The Spy Who Hacked Me: Unveiling Egypt's 0-Day Shenanigans


Published on Sep 23, 2023   —   3 min read

Ah, the world of 0-day exploits—where hackers are the artists and code is their canvas. But what happens when this art is used for something more sinister, like commercial surveillance? Google's Threat Analysis Group (TAG) recently partnered with The Citizen Lab to uncover a 0-day exploit chain targeting iPhones in Egypt. Developed by Intellexa, a commercial surveillance vendor, this exploit chain was used to install the Predator spyware on devices. Apple has since patched these vulnerabilities, but the story doesn't end there.

The Art of MITM: Man-in-the-Middle

In the cybersecurity world, a Man-in-the-Middle (MITM) attack is like a game of telephone gone wrong. The attacker intercepts the communication between the target and the website they intend to visit. In this case, Intellexa used MITM to redirect users visiting any 'http' site to their own domain. The exploit chain then kicked into action, exploiting three vulnerabilities in iOS:

  1. CVE-2023-41993: Remote Code Execution (RCE) in Safari
  2. CVE-2023-41991: PAC Bypass
  3. CVE-2023-41992: Local Privilege Escalation (LPE) in the XNU Kernel

And voila! The Predator spyware was installed, all without the user having to lift a finger.

Android Isn't Safe Either

Ah, Android users. You might be smirking at your iPhone-using friends, thinking you dodged a digital bullet. Well, wipe that smirk off your face, because Intellexa didn't discriminate based on operating systems. That's right, Android was also in the crosshairs, and here's how it went down.

The Exploit Chain: A Brief Overview

Intellexa had a separate exploit chain designed specifically for Android devices. This chain targeted a vulnerability identified as CVE-2023-4762. Now, you might be wondering, "What's so special about this particular bug?" Well, it allowed for remote code execution, essentially giving the attacker the keys to your digital kingdom.

What's intriguing is that Intellexa used two different delivery methods for Android exploits. One was the same Man-in-the-Middle (MITM) technique used for the iPhone exploits. The other involved sending one-time links directly to the target. This dual approach not only demonstrates the vendor's adaptability but also raises concerns about how many other delivery methods they might have up their sleeves.

Patched but Not Forgotten

Good news: this vulnerability was patched on September 5th. But let's not break out the champagne just yet. The fact that it was exploited in the wild before being patched raises questions about the extent of Intellexa's capabilities and how long they had been using this exploit. It also serves as a wake-up call for Android users to be just as vigilant as their Apple counterparts.

HTTPS: The Unsung Hero

Chrome has been pushing for universal HTTPS adoption to mitigate MITM attacks. Its "HTTPS-First Mode" is a step in the right direction, but it's not a silver bullet. Users enrolled in the Advanced Protection Program have this setting enabled by default, but the rest of us should turn it on manually.
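The two ideas above (an injected redirect only works on plaintext 'http' navigations, and HTTPS-First Mode closes that window by upgrading the request) can be made concrete from the defender's side. The following is an added example, not code from the original post, Google TAG, or Chrome: it models an HTTPS-First upgrade policy and, over a constructed set of proxy-style HTTP exchanges, flags plaintext responses that redirect the client to a different registrable domain, which is the traffic shape a network-injection MITM produces. Hostnames such as `attacker-placeholder.example` and the client addresses are constructed placeholders; the registrable-domain helper is a deliberate simplification (real code would use the public suffix list).

```python
from urllib.parse import urlparse

# Constructed sample of exchanges as a forward proxy might log them:
# (client address, requested URL, response status, Location header or None)
SAMPLE_EXCHANGES = [
    ("10.0.0.5", "http://news.example.org/", 200, None),
    # Same-origin upgrade to HTTPS: normal, benign behaviour.
    ("10.0.0.5", "http://news.example.org/archive", 301, "https://news.example.org/archive"),
    # Plaintext request answered with a redirect to an unrelated domain: the
    # pattern an on-path injector produces (hostname is a constructed placeholder).
    ("10.0.0.7", "http://weather.example.net/today", 302, "http://attacker-placeholder.example/landing"),
    # HTTPS request: an on-path attacker cannot rewrite this response.
    ("10.0.0.9", "https://bank.example.com/login", 200, None),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def upgrade_to_https(url):
    """Model of an HTTPS-First policy: an http:// navigation is rewritten to
    https:// before it leaves the client; other schemes pass through unchanged."""
    parts = urlparse(url)
    if parts.scheme == "http":
        return parts._replace(scheme="https").geturl()
    return url


def registrable_domain(host):
    """Simplified: last two DNS labels. Good enough for this sample; a real
    detector would consult the public suffix list (assumption, not page content)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_suspicious_redirect(url, status, location):
    """True when a plaintext-HTTP request was answered with a redirect whose
    target lives on a different registrable domain than the one requested."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    req = urlparse(url)
    if req.scheme != "http" or req.hostname is None:
        return False  # only plaintext traffic is exposed to on-path rewriting
    loc = urlparse(location)
    if loc.hostname is None:
        return False  # relative redirect: stays on the requested origin
    return registrable_domain(loc.hostname) != registrable_domain(req.hostname)


def find_suspicious(exchanges):
    """Return (client, requested URL, redirect target) for every flagged exchange."""
    return [
        (client, url, location)
        for client, url, status, location in exchanges
        if is_suspicious_redirect(url, status, location)
    ]


def exposed_requests(exchanges):
    """URLs that would have been sent in plaintext without an HTTPS-First policy,
    paired with the upgraded form the policy would send instead."""
    return [
        (url, upgrade_to_https(url))
        for _, url, _, _ in exchanges
        if urlparse(url).scheme == "http"
    ]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EXCHANGES):
        print("cross-domain redirect on plaintext request:", hit)
    for original, upgraded in exposed_requests(SAMPLE_EXCHANGES):
        print("HTTPS-First would send", upgraded, "instead of", original)
```

A cross-domain redirect on its own is not proof of injection; plenty of sites legitimately bounce visitors elsewhere. The useful part of the signal is the conjunction: the request was plaintext, so anyone on the path could have written that response, and the destination is not the site the user asked for. The `exposed_requests` output shows the other half of the story: with HTTPS-First applied at the client, those plaintext navigations never happen, so there is nothing for the injector to rewrite.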

Conclusion: The Unseen Battlefield in Your Pocket

In the digital age, your smartphone is not just a communication device; it's a battleground where invisible wars are waged. The recent 0-day exploits discovered in Egypt are a chilling reminder that commercial surveillance vendors are the new mercenaries in this covert warfare. They're not just selling tools; they're selling the power to invade privacy, manipulate data, and compromise security.

But here's the silver lining: the cybersecurity community is fighting back. Collaborative efforts between organizations like Google's TAG and The Citizen Lab are shining a light on these shadowy practices. While we can't eliminate the threat entirely, we can take steps to mitigate it. Keep your devices updated, enable HTTPS-First Mode, and always be skeptical of 'http' sites.

In this ever-evolving game of cat and mouse, staying informed is your best defense. So, the next time you swipe to unlock your phone, remember—you're not just sending a text or checking social media; you're stepping onto a battlefield. Choose your weapons wisely, and may the odds be ever in your favor.

So, the next time you're casually browsing the web, remember: Big Brother—or in this case, a commercial surveillance vendor—might just be watching. Stay safe, netizens!

Actionable Takeaways

  1. Update Your Devices: Always keep your operating systems up-to-date to protect against known vulnerabilities.
  2. Enable HTTPS-First Mode: This can be a simple yet effective way to reduce the risk of MITM attacks.
  3. Be Skeptical of 'http' Sites: If a site isn't using HTTPS, think twice before visiting.