The BBC gave us the rundown late yesterday (at https://www.bbc.com/news/business-58540936) where we are given ‘Apple rushes to block ‘zero-click’ iPhone spyware’. A setting that comes at times and this is not against Apple, yet the article left me with questions. I get that there is initial finger pointing, as such pointing to the best in the field makes perfect sense to me and it is done with “it had high confidence that the Israeli hacker-for-hire firm, NSO Group, was behind that attack”, I do admit that the term ‘hacker-for-hire’ will be one that requires more precise explaining. Bill Marczak from the University of Toronto’s Citizen which first highlighted the issue gives us “we previously found evidence of zero-click spyware, but “this is the first one where the exploit has been captured so we can find out how it works,”” and this got me thinking.
Where is the timeline? With what version of iOS does it start? Version 14, version 14.5, version 13? So how long was this in play? It is not the fault of the BBC and it is the first issue.
We then get “the security issue was exploited to plant spyware on a Saudi activist’s iPhone”, so how many activists are monitored? When was the transgression detected? How was the transgression detected? At least two of these questions require investigation and the BBC did not go there. We can argue whether they were required to do so.
So whilst we are lulled to sleep with “Security experts have said that although the discovery is significant, most users of Apple devices should not be overly concerned as such attacks are usually highly targeted” which could be an absolute truth, we see the setting that Apple is protected. So why was the weakness there in the first place? The answer might be extremely valid, no system is truly secure, we have seen that for a long time. Yet in the moments where I saw this article I phrased a few questions that I have not seen anywhere else (as far as I could tell). And of all the people who could be infected, we get the mention of ‘Saudi activist’? The article was set to certain measures and without proper and a clear explanation there is every chance that additional questions will be asked from the University of Toronto as well. This is not against them and I have nothing against Bill Marczak (I do not know anything about him), but the stage was set in a few measures and that makes for a worrisome setting. A BBC article absent of a few facts and the insertion of a few innuendo’s. All whilst there optionally might be questions from the NSO Group. A stage where we see a setting where (in my personal opinion) someone was standing of the axial of a seesaw to keep the almost in balance. And as the NSO Group, Saudi Arabia and Apple where alternating on the seesaw, the man in the middle offset the balance by just enough to make is wonder, to make us lay blame. Yet all that happened with several facts missing and the smallest mention of “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”.
We all need to do what we need to do, yet I wonder if the BBC (and Reuters) did enough here.
Lawrence van Rijn - Law Lord to be 