Possible US Government iPhone-Hacking Toolkit in foreign spy and criminal hands

https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

141•alwillis•3h ago

Comments

oxfeed65261•2h ago

mentalgear•2h ago

How could something as sensitive get out of an administration as competent as the current one? At least they have no access to lets say AI or autonomous weapons and the tools of mass surveillance ...

grosswait•34m ago

The constant injection of political view points on hn is becoming exhausting

happyopossum•2h ago

"Possible" stripped from the headline on HN. That word seems particularly important given that it's speculative:

"Clues suggest it was originally built for the US government."

tptacek•1h ago

The Google threat analysis report doesn't say anything about USG involvement; that it was found on compromised Ukrainian sites, has code written in "native English", but also signs of LLM authorship. The Google report says the kit they found can't compromise current iOS, which is a capability you'd assume USG would have --- though it's important remember that "USG" comprises dozens of different buyers each with different toolchains.

Maybe this was the Fisheries Department exploit toolkit.

iVerify, which spun out of Trail of Bits and presumably knows what they're talking about, says it bears "hallmarks" of being connected to USG CNE work. I believe it. But the USG is on net a buyer, not a producer, of CNE tooling. Whatever a given service agency or IC arm buys, dozens of other aligned countries are also buying.

(And, of course, the non-aligned countries have their own commercial supply chains).

bri3d•1h ago

I don't think the ancient nature of the exploit chain has much bearing on the origin. I think it points away from the actual 2025 campaigns being USG-attached, but I don't think anyone was suggesting that to start with - the Google report makes it pretty clear that they believe the same code was resold to several parties, either in parallel or sequentially, around this time frame.

I think the notion here is that either:

* There's a shared upstream origin or author between this toolkit and the Operation Triangulation toolkit ahead of the use in Operation Triangulation (ie - someone sold this chain to both the Operation Triangulation authors and a third party). I actually think that the uses of specifically structured code-names internally and the overall structure of the codebase described in the Google writeup make this theory less likely; building an exploit toolkit while using these practices to cosplay as a US-government affiliated engineer would be clever and fun, but it's not something we've really seen before.

* This toolkit originated from (whether it was leaked, compromised, or resold) the same actor who was responsible for Operation Triangulation.

tptacek•28m ago

Right, I agree with you; my thing is mostly just differentiating between CNE enablement packages the USG itself creates vs CNE enablement packages that are on offer to every USG-aligned country, of which there are a bunch.

Simulacra•1h ago

Good point, that was also struck by the comment that it's infected "tens of thousands" phones. That's a minuscule rounding error.

dang•1h ago

The title limit is 80 chars, if anyone wants to figure out a decent way to squeeze possibility back in there.

alwa•1h ago

“Possible US-Gov-made iPhone-hacking toolkit is now in foreign and criminal hands“ ?

dang•56m ago

We try to avoid abbreviations if possible. You spurred me to take another crack at it and I think it worked this time? Happy to edit again if not...

irishcoffee•58m ago

A US Govt iPhone-hacking suite is now possibly in criminal hands

15 chars to spare!

dang•57m ago

I think the "possibly" is supposed to mean "possibly produced by the US government"

irishcoffee•54m ago

Good point.

doctorpangloss•2h ago

the government doesn't have superpowerful code crackers though

it has a guy working at apple who introduces the subtle vulnerability he is instructed to do

tptacek•1h ago

I expect the evidence for this claim is axiomatic, which is to say that you think it sounds good.

lightedman•1h ago

No, anyone who remembers the Best Buy/FBI debacle knows that this statement is very well-grounded in reality. If you took your laptop to Best Buy for repairs, the FBI got a copy of your hard drive contents.

majorchord•58m ago

Source:

doctorpangloss•53m ago

haha yeah, thanks for the compliment

joshrw•50m ago

Hello, have you heard of the Snowden revelations? What OP was referring to are called bugdoors.

thesuitonym•1h ago

Those two are not mutually exclusive.

8cvor6j844qw_d6•59m ago

Yeah. TAO was intercepting Cisco routers in transit and installing implants.

The leap from supply chain interdiction to cooperative insiders isn't a big one.

everdrive•1h ago

No matter the risk, I must carry my smartphone everywhere and install every app. It would be unimaginable to have the urge to look something up, but then wait to do it later until I'm using a real computer. No negative outcome will EVER shake my deep, permanent need to carry a smartphone all the time and use it for as much as possible.

theearling•1h ago

Webapps exist for a reason, they don't get all the special permissions apps get when fully installed.

at the very least use a VPN / more secure phone like a pixel with graphene

You keep doing you though

thewebguyd•1h ago

Ironically, the exploits in this leaked kit all involved flaws in webkit, so you'd have been safer sticking to native apps assuming they didn't have any webviews in them to load the malicious site.

SpaceManNabs•54m ago

WebView is the worst experience I have on any smart phone or mobile app.

The fact that there is no option so that any webview by default opens in safari across all app in ios is horrible.

i am not surprised it is riddled with security holes.

thesuitonym•1h ago

A VPN won't help you if your device is compromised. A VPN won't help you if the server is compromised. A VPN won't help you if the VPN is compromised.

I really wish people would understand that VPNs are not magical, unbreakable security. VPNs are barely security at all, and commercial VPNs even less so.

theearling•53m ago

oh 100% agree here, I was just confused at the OP comments evangelism of installing and keeping his phone on his for those quick fix google searches

stock_toaster•35m ago

With this administration? Color me unsurprised.

auslegung•3m ago

> In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

People have been hacking iOS since before it was called iOS and they weren't necessarily "well-resourced, likely state-sponsored". See geohot

Don't Make Me Talk to Your Chatbot

MacBook Pro with new M5 Pro and M5 Max

Intel's make-or-break 18A process node debuts for data center with 288-core Xeon

GPT‑5.3 Instant

Claude's Cycles [pdf]

Textadept

Voxile: A ray-traced game made in its own engine and programming language

An Interactive Intro to CRDTs (2023)

The Xkcd thing, now interactive

When AI writes the software, who verifies it?

Don't become an engineering manager

Physics Girl: Super-Kamiokande – Imaging the sun by detecting neutrinos [video]

Launch HN: Cekura (YC F24) – Testing and monitoring for voice and chat AI agents

Possible US Government iPhone-Hacking Toolkit in foreign spy and criminal hands

TorchLean: Formalizing Neural Networks in Lean

I'm reluctant to verify my identity or age for any online services

Arm's Cortex X925: Reaching Desktop Performance

We've freed Cookie's Bustle from copyright hell

MacBook Air with M5

TV's TV (1987) & TV Games Encyclopedia (1988)

OpenAI CEO Sam Altman Defends Pentagon Work to Staff

Disable Your SSH access accidentally with scp

I'm losing the SEO battle for my own open source project

The Two Kinds of Error

GitHub Is Having Issues

Payment fees matter more than you think

Apple Studio Display and Studio Display XDR

Show HN: Open-Source Article 12 Logging Infrastructure for the EU AI Act

Show HN: Online OCR Free – Batch OCR UI for Tesseract, Gemini and OpenRouter

Meta’s AI smart glasses and data privacy concerns

Don't Make Me Talk to Your Chatbot

MacBook Pro with new M5 Pro and M5 Max

Intel's make-or-break 18A process node debuts for data center with 288-core Xeon

GPT‑5.3 Instant

Claude's Cycles [pdf]

Textadept

Voxile: A ray-traced game made in its own engine and programming language

An Interactive Intro to CRDTs (2023)

The Xkcd thing, now interactive

When AI writes the software, who verifies it?

Don't become an engineering manager

Physics Girl: Super-Kamiokande – Imaging the sun by detecting neutrinos [video]

Launch HN: Cekura (YC F24) – Testing and monitoring for voice and chat AI agents

Possible US Government iPhone-Hacking Toolkit in foreign spy and criminal hands

TorchLean: Formalizing Neural Networks in Lean

I'm reluctant to verify my identity or age for any online services

Arm's Cortex X925: Reaching Desktop Performance

We've freed Cookie's Bustle from copyright hell

MacBook Air with M5

TV's TV (1987) & TV Games Encyclopedia (1988)

OpenAI CEO Sam Altman Defends Pentagon Work to Staff

Disable Your SSH access accidentally with scp

I'm losing the SEO battle for my own open source project

The Two Kinds of Error

GitHub Is Having Issues

Payment fees matter more than you think

Apple Studio Display and Studio Display XDR

Show HN: Open-Source Article 12 Logging Infrastructure for the EU AI Act

Show HN: Online OCR Free – Batch OCR UI for Tesseract, Gemini and OpenRouter

Meta’s AI smart glasses and data privacy concerns

Possible US Government iPhone-Hacking Toolkit in foreign spy and criminal hands

Comments