ubiquitous spinners that should be a UX badge of shame, there's no ability to pick up a failed partial download despite the fact that modest FTP clients did a better job with this 20 years ago.

Okay, well, let's try doing this on the phone, with General > Software Update... hey, look, there's progress bar, and an estimated time beneath it. That's nice. And the estimate seemed accurate, and now it's "preparing update."

Seems to fit with the general view of Apple's weird approach: iOS/mobile is important, but iTunes users can die in a fire. Possibly along with Mac users in general.
posted by wildblueyonder at 1:05 AM on August 26, 2016 [2 favorites]

Well, to be fair, iTunes has been kind of a dumpster fire for everything other than just playing music for roughly as long as iTunes has been able to do something other than just play music : P
posted by DoctorFedora at 1:15 AM on August 26, 2016 [20 favorites]

Hey, now! iTunes is a dumpster fire for playing music, too.
posted by Itaxpica at 1:20 AM on August 26, 2016 [60 favorites]

Thanks for this: updated this morning.
posted by Sonny Jim at 1:22 AM on August 26, 2016

Guess I'm changing my mind about an iPhone....

Isn't it odd that these types of musings never seem to complete the thought after the ellipsis.

Are they giving up on smartphones altogether? Do they have an alternative in mind that has documented better security protocols?
posted by fairmettle at 1:24 AM on August 26, 2016 [11 favorites]

They're gonna build their own rig from parts for their pocket computer needs
posted by DoctorFedora at 1:26 AM on August 26, 2016 [7 favorites]

From the technical report from security firm Lookout:

Based on artifacts in the code, this spyware has been in the wild for more than two years. The exploits have configuration settings that go all the way back to iOS 7, which was released in 2013 and superseded in 2014.

and

NSO Group reportedly has hundreds of employees and makes millions of dollars in annual revenue, effectively as a cyber arms dealer, from the sale of its sophisticated mobile attack software. NSO is only one example of this type of cyber mercenary: we know that it is not the only one, as we’ve seen with the Hacking Team, Finfisher, and other organizations that compete in this space.

While this report is focused on the iOS version of the software, Lookout and Citizen Lab are aware that NSO Group advertises Android and Blackberry versions and are investigating those as well.

So basically the world just flat out sucks if you're a dissident and you use any kind of smartphone.
posted by Rhomboid at 1:27 AM on August 26, 2016 [9 favorites]

Like 3% of iPhone users are using phones that are too old for this update.

Does that make us an elite? The "why should we have to pay top dollar to replace a perfectly functional piece of hardware because of a software exploit" elite? The "keep using expensive tech for as long as possible so that you minimise the impact on the planet of all the rare earth metals and plastic that goes into them" elite?

Oh well, at least my 2006 iPod still works.
posted by rory at 2:19 AM on August 26, 2016 [13 favorites]

They're gonna build their own rig from parts for their pocket computer needs

I'm hoping carriers and manufacturers start getting coerced into maintaining and securing older devices. There's a chance:
FCC And FTC Join Forces To Investigate Slow And Missing Security Updates On Mobile Devices
posted by sebastienbailard at 2:31 AM on August 26, 2016 [1 favorite]

Why iOS still has C legacy cruft that allows this sort of thing:

... Because iOS is basically a new application-level skin on top of the existing Mac OS X kernel, filesystem, and underpinnings.

... And Mac OS X started out as NeXTSTEP with a (classic) Mac OS compatability layer bolted on top to allow it to run legacy applications going back to 1984 or thereabouts.

... But NeXTSTEP in turn is a shiny new-in-1985 graphical interface on top of BSD UNIX running on a Mach microkernel.

... And development of the BSD UNIX distribution that went into that started in 1977.

TLDR: Your shiny new iPhone has software inside it that can trace its origins back nearly four decades. It's truly ancient, compared to most other technological artefacts you will use in your day-to-day life, and while it's very sturdy (it was designed by very smart people and since then it's been hammered by hundreds of millions of folk over multiple decades) it predates modern design practices centered around hardening software that runs in a hostile environment (because the environment your phone runs in was science fiction back then).

NB: Android isn't necessarily any better: Android is basically a graphical shell running on top of a Linux kernel and userland, and Linux turned 25 this week.
posted by cstross at 2:44 AM on August 26, 2016 [38 favorites]

So is there any operating system out there that matters that ISN'T built on C? To my understanding the Windows kernel and Android are also very C-heavy if not C-based.
posted by DoctorFedora at 3:07 AM on August 26, 2016 [3 favorites]

Tried to do this via iTunes just now. The download timed out a few times, there's no indication of how far along it gets, just one of those damn ubiquitous spinners that should be a UX badge of shame

Clicking on the spinner in iTunes provides the total file size, amount downloaded, and time remaining, with a progress wheel.
posted by AndrewInDC at 3:31 AM on August 26, 2016 [3 favorites]

My 4s is currently downloading, will let you know how it progresses. We're at "downloading", just using the phone's software updating service, because dumpster fire.
posted by Jilder at 3:37 AM on August 26, 2016

Well *points both thumbs at self* some handsome guy with a Cricket flip phone is looking preeeeetty smart right now. *smugly leans back in chair, falls backward*
posted by duffell at 3:40 AM on August 26, 2016 [36 favorites]

> So is there any operating system out there that matters that ISN'T built on C? To my understanding the Windows kernel and Android are also very C-heavy if not C-based.

Short answer is no. C is the systems programming language. There is at least one fan project to build an operating system in RUST, but that's not ready yet, and it's not going to run on your phone, and if you somehow managed to port it, it wouldn't support any apps.

Memory safety is not generally recognized as a business requirement by sales people.
posted by I-Write-Essays at 3:54 AM on August 26, 2016 [4 favorites]

I supose it's too much to hope that when they announce the new iPhone 7 presumably this month that they offer some sort of "turn in your 4/4S that we aren't going to patch for some credit towards new purchase" eh?

My iPhone 4 isn't obsolete, dammit, it's vintage
posted by romakimmy at 3:56 AM on August 26, 2016 [3 favorites]

Every security update comes with a link to HT1222. It is where Apple posts the list of bugs they patched.

Have a look some time. There's a "Visiting a maliciously crafted website may lead to arbitrary code execution" bug fixed in almost every iOS release. (Android version)
posted by you at 3:58 AM on August 26, 2016 [3 favorites]

Update: Patch installed without issue, vital apps all still loading fine. So unless mine is an outlier, the 4s is likely to be securable.
posted by Jilder at 4:02 AM on August 26, 2016 [1 favorite]

Their entire stack is written in C, so memory corruption exploits are going to be endemic

I wonder whether there's a project going on somewhere at Cupertino as we speak to rewrite the stack, from the Darwin kernel upwards, in Swift (a language which, if used without any self-consciously unsafe practices, eliminates the kinds of pointer errors endemic in C). It wouldn't surprise me if there was; it also wouldn't surprise me if, in some future iOS/MacOS version, the kernel was replaced with a Swift-based one without any high-profile announcement.
posted by acb at 4:05 AM on August 26, 2016 [1 favorite]

That's as bad as it can get. It means the bad guys can take complete control of the phone and do anything at all they want to.

Oooo, they can overlay one application's screen over another like with Android?!
posted by Brandon Blatcher at 4:07 AM on August 26, 2016 [5 favorites]

C is the systems programming language.

For historical reasons. (It coevolved with UNIX, and was adopted by Microsoft and Apple as well.) There is no reason why kernel-level code can't be written in a higher-level language. Apple's Swift should theoretically be up to the purpose; at the end stage, both C and Swift feed into the same LLVM code generator and produce tight machine code.
posted by acb at 4:08 AM on August 26, 2016 [2 favorites]

> There is no reason why kernel-level code can't be written in a higher-level language.

You just named named the reason. Historical reasons are the strongest chains of all. We'll need a lot of people and their students to die before we can move on. Once you put something in production, you have etched it in stone. 40 years of history is considered an advantage by decision-makers. Apple will need to suffer an existential crisis before they change their stack to something revolutionary.
posted by I-Write-Essays at 4:15 AM on August 26, 2016 [1 favorite]

Writing an entire operating system is a huge heavy lift, there's a reason that it's not done very often and that most companies re-use older projects like Linux or BSD. We're talking millions of lines of code here, not something that even Google or Apple really wants to pay engineers to re-invent.
posted by octothorpe at 4:28 AM on August 26, 2016 [4 favorites]

Though the most critical parts of it would be easier to replace. Rewriting libc in Swift would be an expensive and unrewarding undertaking, of the sort that would be put off until it's unavoidable. However, it would be far more important to rewrite the kernel and the logic that enforces access controls. iOS and macOS are based on Apple's Darwin kernel, which consists of a Mach-derived microkernel and a BSD-compatible subsystem. This is controlled by Apple, and is a fairly compact part of the OS, and is also nicely compartmentalised, communicating with clients through a combination of Mach ports and UNIX system calls.

If it is the received wisdom that nontrivial-sized code written in a C-like language with memory pointers is, by definition, full of holes, it would make sense for a project to develop a “next-generation kernel”, written in a safe language (which may or may not be Swift), maintaining compatibility with the existing interfaces sufficiently to serve as a drop-in replacement. Where the interfaces themselves are unsafe (due to throwing around memory buffers), the options would be to come up with new ones which are safer and deprecate the old one (keeping them for compatibility reasons, but error-checking the hell out of them, even if it reduces performance; if you want higher performance, use the new interfaces). Given that Apple control the stack, they could easily update the (C-based) libraries to switch over to the new interfaces in time for the same OS release as the kernel's debut.
posted by acb at 4:31 AM on August 26, 2016 [2 favorites]

Writing an entire operating system is a huge heavy lift, there's a reason that it's not done very often and that most companies re-use older projects like Linux or BSD. We're talking millions of lines of code here, not something that even Google or Apple really wants to pay engineers to re-invent.

OTOH, Apple invest a lot in controlling their stack; they design their own CPUs, for example. They also have a huge R&D budget, which has been growing rapidly throughout Cook's tenure. Throwing a few hundred engineer-years at rewriting the kernel for their OS family wouldn't be a bridge too far for them.
posted by acb at 4:46 AM on August 26, 2016 [3 favorites]

When I read "truly horrendous," I was expecting an exploit that would make the phone emit cancer-causing radiation, or explode in the user's hand, or something. Apparently, not so much.

"As security breaches go, this is fairly serious, considering how fast Apple addressed it," says Andrew Blaich, a staff researcher at Lookout.

posted by Kirth Gerson at 4:50 AM on August 26, 2016 [1 favorite]

Wow, when did C-hating becom4 a talking point of the don't hack me bro scene? That's new. I swear iv3 followed hundreds of these kinds of discussions and never saw it before.
posted by Bovine Love at 4:55 AM on August 26, 2016 [5 favorites]

I supose it's too much to hope that when they announce the new iPhone 7 presumably this month that they offer some sort of "turn in your 4/4S that we aren't going to patch for some credit towards new purchase" eh?

The UK store offers something of that kind already, so I checked what my own iPhone 4 would be worth. £25, apparently. I wonder if that will go down now that it's even more obsolete than planned.

When I read "truly horrendous," I was expecting an exploit that would make the phone emit cancer-causing radiation, or explode in the user's hand, or something. Apparently, not so much.

The example given in the "more coverage" link seemed horrendous to me. Prominent human rights defender Ahmed Mansoor was targeted with this exploit. The sort of people who would have reason to target him can't be up to anything good.
posted by rory at 5:05 AM on August 26, 2016 [1 favorite]

Wow, when did C-hating becom4 a talking point of the don't hack me bro scene?

Possibly since we had alternatives actually going somewhere. (In PL communities C has been a constant whipping boy for this reason).

Rust is the poster boy, and it's being used to write a web browser. Which if you haven't noticed is the front line defense in many attacks, including this one, and is subject to the same penetrate-patch-repeat cycle.

Swift is not really a language for kernels or C libraries, in its current form. It's an application programming language, designed as a sort of safe frontend to Objective C and the apple APIs.

C++ "core guidelines" are commonly fan-boyed as a Rust-killer, despite still needing massive handwaves when comparing its safety properties.

Shipping Rust in Firefox - LWN.net
"Safe C++ Subset" Is Vapourware
posted by sourcejedi at 5:06 AM on August 26, 2016 [2 favorites]

By reading these responses, i'm concerned if I keep my iphone 6 plus longer than a 2 year upgrade cycle. I'm tired of buying expensive phones every two years. If I wait until the phone breaks, will I continue to get critical updates like this?

Knowing apple, they will probably make it impossible to update several years out.
posted by 81818181818181818181 at 5:29 AM on August 26, 2016

Dude, I don't know what smartphone industry you've been watching, but Apple is literally your only hope for getting meaningful software support for more than like 18 months after release date on a smartphone.
posted by DoctorFedora at 5:34 AM on August 26, 2016 [26 favorites]

Try explaining to your luddite family why they can't just 'rewrite it in something secure'

Show them that report from Lookout that Rhomboid shared. Show them how much time and effort is spent 'unsecuring' everything.
posted by DigDoug at 5:34 AM on August 26, 2016 [2 favorites]

By reading these responses, i'm concerned if I keep my iphone 6 plus longer than a 2 year upgrade cycle. I'm tired of buying expensive phones every two years. If I wait until the phone breaks, will I continue to get critical updates like this?

The iPhone 4 was discontinued just under three years ago. The final iOS version it supports (7.1.2) was released just over two years ago. Your concern is justified.
posted by rory at 5:44 AM on August 26, 2016 [1 favorite]

I'm on a 4S: it will not admit there even ARE any updates, let alone install it.

Dammit, this thing is little more than three years old. I already knew I'm going to have to replace it soon-ish (the battery is starting to run down much faster than it used to), but damned if I enjoy spending money just to 'keep up with the (technological) Jones'.
posted by easily confused at 5:44 AM on August 26, 2016 [1 favorite]

hey heres me in my unnawear ya stoopid spies ... zzzzz
posted by not_on_display

Eponyster-ick-al
posted by aught at 5:56 AM on August 26, 2016

But if they patch this, how will Elliot hack the FBI? Shit, they're on to us, WIPE EVERYTHING. *sound of hard drives crackling in a microwave*
posted by fungible at 6:11 AM on August 26, 2016 [2 favorites]

> Dude, I don't know what smartphone industry you've been watching, but Apple is literally your only hope for getting meaningful software support for more than like 18 months after release date on a smartphone.

CyanogenMod isn't strictly part of the “industry”, but my 3 year old android unit is up-to-date with the latest Google security patches.
YMMV depending on model type and age, of course.
posted by farlukar at 6:25 AM on August 26, 2016 [5 favorites]

The sort of people who would have reason to target him can't be up to anything good.

So, maybe truly horrendous sorts of people. Doesn't make the exploit any more horrendous than some other one they might have used.
posted by Kirth Gerson at 6:32 AM on August 26, 2016

YMMV depending on model type and age, of course.

And therein lies the crux. Part of the selection of an Android handset is literally "will my phone get patched". The fact that this has to be an element of handset selection in 2016 is a complete fucking failure on behalf of the market.
posted by Talez at 6:35 AM on August 26, 2016 [6 favorites]

Swift is not really a language for kernels or C libraries, in its current form. It's an application programming language, designed as a sort of safe frontend to Objective C and the apple APIs

Not quite. Swift reaches to a lower level than Objective C; ObjC's model is a runtime dynamic dispatch model, closer to Python or Ruby in its operation. Swift is more statically typed and relies on more being done at compile-time (except for where it interfaces with legacy Objective C APIs); dispatch is done with C++-style virtual method tables. Meanwhile, the compiler is fairly smart and can generate pretty tight code from higher-level structures than the usual C pointer-arithmetic loops they replace. I'm not sure if it is ready for kernel use yet, though I see no reason why it'd be inherently unsuitable.
posted by acb at 6:42 AM on August 26, 2016 [4 favorites]

> How many people who run custom ROMs leave their bootloader unlocked?

Probably all of 'em. And in my case, it wasn't even locked to begin with.
I don't see that being easily exploited without physical access though, but I'm not much of an expert on that.
posted by farlukar at 7:08 AM on August 26, 2016

I'm tired of buying expensive phones every two years.

It's planned this way. Phone companies, like car dealerships, want you to make monthly payments to them for the rest of your natural life. Hopefully some day we'll catch on.
posted by Melismata at 7:10 AM on August 26, 2016 [1 favorite]

That detailed write-up is really great. I'm finding it hard to believe this stuff wasn't engineered by a government actor.

According to the Citizen's Lab report linked upthread, all signs point to a specific private sector group that sells their "consulting" services to governments.
posted by indubitable at 7:12 AM on August 26, 2016

Hopefully some day we'll catch on.

Once Moore's Law flattens out (in the next decade or two, sometime around vat-grown hamburgers and a cancer cure) and the design of the microprocessor/computer matures in the way the design of the automobile or the airliner has, perhaps then we will see phones/tablets which are built to last for life. (That'll will also be the time that luxury gadget brands like Vertu and things like the Apple Watch Edition become something other than ridiculous markers of having more money than common sense.)
posted by acb at 7:15 AM on August 26, 2016 [1 favorite]

According to the Citizen's Lab report linked upthread, all signs point to a specific private sector group that sells their "consulting" services to governments.

They're an Israeli security firm, so chances are they'd be pretty tight with Mossad/Shin Bet (the Israeli security establishment keeps its own close).
posted by acb at 7:16 AM on August 26, 2016

NSO, the malware company that peddled this exploit to the United Arab Emirates is owned by American private equity firm Francisco Partners.
posted by Nelson at 7:18 AM on August 26, 2016 [1 favorite]

The iPhone 4 was discontinued just under three years ago. The final iOS version it supports (7.1.2) was released just over two years ago. Your concern is justified.

The iPhone 4 is six years old, though it was sold for several years longer. (It was discontinued four years ago, not three.) Apple's legacy support has improved over generations, moreover, with the iPhones 5 and 5S receiving a wider swath of updates relative to their release time. Generally, their devices have become considerably more powerful, which means they're able to keep up with updates without dissolving into a laggy morass. iPhones 5 are still pretty usable as of 2016; I was using one until very recently.

As DoctorFedora points out, Android legacy support is a horrifying nightmare. iPhone legacy support should get better over time ("should" as in "ought to", not as in "probably will"), but as far as smartphones go, it's likely the safer bet.
posted by rorgy at 7:18 AM on August 26, 2016 [2 favorites]

Once we get phones running nothing but linux, we'll all compile our phone OS from source every morning. Patches will be deployed seconds after they're coded. And all bugs will be shallow, and hacking will be a forgotten pastime.
posted by blue_beetle at 7:33 AM on August 26, 2016 [2 favorites]

Sometimes I think it might be nice to get a smartphone. Today is not one of those days.
I was really waiting for Firefox OS... but then the project went titsup. :-/
posted by Too-Ticky at 7:37 AM on August 26, 2016

Yeah, I would love to see Rust take over the world. I think it's going to happen in the long run, though there will still be a lot of old c lying around for decades, much as we've still got Cobol running the airline industry....
posted by kaibutsu at 7:49 AM on August 26, 2016

How many people who run custom ROMs leave their bootloader unlocked?

Not to minimize this, but I will put up with a vulnerability that requires physical access to my device in exchange for actually getting critical remote exploits patched. Also, if your phone is encrypted (which I would think would be the case for most security-conscious people running CM) this is a moot issue.

I'm so happy that for the most part these days I can just stick to my safe little walled garden of managed code with C# and PowerShell. Of course, occasionally I am exposed to the illusory nature of this security when I am forced to do things like work with unsafe native methods using BSTR pointers that can easily pass embedded nulls and lies about length to any of the billion things expecting null terminated strings to accomplish something as trivial as using SQL Server authentication in a script when storing the password using Microsoft's own "Secure String" type.
posted by [expletive deleted] at 7:51 AM on August 26, 2016

The next version of iOS, which hasn't come out yet, is going to run on iPhone 4S, a phone so old it was announced when Steve Jobs will still alive. There are Android devices you can go buy in the store right now that will not be supported long enough to get a single security update.- sideshow

1. No, it won't be supported (bottom of page)

2. I guess you could say Steve Jobs was still alive. For one day. iPhone 4S/Jobs
posted by readyfreddy at 7:57 AM on August 26, 2016

there will still be a lot of old c lying around for decades, much as we've still got Cobol running the airline industry....

OTOH, between the heyday of COBOL on big-iron mainframes and now, the problems of tight coupling have become more widely understood (and memory/CPU power have become more abundant, making such extreme parsimony redundant), so upgrading more modern systems might be easier than doing so with a load of ancient mainframe systems.
posted by acb at 8:01 AM on August 26, 2016

Although it sounds like bad news, this is good news: an OS update with a fix is available now.

Suppose you see a cockroach (or three) scuttle across your kitchen floor and kill it. On the plus side, three less cockroaches! On the minus side, your house is probably infested with them.

One of these hacker companies is valued at a billion dollars. They probably have a stockpile of dozens of these zero day exploits. Now that they've been rumbled with this one they'll just move onto using others.
posted by L.P. Hatecraft at 8:03 AM on August 26, 2016 [1 favorite]

Well, my Nexus 9 just got Android 7, and that's getting on for two years old. And I just bought a twenty quid smartphone, new, that's running Android 4 (and will NOT be getting any personal data or access privs beyond my guest Wifi SSID and a pre-pay SIM) - so you pays your money and you takes your choice.

I don't know any business model that works for very cheap phones with good software updates. That's not an Apple vs Android story, that's a fact of life. Aviation deals with a similar issue by regulating platforms to the extent that if you want a cheap aircraft, you have to build it yourself - you don't get to sell it to the public. Either adopt that model, invent a new business model that allows you to make a competitive cheap phone with solid security, or stop kvetching already. Such things are technically possible - i'm very happy with Linux, for which I've paid nothing and which is as secure as I care to make it, and off the bat is pretty damn good - but incompatible with the way the mobile phone ecosystem is currently structured.

Society decides how much security it's prepared to pay for, in money and time, and it decides by cutting back until something terrible happens. That something terrible hasn't happened yet in computer security. When it does, then the necessary engineering will happen - and the biggest problem isn't the choice of language for the OS (or even whether the traditoinal OS model is the right way to do things), but the lack of precision and capability in defining and testing 'security'. You can't engineer without measuring.
posted by Devonian at 8:15 AM on August 26, 2016 [4 favorites]

DoctorFedora: "so does putting airbags into cars"

You don't have to buy a new car when the airbags go off in your five year old Beetle.
posted by Mitheral at 8:16 AM on August 26, 2016 [2 favorites]

The iPhone 4 is six years old, though it was sold for several years longer. (It was discontinued four years ago, not three.)

I was going by Wikipedia's dates - "Discontinued September 10, 2013". I know we're all wishing that 2016 was over aleady, but still. Apparently it was even "available in some developing countries until early 2014". Two and a half years of useful life for people buying them there, then.

Phones 5 are still pretty usable as of 2016; I was using one until very recently.

The iPhone 4 is still pretty usable as of 26 August 2016, leaving aside this security concern - I'm using one now. The phone works, iCal works, Safari works, the camera and Photos work, the weather app works, and the third party apps I personally use still work. I can't do panorama photos, and don't have Siri, but as long as I no longer have to do multi-tap texting and have access to the web in my pocket I'm happy.

gonna point out helpfully that the comment I quoted was posted by rory, not rorgy, and that we really are different people. mainly because I have a "g" in my name and they don't.

Indeed. I'd consider asking cortex to tweak my nick to Rory, which is my actual name, to help clear up the confusion, except that when Rory Marinich was active it was just as weird to see people refer in threads to "Rory" and mean him and not me. In the grand scheme of things, it works out okay.
posted by rory at 8:17 AM on August 26, 2016 [2 favorites]

Using too much C in operating systems is a problem, but switching languages alone will only be a small step. The fact is, that even if we wrote the OS and all the firmware in Haskell or something, with a minimal bootstrap like L4 that is small enough to prove correct...and that's already fantasy land at this point...then hacking will shift focus away from OS exploits and move toward "trusting trust" problems.

Your OS and firmware are rock solid? OK, where did you get your compiler from? Where did the chip maker get their VHDL tools from? Are you sure some actor didn't secretly commit code that injected attacks that are invisible to you? Ok, you think you're OK, what about the hardware manufacturer? Do you trust them? These things are already a problem in the field.

With security, it's turtles all the way down I'm afraid.

That said, yes, it would be nicer if we graduated to a better systems language from C. We're almost there with things like Rust, etc. but not quite yet.
posted by delicious-luncheon at 8:19 AM on August 26, 2016 [5 favorites]

Any piece of electronics that you are carrying around in your pocket with antennae and programming that actively seek to connect to radio signals is, at the most basic level, an inherently insecure platform. Of course, identified vulnerabilities need to be patched as best they can, but we shouldn't be under any illusions that our iPhone 6s is now "secure." And on the other side, I think there's a bit of hyperbole in saying that an iPhone 4 or earlier is now functionally obsolete. A lot of this comes down to user behavior (don't click on links from strangers, etc.).
posted by AndrewInDC at 8:24 AM on August 26, 2016 [1 favorite]

Well cool, I upgraded my iOS and now all my precious Apple Music playlists are gone.

I'm not being sarcastic. That's devastating. I've been carefully crafting dozens of playlists for almost a year now.
posted by malapropist at 8:30 AM on August 26, 2016

cstross, There are extremely few languages suitable for systems programming. Anything with a garbage collector like Go, Java, OCaML, etc. suffers from unpredictable latency.

Rust is our first serious option to replace C code throughout the stack. It does so by expanding the power of the type system to handle allocations. In doing this, Rust wins far more than garbage collectors provide, even eliminating some classes concurrency bugs. And the language teams seems much more concerned about security overall.

It's true that Arcs in Swift do reduce the latency from garbage collection, while avoiding many manual memory handling errors. Arcs cannot provide the static assurances provided by Rust's type system though. And they still incur some runtime costs. Also, Apple is unlikely to rewrite their kernel, sure they care about security, but not that much. And nobody but Apple uses Swift.

There are now projects to write microkernels in Rust, but nothing afaik with backing from major players. Also, the GPL played an important role in Linux success by ensuring that drivers got released. I'd therefore wager say Redox with its MIT license would depend upon a Linux VM for say your Broadcom wifi card driver. And all this new hardware all needs broken ass binary blobs anyways!
posted by jeffburdges at 8:37 AM on August 26, 2016 [1 favorite]

Apple does much worse, malapropist.
This Video Proves That Apple Actually Is Deleting Music Files Off Some People’s Hard Drives
posted by jeffburdges at 8:42 AM on August 26, 2016 [1 favorite]

And nobody but Apple uses Swift.

IBM are betting on it (on the server side, hosted on Linux) in a big way. Google are rumoured to have an internal project experimenting with replacing Java with Swift for Android development. Once Swift on Linux is no longer a prerelease, I imagine there'll be even more people looking at it.
posted by acb at 8:54 AM on August 26, 2016 [2 favorites]

Suppose you see a cockroach (or three) scuttle across your kitchen floor and kill it. On the plus side, three less cockroaches! On the minus side, your house is probably infested with them.

I disagree. iOS has been so thoroughly hardened that an exploit like this requires chaining 3 different 0-day vulns together in a very clever way. This was so rare that a nation-state actor kept it up their sleeve to target a specific person. It probably had a black market value upwards of a million dollars and it got squashed as easily as some alert target sending the suspicious URL along for analysis instead of clicking through. To me, that is saying that iOS is as secure a platform as you can hope for right now without dropping (probably literal) megabucks on military grade, high assurance devices for yourself and all your co-conspirators.

If these were common, everyone would be finding them and you wouldn't see them siloed away at intelligence agencies and sketchy private malware firms.
posted by indubitable at 9:24 AM on August 26, 2016 [6 favorites]

a minimal bootstrap like L4 that is small enough to prove correct...and that's already fantasy land at this point...

seL4
posted by indubitable at 9:28 AM on August 26, 2016

Apple does much worse, malapropist.

After reading TFA, it guesses that this is a bug. Do not attribute to conspiracy what can be explained by incompetence.
posted by pashdown at 9:33 AM on August 26, 2016 [1 favorite]

To me, that is saying that iOS is as secure a platform as you can hope for right now without dropping (probably literal) megabucks on military grade, high assurance devices for yourself and all your co-conspirators.

I'd wager that a large reason "military grade" devices are secure is their attack vector is small. I could make a ButtPhone 2000 out of Linux and Chinese parts and it would be more secure because there is only one. That doesn't mean that it is impervious to attack though. Nothing is.
posted by pashdown at 9:36 AM on August 26, 2016 [1 favorite]

I could make a ButtPhone 2000 out of Linux and Chinese parts and it would be more secure because there is only one.

No. Cobbling together your own device is not the same thing as conforming to a recognized set of security criteria and practices. Extrapolating from whatever your experience with Windows or Linux has been and then throwing up your hands and exclaiming "it's impossible!" is not a helpful way to model what's possible in information security.
posted by indubitable at 9:42 AM on August 26, 2016 [2 favorites]

Dude, I don't know what smartphone industry you've been watching, but Apple is literally your only hope for getting meaningful software support for more than like 18 months after release date on a smartphone.

Uh, there's an (Android) Nexus 5 on the table here that's 33 months old and was over-the-air updated to Marshmellow, without me having to manually go download anything, the first week it was available. It's not going to get an official Nougat (7.x) release so it probably only has another year or so of patches coming. Let's say circa 45 months. My old Nexus 10 was on the latest and greatest without me lifting a finger for 36 months and continued to get security patches (post-6.x) until I killed it in a horrible luggage accident. Etc. Etc.

If you buy devices with a known history of long-term support you get a device with long-term support.
posted by introp at 9:43 AM on August 26, 2016

Cobbling together your own device is not the same thing as conforming to a recognized set of security criteria and practices.

The military never gets hacked?
posted by pashdown at 9:49 AM on August 26, 2016

How many people who run custom ROMs leave their bootloader unlocked?

Not to minimize this, but I will put up with a vulnerability that requires physical access to my device in exchange for actually getting critical remote exploits patched. Also, if your phone is encrypted (which I would think would be the case for most security-conscious people running CM) this is a moot issue.

An unlocked bootloader doesn't open up remote access directly but it gives a successful attacker better options for hiding and persisting the compromise, including defeating things like encryption. When the bootloader is unlocked, you can install a compromised OS, replace the recovery images, and install firmware, all of which can make it basically impossible to trust the device in the future or even detect the compromise unless the attacker makes a mistake since they can control what you'd see from the OS running on the device or over a USB interface and even pulling out an SD card wouldn't help if e.g. the rootkit was installed in a custom firmware module. The net effect is that if the device has an unlocked bootloader and it's ever out of your control or compromised, your only safe option is to throw it out and buy a new one.

This is an area where I wish we had some legal requirements to soften the model Apple has, which is the right one for the vast majority of users but freezes out tinkerers and anyone with an irresponsible manufacturer. You always want a secure bootloader but there should some way – boot while holding down a switch and answer a “Yes, I want to give all of my personal data to [signer]” prompt, and reset the hardware FDE keys to “erase” all previous data, etc. – to install a certificate which could be used to sign third-party binaries.
posted by adamsc at 9:56 AM on August 26, 2016 [1 favorite]

jeffburdges, am I a part of the problem if I admit that I care much, much more about my missing playlists than I do that news article I think I first encountered within two months of me signing up for Apple Music?

Yeah, I'm probably part of the problem. Oops.
posted by malapropist at 10:15 AM on August 26, 2016

Everything We Know About NSO Group

NSO has close partnerships with a variety of other Israeli surveillance firms as they seek to spread their spy kit across the world. These include Ability Inc, a troubled supplier of an as-yet unproven technology called the Unlimited Interception System (ULIN)...

According to one source, Francisco Partners, which has bases in San Francisco and London, recently brought another Israeli spy team under its wing: Circles. The company, though it’s now based between Cyprus and Bulgaria, was founded by former IDF commander Tal Dilian. Circles does similar work to Ability, hacking SS7 for government contracts, though it’s another secretive company...

Another Israeli company that (unjustifiably) made headlines of late for hacking iPhones, Cellebrite, has also been in communication with NSO, though they operate at different levels of police investigations... NSO also employs ex-staffers from a variety of other notable Israeli intelligence vendors, including Nice Systems and Elbit (the latter last year purchased the former’s cyber division for $158 million).
posted by a lungful of dragon at 11:16 AM on August 26, 2016

seL4

Yes, sorry the "fantasy land" point was supposed to refer to OS in Haskell on L4.

There's provable L4's. There are OSes in Haskell. But nobody has done the end-to-end legwork of making a totally, provably secure system end-to-end. Or if they have, it's academic work at this point.

But, seriously, once we get to the point where there are compiler viruses that shield themselves from detection, we start to delve into a world of recursive insanity. And it just starts to look more inevitable every day.
posted by delicious-luncheon at 11:28 AM on August 26, 2016

it's academic work at this point.

Or some very highly specialized embedded stuff. Not something a typical end user would see.
posted by delicious-luncheon at 11:48 AM on August 26, 2016

The trusting-trust compiler problem is also seeing progress. Here's some work on countering these attacks from 2009.
posted by indubitable at 12:24 PM on August 26, 2016 [2 favorites]

The iPhone 4 was discontinued just under three years ago. The final iOS version it supports (7.1.2) was released just over two years ago. Your concern is justified.

Uh.

The iphone 4 was released in 2010. iOS 7 was released in 2013, the iphone 4 was discontinued right then, so 3 years ago. It ran the current version of the software until sep 2014 when ios 8 was released..

So it was up to date for four years after it's release. Worst case scenario, you bought a 4 a month before the 5s was released in 2013(when the lineup was 5-4s-4). You were buying discounted several year old hardware(often free with contract), and still got an entire year of support.

How is that bad? I don't see how the concern is justified there. By the time there was a short support window it was competing with bottom of the barrel android phones that rarely even get one update. It was patched throughout that entire year and i believe 7 was even patched once or twice after the window had "closed" for security issues.

The 4s got five years of support at this point, and was last on sale when the 5s was current in 2013, until the mid 2014 iphone 6 release. It won't stop being current until next month, and hasn't been on sale for two years. That's two years of not even on the market support.

Who can even compete with that who is currently selling mass market devices?
posted by emptythought at 12:45 PM on August 26, 2016 [3 favorites]

For what it's worth, my iPhone 4 (not S) is currently on iOS 9.3.2 and it seems perfectly fine to me. Presumably I will be able to apply the patch tonight. Maybe it's a teeny bit laggy, but I just don't have much interest in upgrading from a phone I use to make calls, take some pics, check email, web surf and run Google Maps as a GPS ... to a different phone that uh ... also does that? I love tech and all but it seems wasteful to buy a new one until this one just stops working. Security aside that is.

I do have a newer iPad Air for home use and light gaming. At my age playing games on a tiny phone screen just seems kind of silly.
posted by freecellwizard at 1:36 PM on August 26, 2016 [1 favorite]

DoctorFedora: "Seriously, though, this is a pretty big deal overall and folks, ya NEEDS ta KEEP your OPERATING SYSTEMS up to date"

Unfortunately, the majority of Android system manufacturers don't agree with you. Especially Samsung.
posted by Samizdata at 1:40 PM on August 26, 2016 [1 favorite]

Unfortunately, the majority of Android system manufacturers don't agree with you. Especially Samsung.

One plus is that these events highlight how far behind most mobile devices are on security, and that there are worse offenders whose products don't get as much press.

Another plus is that Apple is notable enough that their response ultimately gets the media to shine sunlight on black hats like NSO Group that make money attacking human rights defenders, which makes it harder for them to do their dirty business in secret.
posted by a lungful of dragon at 1:50 PM on August 26, 2016 [1 favorite]

adamsc, I pretty much agree with everything you said there. I definitely prefer the freedom to tinker of Nexus phones, which I have used exclusively since I retired my iPhone 3GS, but I more or less accept that even with my best efforts I won't have the security available on a modern iPhone. Cyanogenmod is a consolation prize after Google and Samsung abandoned the Galaxy Nexus with 18 months left on my contract to pay for it. To make things easier, it even shipped with the bootloader unlocked.
posted by [expletive deleted] at 1:57 PM on August 26, 2016

I could make a ButtPhone 2000 out of Linux and Chinese parts

Pls email me your Kickstarter link thx
posted by RobotVoodooPower at 2:18 PM on August 26, 2016 [2 favorites]

Are there no computer crime laws under which to prosecute NSO Group?

Aaron Swartz's own government threw the book at him for accessing material he had a right to access, but actual black hats putting lives at risk get to pay their taxes and go about their business?!

I assume this is based on the usual approach of governments writing laws that make it legal for them to buy weapons that are illegal for people to buy, but hopefully Citizen Lab or others can finger who is using this shit so that lawsuits can be attempted if the perp is a government, and can expand to include NSO Group if it's not.

"I know! Instead of letting Apple fix this, let's keep innocent people everywhere completely vulnerable so that we can profiteer off oppressive regimes!" - yeah that's a real great service to humanity you're doing there NSO Group. DIAF.
posted by anonymisc at 2:22 PM on August 26, 2016

Just out of curiousity, what, if anything, is so special about the Trusting Trust hack that makes it different from more mundane attacks? Is it just the way that it's undetectable in theory? Because it seems like in practice all the existing Trusting Trust attacks actually are detectable in one way or another.

(well, okay, all the ones we know about...)
posted by You Can't Tip a Buick at 2:56 PM on August 26, 2016

I admittedly should have said mass-market when referring to getting software support beyond release date, yeah. On the other hand, every single computer security professional I've ever heard from or talked to regards Android handsets in much the same way that a firefighter regards a small apartment filled floor-to-ceiling with old newspapers. It's almost not even comparable.

Basically, this is a Plane Crash Story, which means that many people are likely to decide they're much safer driving despite the fact that no, they are not, and that in fact serious dangers of the alternative are so common as to not even be news (when's the last time a single-death auto accident made the news in your area?).
posted by DoctorFedora at 2:56 PM on August 26, 2016 [1 favorite]

Just to be clear: are you aware that I am Rory Marinich?

Take it to MetaTalk!!
posted by wenestvedt at 6:30 PM on August 26, 2016 [1 favorite]

Is this Metafilter's mission impossible latex mask removal equivalent? Does rory take off his next and reveal he's cortex or something?
posted by wildblueyonder at 6:33 PM on August 26, 2016 [2 favorites]

No, it's Rories all way down.
posted by sebastienbailard at 7:03 PM on August 26, 2016 [1 favorite]

I used to be sixcolors, if that helps.
posted by rorgy at 7:14 PM on August 26, 2016 [4 favorites]

farlukar: "> Dude, I don't know what smartphone industry you've been watching, but Apple is literally your only hope for getting meaningful software support for more than like 18 months after release date on a smartphone.

CyanogenMod isn't strictly part of the “industry”, but my 3 year old android unit is up-to-date with the latest Google security patches.
YMMV depending on model type and age, of course."

Of course, you have to be able to install Cyanogen (looks at the bootlooped Kindle Fire on the bookshelf). I am still waiting for the payback from the law making it legal to replace OSes on devices.
posted by Samizdata at 7:25 PM on August 26, 2016

And Cyanogen doesn't cover every Android handset.
posted by oddman at 8:18 PM on August 26, 2016 [1 favorite]