Malware: The NSO Group and a Timeline

September 8, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_tNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

A flurry of NSO Group news appeared in my newsfeeds this morning. Citizen Labs issued an advisory. You can find that short item in “BLASTPASSNSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild.” Recorded Future, a cyber security company, published “Apple Discloses Zero-Days Linked.” Variants of these stories are percolating, including British tabloid newspapers like The Metro. One message comes through: Update your iPhones.

The information makes clear that a vulnerability “path” appears to be blocked. That’s good news. The firm which allegedly discovered the way into user mobile devices is the NSO Group. The important fact, at least for me, is that this organization opened its doors for business in 2010. The origin story, if one believes the information once can find using a free Web search engine, is that the company evolved from a mobile phone repair business. After repairing and tinkering, the founder set up a company to assist government agencies in obtaining information from mobile devices believed to be used by bad actors. Agree or disagree, the origin story is interesting.

What’s important for me is that the time between the company’s start up and the “good news” about addressing a vulnerability in certain devices has been a decade, maybe more. I don’t have an opinion about whether the time window could have been closed more quickly. What’s important to me is that the information is diffusing quickly. On one hand, that’s beneficial to those concerned about the security of their devices. On the other hand, that’s the starter’s gun for bad actors to deploy another hard-to-spot exploit.

I have several observation about this vulnerability:

  1. The challenge to those who create hardware and software is to realize that security issues are likely to exist. Those who discover these and exploit them, blindside the company. The developers have to reverse engineer the exploit and then figure out what their colleagues missed. Obviously this is a time consuming and difficult process. Perhaps 10 years is speedy or slow. I don’t know. But an error made many years ago can persist and affect millions of device owners.
  2. The bad actor acts and the company responsible for chasing down the flaw reacts. This is a cat-and-mouse game. As a result, the hardware and software developers are playing defense. The idea that a good defense is better than a good offense may not be accurate. Those initial errors are, by definition, unknown. The gap between the error and the exploit allows bad actors to do what they want. Playing defense allows the offense time to gear up something new. The “good guys” are behind the curve in this situation.
  3. The fact that the digital ecosystem is large means that the opportunity for mischief increases. In my lectures, I like to point out that technology yields benefits, but it also is an enabler of those who want to do mischief.

Net net: The steady increase in cyber crime and the boundary between systems and methods which are positive and negative becomes blurred. Have we entered a stage in technical development in which the blurred space between good and bad has become so large that one cannot tell what is right or wrong, correct or incorrect, appropriate or inappropriate? Are we living in a “ghost Web” or a “shadow land?”

Stephen E Arnold, September 8, 2023


Comments are closed.

  • Archives

  • Recent Posts

  • Meta