The surveillance-as-a-service industry needs to be brought to heel

Here we go again: another example of government surveillance involving smartphones from Apple and Google has emerged, and it shows how sophisticated government-backed attacks can become and why there’s justification for keeping mobile platforms utterly locked down.

What has happened?

I don’t intend to focus too much on the news, but in brief it is as follows:

  • Google’s Threat Analysis Group has published information revealing the hack.
  • Italian surveillance firm RCS Labs created the attack.
  • The attack has been used in Italy and Kazakhstan, and possibly elsewhere.
  • Some generations of the attack are wielded with help from ISPs.
  • On iOS, attackers abused Apple’s enterprise certification tools that enable in-house app deployment.
  • Around nine different attacks were used.

The attack works like this: The target is sent a unique link that aims to trick them into downloading and installing a malicious app. In some cases, the spooks worked with an ISP to disable data connectivity to trick targets into downloading the app to recover that connection.

The zero-day exploits used in these attacks have been fixed by Apple. It had previously warned that bad actors have been abusing its systems that let businesses distribute apps in-house. The revelations tie in with recent news from Lookout Labs of enterprise-grade Android spyware called Hermit.

What’s at risk?

The problem here is that surveillance technologies such as these have been commercialized. This means capabilities that historically have been available only to governments are also being used by private contractors. That represents a risk, as highly confidential tools may be revealed, exploited, reverse-engineered and abused.

As Google said: “Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”

Copyright © 2022 IDG Communications, Inc.