192 points pera | 4 comments
jMyles ◴[] No.45107160[source]
Important story for sure, but this reporting is subpar IMO.

> When it is successfully deployed against a target, the hacking software – called Graphite – can hack into any phone. By essentially taking control of the mobile phone, the user – in this case, Ice – can not only track an individual’s whereabouts, read their messages, look at their photographs, but it can also open and read information held on encrypted applications, like WhatsApp or Signal. Spyware like Graphite can also be used as a listening device, through the manipulation of the phone’s recorder.

"When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)? Is there a background whistleblower between the lines here, or is this just paraphrasing the Wired reporting from last year?

> John Scott-Railton, a senior research at the Citizen Lab at the University of Toronto, who is one of the world’s leading experts on cases in which spyware like Graphite has been abused by governments, said in a statement that such tools “were designed for dictatorships, not democracies built on liberty and protection of individual rights”.

Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

> The US government has in the past resisted using spyware technology made outside the US because of concerns that any company that sells technology to multiple government agencies around the world represents a potential security risk.

Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

> “As long as the same mercenary spyware tech is going to multiple governments, there is a baked-in counterintelligence risk. Since all of them now know what secret surveillance tech the US is using, and would have special insights on how to detect it and track what the US is doing with it,” Scott-Railton said. “Short of Paragon cancelling all foreign contracts, I’m not sure how this goes away.”

...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

But how this goes away is: we learn how the exploit works and develop countermeasures.

The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

The discussion on the front page of HN yesterday on the thread, "We should have the ability to run any code we want on hardware we own" was refreshing and felt like the first real consensus we've had around here on this topic in several months. Specifically, it seems like we all now agree that our mobile devices have reached a combination of complexity and (state-assisted) corporate control that they are no longer safe for everyday use.

And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

I do not believe that there is an avenue for addressing this via institutional influence - the cited examples of Saudi Arabia, Italy, and the United States, despite having dramatically different configurations of state authority (and, probably in most people's minds, levels of legitimacy as states in the first place), all present identical attack surfaces in the face of "Graphite" and similar exploits.

The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

replies(2): >>45107606 #>>45108391 #
1. seadan83 ◴[] No.45107606[source]
Gotta say, you sound hypercritical.

> "When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)?

This is not a research paper where The Guardian needs to go into those details. Those details are known based on previous incidents/issues and general knowledge.[1]

> Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

Guardian articles are pretty short. They're not going to quote someone when all they are trying to get is that these are risky tools that invite abuse. So they interviewed an expert who could give a quote to that effect. Why is that shovelled in? This is very much "WHY" someone should care. It's a core tenet of journalism, don't just present what - but also some analysis for what it means.

> Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

Yeah, are they going to link to 30 different articles and so forth? Here you go, a quick reference: [2]

> ...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

Why does any of the quote sound cherry-picked? The context seems clear: other governments use this tool, if USG does too, then other governments know the capabilities. It's an intrinsic problem. Seems to be completely conveyed via the quotes, and that was presumably the reason to interview this additional person.

> The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

How this happens is WAY out of scope of the article. This is a general news article that is around 300 or so words. It's not a security bulletin or a tech-focused article. Why do you expect these details? Can you give any other examples from say the LA Times, BBC.co.uk, or any other similar news services?

> And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

This does seem implied. The quote "were designed for dictatorships, not democracies built on liberty and protection of individual rights" is really saying this, no? Like, it's saying exactly, this technology is a concern because it can be abused and is a tool for authoritarian countries and not democracies.

> The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

I agree with your premise here. In this case, the article that the USG is adopting these tools should be well alarming to you.

[1] https://citizenlab.ca/2025/06/first-forensic-confirmation-of...

[2] https://www.federalregister.gov/documents/2023/03/30/2023-06...

replies(2): >>45108622 #>>45109403 #
2. bawolff ◴[] No.45108622[source]
Well you're certainly correct, as a tech person I'm nonetheless always disappointed by mainstream media reporting on these things as the "how" and "what" bit is by far more interesting to me than anything in the article.

The actual article is pretty old news and uninteresting - yes US police have used spyware for "surveillance". This is not new by any means. Similarly a number of Israeli private companies have made a name for themselves selling spyware software on, let's say the grey market. This is well known by now.

The only interesting thing to know would be how this particular piece of software works.

3. zapataband2 ◴[] No.45109403[source]
Yeah I thought it was widely known that "deploy" could be as simple as sending a text message. The recipient did not even need to open it in the case of Pegasus.
replies(1): >>45110282 #
4. jMyles ◴[] No.45110282[source]
So you're presuming that there is an exploit that allows a remote attacker to install "Graphite" via a text message? That is not stated here - or anywhere - as it was over and over again in the case of Pegasus (and similarly, the trumpets sounded when the patch was fixed a couple weeks later).

The reporting here is markedly more imprecise, and it's frustrating.