American Hackers Helped UAE Spy on Al Jazeera Chairman, BBC Host (reuters.com)
129 points by thefounder on April 1, 2019 | hide | past | favorite | 67 comments


If I was a journalist covering any sort of geopolitical stuff I'd 100% have my phone reviewed by infosec experts regularly and change devices frequently. And ideally use separate phones for external work related contacts, day-to-day in-office work, and personal life.


Were I that journalist, the first thing I'd do would be to soil my drawers, because I'm not brave enough to operate with some of those kinds of potential adversaries.

But, a hypothetical braver me would then know (from my alternate universe life as a techie) that I can't trust any of my devices much, in any case, no matter how many experts review them or how many burners I cycle, and that I should use the devices accordingly.


A smartphone is already the wrong tool if you're in that job. The baseband is a de facto rootkit.


No, it's not. This is a myth that refuses to die, and like the "one big thing" everyone seems to "know" about mobile security.


You obviously know vastly more about security than I do, but I don't understand how a black box with DMA doesn't implicitly compromise the rest of the device, for people whose threat models might include state-level actors — and particularly their shadier bits.

EDIT: Is it just a matter of there being easier/cheaper vectors?

Also, phrasing.


https://www.synopsys.com/dw/dwtb.php?a=hsic_usb2_device

Most modern smartphones use USB for baseband comms. I'm no expert but I don't think the DMA thing has been true widely for a very long time.


I'm finding product briefs for 4G and 5G basebands listing host DMA capabilities, so it's still enough of a thing to keep vendors offering it.


You should use, exclusively, modern iPhones or, if you have an expert to help set it up, a flagship Google Android phone. I'm sure there are lots of off-brand Android phones that have basebands with full DMA access and no meaningful IOMMU configuration.


And IOMMUs in places where DMA-ish access is needed.


Could you help dispel the myth by providing sources? Info regarding Android phones would be appreciated.

I certainly was still under the impression that phones were a crapshoot of vulnerabilities especially outside the iphone.


Fine, that myth refuses to die, but can we get some common-sensical security best practices for intelligent but non-technical folks?

This is a real problem, that smart people don't know how to keep their stuff secure.



Do the known ss7 vulnerabilities not count?


No, they do not. You also can't depend on a secure connection from your ISP.


Why not explain away the myth?

I'd like to know why it isn't. A rootkit doesn't necessarily need access to every ring of a system, just enough to compromise it.

Is there some reason that you seem to be purposely vague when speaking about basebands in these kinds of threads? ( https://news.ycombinator.com/item?id=10906188 )

The baseband may not have as much authority as some purport, but it's still a subsystem with its own code and purpose -- and (like any other subsystem), a villain could theoretically use this to their advantage in all sorts of imaginable ways.

(tl;dr : DMA isn't needed to be evil. It's just nice.)


You've argued yourself back to the null hypothesis here. The original argument was that there was something special about the baseband peripheral that made smartphones a unique threat. No, there is not.


I imagine a sort of device where you have a private key stored on some chip that you plug into a handheld device. All the device does is take in bytes from a serial port and output the decrypted content out another serial port. Then you can make sure that your decrypted contents only ever exist on a non-network connected computer. Or better yet, only view or manipulate the decrypted content from a laptop with read-only storage (e.g. booting into Linux from a DVD).


Journalists are not paid enough to buy disposable iPhones frequently.


> Journalists are not paid enough to buy disposable iPhones frequently.

If I were Apple, I'd give journalists all the "disposable" iPhones they need to swap them frequently for free.

My only condition would be to periodically inspect them for hacking activity, or have them specially instrumented to detect it. It would be a good way to ferret out state-actor zero days (or increase the security of the platform by making state actors hoard exploits even more jealously).


I like this idea.

Apple could do it practically for free too, if it was something like "Any accredited journalist can trade their iPhone for a refurb at any Apple store at any time. We'd appreciate, but not require, some information about the general areas of stories you cover and any threats you're suspicious might be focused on you."


Eeeeh... except, if a journalist was enrolled in this program then Apple would (almost certainly) know which journalists were getting new phones and various three-letters could pressure Apple into loading targeted software into phones for specific journalists.

Also, this comment isn't intended to touch the question of Apple's trustworthiness so please don't wave downvote over that, I am merely stating that such a system would _really_ motivate three-letters to put an immense amount of pressure into compromising such a system (whether they did so with or without Apple's co-operation can remain untouched).


If the program were set up as above, such that any accredited journalist could walk into any Apple Store at any time and do the thing, the logistical challenges in having custom, pre-compromised phones on hand everywhere ("Why aren't we just grabbing those from normal inventory? Isn't that weird?"), or having to bake a "Glenn Greenwald" image onto the phone when he walked in, would probably be noticed.

EDIT: What's to stop Mr. Greenwald from sending a buddy from an old job to swap a new device on his behalf?


Because they'd need to be an accredited journalist, and the presenting of any kind of proof to that end would be enough for three-letter agencies to wiggle their way into a compromise of the system - including the fact that Glenn may send his old buddy Frank in to collect his phone, so better give either one of them one of the tainted ones.

I misread the original proposal a bit and had assumed it'd be a mail-in service, but with even determination the three-letter folks could probably leave spiked devices in the stores Glenn would be likely to walk into. This is more reasonable but I still have reservations.


Keep in mind Glenn knows this too, so presumably would be somewhat wary of his "local" Apple Stores, and could instead choose to randomly drop into stores when travelling to unexpected and unannounced places.

It's not like _any_ journalist would trust this service at an Apple Store in Saudi Arabia, and probably not the UAE, Oman, or Qatar either. (Or many other countries.)

Being "not a perfect and universal solution" doesn't make it worthless. Snowden isn't about to stroll into Apple Store Moscow to take advantage of a refurbed iPhone. I suspect things would be different if Omar Abdulaziz could have dropped into Apple Store Toronto and swapped his Pegasus-infected phone over...


If it was set up well the journalist could have the exact new phone in hand, disconnected from any wires that might flash it, before announcing he was a journalist. I don't think there is a way with current technology to discreetly have people or computers set up to recognize Greenwald (let alone all his friends) in a good percentage of Apple stores before the transaction is completed. Even if it is possible to identify Greenwald and friends before the transaction, that access is probably only available to the actual NSA, not ex-NSA employees.

On the other hand - you've now identified the phones for remote exploit. Also identifying which journalists are significant enough to be beneficiaries of this program is probably hard.


Speaking of "accredited journalist" and Glenn Greenwald, how does Glenn Greenwald demonstrate his accreditation to the Apple Store employees? What sort of documentation would Greenwald be asked to present that demonstrates to these Apple store employees that writing for The Intercept entitles him to eligibility in this program?

As far as I can tell, "journalist accreditation" has no objective meaning and is determined on an organization-by-organization basis using subjective standards. Here is the list of criteria the UN uses: https://www.un.org/en/media/accreditation/request.shtml

At first glance, Greenwald would seem to qualify by that standard, provided whoever was judging him were reasonable (by my personal standards) in judging criteria such as whether The Intercept is a "recognized media organization." However I also notice that some of the criteria listed on the page seem very restrictive and could quite possibly disqualify a lot of investigative journalists (requiring six publications per year, when that investigative journalist may be working on serious stories that take more time than that...)


I could imagine The Intercept (and many other news organisations) sending the cub reporter to the local Apple Store with a box of 50 factory-wiped iPhones once a month.


That's certainly a risk worth evaluating.

I wonder if Jamal Khashoggi and Omar Abdulaziz would evaluate (or "have evaluated", in the case of Jamal) the risk of "TLA's who have the power to coerce Apple" vs "Saudi Security and Royal Family"?

You are right, in that this is adding an extra organisation you need to trust (although if you're carrying an iPhone you've already surrendered a significant amount of trust to Apple and their ability to resist TLAs).

A possible workaround might be to make the bar of "accredited journalists" super low (perhaps "anyone who's ever had a published byline in anything accepted as an original source by Wikipedia"), and push it super publicly, so pretty much every journalist from cutting-edge human rights activist/journalists down to the cub reporter on University newspapers is swapping their phone for refurbs every 3 months...


Now that you have dropped the barrier, what requirements are you setting for the device? What if it's damaged? How damaged is too damaged? Should they accept damaged devices in exchange for other damaged devices?


The Apple store becomes a failure point in this. A state actor could turn a low paid store worker to switch out phones of journalists coming in.

Not saying it’s super practical but definitely a failure point.


> The Apple store becomes a failure point in this. A state actor could turn a low paid store worker to switch out phones of journalists coming in.

Not necessarily, the journalist could go to a random store and the process could be set up as an exception to a normal purchase flow, so the journalist only needs to identify themselves after the phone has been removed from stock (and any effort to swap it would be super suspicious).


If it’s a targeted attack, I’m sure the turned employee would know who they’re looking for. I don’t think it’d normally be a random, let’s get anyone kind of thing.


> If it’s a targeted attack, I’m sure the turned employee would know who they’re looking for. I don’t think it’d normally be a random, let’s get anyone kind of thing.

You missed a key point.

Having a turned employee is only helpful if the person you're targeting goes to that person, but the whole point of the process I outlined was to make it too difficult to predict or control which employee the targeted person would interact with, which makes turning employees impractical (since you'd have to turn so many to have a reasonable chance of success that you'd probably just reveal your attack instead).


These would be business expenses and would hopefully be reimbursed. You didn't interpret the suggestion in a very charitable way.


If it was me I would just assume that my phone was compromised, that the mobile network is compromised, and that any wifi network I'm on is compromised.

Cheap semi-disposable laptop + trustworthy encryption (edit: Probably with OpenBSD as the OS) is the best you can do, and if I don't have encryption I trust for the task at hand a wired network.

It's unfortunate that wireless networks apparently uniformly have terrible encryption and poor security. There is no fundamental reason this needs to be the case.


Giving a journalist an OpenBSD laptop to replace their modern iPhone (or, I suppose, carefully-configured expert-vetted flagship Google Android phone) would be a really good way to get them owned up. For most users, laptops are much less secure than iOS devices. Most of the security engineering in OpenBSD protects users from other users, which is not a security barrier that matters to 90% of endpoint users. Most of the security engineering in a modern smartphone protects a single user's applications from each other, which very much does matter.


IIRC most of these exploits require either physical access, or clicking a link in an email or text.

I'm not sure anyone will burn a no interaction zero day on a human rights journalist. I suspect that kind of thing is hoarded by the big boys for when life and limb are on the line.


The article mentions the no-interaction exploit used:

> The attacks utilized a cyber weapon called Karma. As Reuters reported in January, Karma allowed Raven operatives to remotely hack into iPhones by inputting a target’s phone number or associated email address into the attack software. Unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said. Apple declined to comment.


Wow. Sorry, I didn't see that part.

I'm surprised it's still circulating then, it sounds like a very serious bug. It's still not known? (No CVE?)


It’s been patched. There may be others currently in use, or that will be found and used in the future, but this specific bug was killed.


> I'm not sure anyone will burn a no interaction zero day on a human rights journalist.

There have been multiple reports of no interaction zero days used on journalists, including in the article above. Turns out, authoritarian governments really hate journalists who aren't sympathetic toward their regimes.


True, but if you're a journalist I can't imagine how you avoid clicking on links sent to you reliably. And if something 'important' comes your way you might just elevate yourself to the "big boy" level of exploits.


A "click a link in an email" exploit is probably not too expensive to burn on a journalist, and "click this link in this email" is absolutely one of the top 3 attack vectors for ordinary users.


A security-conscious journalist paranoid enough to use burner phones hardly qualifies as an "ordinary user", even if they aren't traditionally technical.


Lots of people do all sorts of theatrical security things without having any real savvy for the real threats they face.


>Lots of people do all sorts of theatrical security things without having any real savvy for the real threats they face.

For example, switching to a dumbphone makes them likely to be more insecure, since they usually operate on 2G or 3G and offer zero encryption.


I don't think 4G/LTE encryption is a win so much as running your comms over IP, with application-layer encryption, is a win --- and that's something you generally need a smartphone for.


I wonder how many of these hackers "just liked to solve interesting problems" for work.


Too many. Your comment probably sounds like snark to a lot of people but touches on a very real problem.


For a lot of them they do like the challenge, it's what drives many agency analysts/operators, but for many it was the lure of money. Packages up to half a million depending on your former position/credentials, free housing and more were thrown about like candy. Some of those leaving the agencies were former military or newly hired GS9s. You can see how the monetary lure would pull you out.

A bigger problem that has persisted is why are they leaving the domestic agencies? What needs to change for retention there?


Hey America, do you think you might find a bit of time to prosecute these Americans that are being such obviously terrible actors?

Sure, the crime wasn't on US soil and so-and-so but... I feel like in the modern world it'd really help America's cred to actually try and take action against these terrible actors. The fact that these folks were former three-letter probably means there's some contract somewhere out there where they signed away all their rights forever.

(Also, I get that America is probably fine with this sort of hacking, given that it targeted "the evil" but why not just prosecute these folks for the image of it)


I don't like the way this is written. The US is a country of laws. They should only prosecute people for breaking the law. Part of breaking a law is being subject to its jurisdiction. If you want someone to be charged who you don't think the law reaches, advocate for changing the law to catch future transgressions, not for prosecuting them anyway. Alternatively, advocate for supporting foreign law enforcement agencies who do have jurisdiction (it seems to me the British should have a good claim here).

But it turns out that this is probably illegal under current US law, which specifies a jurisdiction not limited to US soil. A protected computer under the CFAA is defined to include the following (18 U.S.C. § 1030(e)(2))

> a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Recall that US journalists were targeted. I strongly suspect that qualifies as "foreign communication of the United States".


If you read their earlier investigation, the employees aren't any more terrible than the average NSA rep, and the firm is mostly careful about making an Emirati operative actually perform the attacks on people from the US, making prosecution difficult. The FBI was investigating as of January at least.


I would think running your own foreign espionage operation as an American citizen would get you 25 to life. Or should.


That isn't what happened here, and why would your company's location make the acts worthy of more or less prison time?


It's probably a lot more lucrative to work on such projects than maybe working for the NSA while doing exactly the same things, but aren't there laws that prevent ex-spies and hackers from working for foreign governments?


These people started off working for an American company with a contract in UAE. Once they were there, UAE replaced that company with a local one.

You could say that they should have seen that coming.

They are well aware that they now can't return to previous employers. They have little chance of getting their security clearances restored.


If governments / law makers cared, they would react.

I remember when the French government learnt that all the top officials of the country were tapped by the NSA, including the President (https://fr.wikipedia.org/wiki/Espionnage_de_l%27%C3%89lys%C3...).

France did absolutely nothing.


I mean you say nothing, but they did start building their own secure chat app [0] with a view to making it mandatory for all government officials.

[0] - https://www.businessinsider.com/france-building-encrypted-me...


>France did absolutely nothing...

...that we know about.


Sure, but doing nothing publicly does mean a lot.


And they are bleating about China and Huawei.


When I was a kid I did dream of being a cyber-mercenary. Given that the US recognises cyberspace as being a battlespace, would being a hacker for another country count as being a mercenary? Would that make you a combatant?


Why isn't it illegal for Americans to hack into phones in other countries?


Can we not turn HN into /r/politics? Or, if we are, be very up-front about HN supporting political 'news' and gossip?


This report is not scare-quoted news or gossip.


It's news (not 'news' or 'gossip') about hackers on 'hacker news'.

