It has been reported that last week's major iPhone hacking campaign also targeted Android smartphones and Windows computers.
In its announcement, Google hinted at nation-state participation, but a separate report that Windows and Android devices were also on the target list offered a new twist to the story.
If this is correct, the inclusion of Windows and Android should not be surprising – when targeting specific groups of people via a small group of websites, it makes sense to cover as many types of device as possible so as not to miss anyone.
Of course, none of this can currently be verified. For the moment, these are just anonymous sources who have spoken to a few journalists and offered information that may never be confirmed.
Indeed, part of the reason this is being taken seriously is that the companies involved – Google, Microsoft, Apple – do not seem willing to deny it.
Deeper meaning
However, another way to understand this story is to point out that the who and the why are less important than the how.
The original Google report mentions that unintended victims were also caught up in the attacks, implying that anyone could be a victim of a future campaign.
Victims were reportedly infected with spyware after being persuaded to open a malicious link – a generic but effective tactic.
The infected domains were reportedly indexed by Google Search (quite normal if a domain is not known to be malicious), which prompted the FBI to ask the company to delist them.
The first problem concerns the collateral, infected victims.
The campaign was discovered in early 2019. The iPhone vulnerabilities involved have since been patched, and Apple's patch deployment process is well established. However, if Android or Windows devices were involved, the patch timeline becomes less certain because updates can be optional and slow to appear.
Defects for sale
The risk is that when nation-state groups discover vulnerabilities that are worth exploiting and do not report them, professional cybercriminals have the opportunity to discover them as well (or, if they cannot, to steal them).
Added to this is the problem of software companies that make a living writing spyware and selling their tools to intelligence agencies, countries and, controversially, commercial organizations. Sometimes it can seem that the two types of attack – targeted nation-state malware and commercial spyware – are merging into one.
There is no indication that commercial spyware was connected to the latest iPhone campaign, but the growth in the industry may have increased the price of zero-day vulnerabilities.
Companies such as Google, Apple, and Microsoft run bug bounty programs, partly to compete with the illicit market for vulnerabilities, and Apple recently raised its top bug payout to $1 million.
This market may be contained but not easily stopped. When hackers can rely on a plentiful toolbox of flaws, we all have something to lose, no matter who is behind the attack.