From Pegasus to Predator – The evolution of commercial spyware on iOS [video]

Commercial spyware landscape and NSO/Pegasus

  • Pegasus/Predator are seen as important but not “state of the art” anymore; they are only the visible part of a much larger commercial network exploitation (CNE) industry.
  • Many vendors (often unknown publicly) sell exploit chains and “implant stacks” (rootkit-like persistent malware) to government agencies worldwide.
  • Commercial spyware is considered highly cost‑effective versus traditional human intelligence; even large cost increases may not meaningfully reduce its use.

Lockdown Mode on iOS

  • Strong advocacy for turning on Lockdown Mode for at-risk users to cut large areas of attack surface (JIT, complex media formats, link previews, rich messaging, WebGL/WebRTC, etc.).
  • It is reported to be actively maintained and expanded by Apple, with ongoing exploit notifications.
  • Downsides: breaks some mainstream apps (e.g., support chat), disables newer media formats (e.g., AVIF), and interferes with family-sharing workflows. Many argue ordinary users won’t accept the usability hit.

Defensive posture: iOS vs Android

  • iOS: very locked down, making kernel‑level forensics and live malware extraction on production devices “quite difficult.” Defensive tooling is viewed as still in a “stone age.”
  • Android: ongoing hardening with Rust, memory tagging, hardened allocators, pKVM, and eBPF, but drivers remain a major weak point. Fragmented OEM update practices are seen as a serious security liability versus Apple’s faster, longer update support.
  • Some think users should “assume compromise”; others argue that’s too simplistic and not actionable. Threat modeling and realistic attacker cost are emphasized.

Detection, forensics, and EDR limits

  • Traditional EDR, scanning, and behavioral detection (even using eBPF/XDP) are argued to be largely ineffective against kernel-level or ring‑0 implants that can tamper with telemetry.
  • Counter‑argument: eBPF/XDP can still help block or detect some malicious packets, but critics maintain it cannot reliably defend against a fully compromised kernel.

Societal and policy implications

  • Spyware is used against journalists, activists, and even heads of state; yet political and economic consequences for offenders have been minimal, which signals profitability.
  • Nearly every reasonably wealthy state is said to be a customer of spyware/CNE vendors, making strong international restrictions unlikely.
  • Some call for treating commercial spyware use as a terrorism-level offense, but others argue states depend on these tools and won’t meaningfully regulate them.

Backups, ransomware, and Time Machine

  • Time Machine is not regarded as reliable protection against ransomware in every setup: if the backup share is writable and reachable, ransomware can encrypt the backups as well.
  • In practice, off-device/versioned backups (e.g., remote NAS, cloud with history) can help, but are not a guarantee.

Apple privacy and telemetry concerns

  • Criticism of Apple’s online certificate checks and M1-era mechanisms as “built-in spyware” that can’t be fully disabled.
  • Others link to more measured technical critiques but still treat the behavior as problematic from a privacy standpoint.

Other topics

  • Audio issues in the conference video made it hard to follow; some shared cleaned-up audio.
  • Complaints about slide-reading presentation style and references to critiques of PowerPoint.
  • Web and app developers express frustration with testing on iOS (Safari-only engine, tooling limits) and with the general decline in search engine quality.
  • Disabling 2G on Android is easy on high-end devices but often hidden or removed on cheaper models, where it can still be toggled via hidden service codes.