Key IOCs for Pegasus and Predator Spyware Removed with iOS 26 Update

135 pointsposted 13 hours ago
by transpute
(iverify.io)

82 Comments

sevg

10 hours ago

The article doesn’t define “IOC”, so if (like me) you didn’t know the abbreviation: Indicators Of Compromise.

(They actually do use the expanded form in the article, just without some parentheses afterwards on the first usage of the phrase.)

Maybe everyone but me knows the abbreviation, but in case it helps _someone_ out there!

dry_soup

8 hours ago

Thank you. The only IOC I know of is the International Olympic Committee.

bnastic

7 hours ago

Or if you work in trading, IOC made it a very confusing title

CaptainOfCoit

5 hours ago

I'm a programmer, designer and architect, so my mind immediately went to "Inversion of Control"

misnome

2 hours ago

Or Input/Output Controller (scientific facility control layer tech)

KernalSanders

6 hours ago

Thank you for this!

Abbreviations and acronyms are highly inefficient if not defined clearly and up front. It also creates a division between those who know and those who don't.

I absolutely detested seeing "ISO" suddenly everywhere on Facebook and Nextdoor in place of "in search of". If you didn't know that before, you know it now, but you may also be annoyed by it not being about the international organization for standardization, which also goes by ISO, but not for any reason people would magically guess, without a background in Greek. (ISO explains that, since the acronym would differ in every language, ISO is actually derived from isos, which means "equal". Happy coincidence that it almost matches the name of the organization, but could also become obscure with time and lost history.)

For our company, I've been very clear that we don't make up acronyms unless a layperson could reasonably guess what it stands for, and also not confuse it for something else.

CaptainOfCoit

4 hours ago

> It also creates a division between those who know and those who don't.

Yeah, it's called "expertise" and it isn't as bad as you seem to think. Blogs for security professionals will use jargon and technical words aimed at other security professionals, and that's OK, not everything on the web is for everyone.

Just like how in my game development blog I don't explain what a "loop" is because I'm assuming the audience knows basic programming already, otherwise every article would be balloon out of scope easily.

akerl_

3 hours ago

A quick skim of https://iverify.io/blog makes it seem pretty clear that iVerify’s audience is people who are interested in security, not just existing industry experts.

CaptainOfCoit

3 hours ago

But then skim the submission article and try to evaluate which audience it seems written for.

Considering they have stuff like "Located within the Sysdiagnoses in the Unified Logs section (specifically, Sysdiagnose Folder -> system_logs.logarchive -> Extra -> shutdown.log)" in the article, my guess is that they're aiming for people who at least have a basic understanding of security, not general users, as those wouldn't understand an iota of that.

eviks

an hour ago

Considering there is actualy not an iota of technically security challenging stuff (specifically, any computer user can understand your quote that there is a log file located at some path, there is 0 security understanding required there), using your own logic we can deduce the general audience was the target

CaptainOfCoit

an hour ago

The typical/general computer user wouldn't even understand the ">" character, I think you either don't grasp the wide range of people who sit in front of computers daily, or you over-estimate their ability of grasping computer concepts, because you'd say that sentence to the typical computer user and most of them wouldn't understand most of it.

eviks

34 minutes ago

That's fine, you don't need to understand the > character, it clearly says there is some log file located at some folder.

> because you'd say that sentence to the typical computer user and most of them wouldn't understand most of it.

Yeah, do try that, just not your cut version focusing on the irrelevance of a specific path and the meaning of >, but the whole paragraph. Do see how many people fail to understand that there was some file at some folder. You could even ask extra SAT questions "what do you thing a "shutdown log" is, does it record activities during device shutdown?")

akerl_

2 hours ago

This argument seems neatly circular.

Any example where somebody says an article doesn’t do a great job defining its terms just becomes proof that the authors only wanted readers who already understand the terms.

pcthrowaway

2 hours ago

I think it's fine for the magazine, but I would have liked to see it expanded in the HN submission title, since many of us are not cybersecurity specialists.

CaptainOfCoit

2 hours ago

Some stuff is written for some people, other stuff is written for other people. This shouldn't be hard to understand, nor particularly novel either.

eviks

an hour ago

Good that you added quotation marks, because otherwise it is as bad as he thinks - the typical bad technical communication, wasting the whole first page saying ~nothing with some AI slop image to boot, but not thinking about adding 5 symbols, yes, of course, out of the imaginary fear that the article would "balloon out of scope".

riehwvfbk

2 hours ago

TLAs are not basic knowledge, or expert knowledge. They are expertise theater.

integralid

4 hours ago

I assume this blog post is targeted for the security community, where IoC is universally understood. Of course it is confusing on HN, but authors are free to assume their audience - like we don't define what HTTP, MVC and "btw" mean every time we use it. Or, for a better example, HN and YC are used here all the time, but would be confusing for outsiders (and should be defined outside of HN context).

benzible

9 hours ago

If we didn't already know this, Apple's previous positioning as the privacy company was just branding with zero actual conviction behind it. Now, just as ICE contracts with Paragon for zero-click spyware that bypasses encrypted apps, Apple erases the key forensic artifact for detecting state-sponsored mobile surveillance. Along with Cook's cash-and-gold-for-tariff-exemptions scheme, they're racing to the bottom with the rest of big tech.

vlovich123

4 hours ago

> Apple's previous positioning as the privacy company was just branding with zero actual conviction behind it

As someone who actually worked there a decade ago, that doesn’t reflect the attitudes and positions of people I worked with then. And many people generally tend to stay working at Apple for long periods of time.

I can’t speak if that’s changed or other things happening, but this could easily be just a late-introduced bug as it wasn’t present in earlier betas as someone noticed - my expectation would be such a change would be present quite early. I would be very very surprised something this insignificant was a late introduced change at the request of the government - Apple historically just doesn’t act that way (see the San Bernardino row over unlocking the iPhone for the FBI).

benzible

25 minutes ago

I'm sure the people you worked with still care about privacy, but these decisions get made at the top regardless of what rank-and-file employees think. Apple employees donated nearly 20:1 for Harris over Trump, so we can safely assume they weren't supportive of Tim Cook presenting him with gaudy personal gifts or allowing Stephen Miller to curate the App Store. I suspect Cook personally loathes Trump, in contrast to other CEOs like Zuck, and now Benioff, who are clearly all in. He may even sincerely care about privacy himself, however he's shown zero backbone.

Aurornis

12 minutes ago

> Apple employees donated nearly 20:1 for Harris over Trump, so we can safely assume they weren't supportive of Tim Cook presenting him with gaudy personal gifts

Every company works with whoever gets elected. This isn’t new. It isn’t indicative of political support. It’s just how business is done.

neilv

8 hours ago

Can we assume that Apple will continue to fail to secure the iPhone against these spyware companies?

Gigachad

7 hours ago

Memory integrity enforcement added to the iPhone 17 range is probably going to be huge for preventing future exploits. At risk people should probably also enable lockdown mode.

Hilift

3 hours ago

"fail to secure"?

Do you really think that with all of the years of iPhone device and account takeovers, from a text message requiring no reading or interaction, Apple with their maximum controlled walled garden aren't facilitating? Apple spent billions moving factories because the US government told them to. They are the keymaker.

Apple could do a lot of things, such as preventing the black market for stolen phones from existing. A single city, London, had 80,000 phones stolen in 2024.

"...Onwurah argued that "robust technical measures" such as blocking stolen phones taken overseas from accessing cloud services could make devices "far less valuable".

"She also pointed to comments by Mobile UK, the trade association of the UK's mobile network operators, who said blocking IMEI in other countries was a "necessary step to dismantle the business model of organised crime".

"However, she said when giving evidence, Apple, Google and Samsung had avoided saying why they would not implement the technology." <--**

https://www.bbc.com/news/articles/cx2y037pg41o

gruez

3 hours ago

>Apple could do a lot of things, such as preventing the black market for stolen phones from existing. A single city, London, had 80,000 phones stolen in 2024.

Doesn't iCloud lock basically already makes a stolen iPhone unusable? What more do you want?

dylan604

31 minutes ago

To be able to lock a phone without having access to the iCloud account. If I have devices on my account that was provided to someone to use with their own iCloud account but they refuse to turn them over to me, there is no way I can shut that account down. I can report the IMEI as stolen, but they are free to continue using it as a wifi only device. If they attempt to move the device to a new provider, they are supposed to say no since the IMEI is reported stolen. Not sure how well the lower tier providers pay attention to that though.

TL;DR if the device is stolen from you by a stranger, this is possible. If the device is stolen from you by someone you permitted to use the device, this is not possible

gruez

17 minutes ago

>TL;DR if the device is stolen from you by a stranger, this is possible. If the device is stolen from you by someone you permitted to use the device, this is not possible

I suspect these kinds of thefts are a small fraction of the "80,000 phones stolen in 2024" that OP was talking about. Moreover the only plausible case I can think of this happening is for corporate devices, which can be MDN enrolled and locked to a particular organization.

dylan604

8 minutes ago

Small business (<5 people) that doesn't have an IT staff. Even a civil case is too expensive to do anything about it.

hopelite

41 minutes ago

I’m not sure of the whole dynamic of the stolen phone black market, but if iPhones are still stolen, it seems iCloud lock does not sufficiently deter the practice.

gruez

13 minutes ago

Right, because they're broken down for parts, but there's only so much you can do. For one, every time Apple tries to do something to lock down parts, right to repair people decry it as some sort of trojan horse to shut down third party repairs. Moreover even with parts serialization, there's only so much you can do. There's no inherent way for a bag of electrolytes to identify itself to a phone. The best you can do is add a chip to it and identify using that, but you can't prevent that chip from being transferred.

hulitu

2 hours ago

> Can we assume that Apple will continue to fail to secure the iPhone against these spyware companies?

Fail is an overstatement. Apple is part of PRISM and the functionality is working as intended. When a hole becomes public, it is quickly patched.

saagarjha

6 hours ago

I guess at scale every minor fix is a spacebar heater for someone else. I assume Apple is probably going to bring this back to pacify the iVerify people but long term they are going to keep making these changes and mercenary spyware is going to learn how to hide itself better. I really think it’s time to start thinking about strategies that go beyond forensic artifacts…

isodev

3 hours ago

> I assume Apple is probably going to bring this back to pacify

Pegasus and Predator were VERY widely publicised exploits in iOS, I find it shortsighted for Apple not to have control over how these get identified in the first place.

It's also frustrating that the entire "your iPhone is safe and private" assumption is a black box and we only have Fruitcorp's assurances that they're doing the right thing. So imagine, people finding all kinds of bugs on iOS26 ... how is one to believe these bugs and glitches don't extend into security features as well?

saagarjha

3 hours ago

Obviously they do, hence the market for exploits. I'm not sure what you are suggesting they do differently, though.

isodev

2 hours ago

The opposite of what the blogpost informs us they did? Provide more tools and systems to discover and diagnose vulnerabilities, make components open source/open audit, etc. There is non perfect system, but a closed imperfect system is worst.

saagarjha

an hour ago

I agree but the blog post is completely orthogonal to that

darkamaul

8 hours ago

I’d assume that erasing the shutdown log is also a security measure from Apple, attackers could use it to better understand crash conditions or device behavior.

That said, if we take Apple’s stance on privacy seriously, users should also have deep inspection capabilities on their own devices. After all, they’re supposed to own them.

charcircuit

6 hours ago

>After all, they’re supposed to own them.

Just because you own a device, that doesn't mean the manufacturer is obligated to add features you want.

user2722

6 hours ago

I think he/she was being ironic. You either own it or Apple owns it.

Since there is no sideload and the criptographic keys belong to Apple, then the device belongs effectively to Apple and you just rent it for a fixed fee.

You can't both own it and not own it depending on the situation, thus exposing Apple's hypocrisy as a well-intended parentified gatekeeper just protecting the users/childified adult users.

brookst

35 minutes ago

> I think he/she was being ironic. You either own it or Apple owns it.

That’s really reductive thinking. I guess the idea is to blur all the different connotations of “own” into one thing and assert they are all the same?

I “own” a car, but am not allowed to drive it in some situations (if I’m drunk, on the wrong side of the freeway, …). Does that mean the state actually owns it?

Disregarding context in favor of reductive binaries is the #1 sign of zealotry. You see it everywhere: either a movie is original or it’s not, so Avatar is / isn’t (pick one) because it follows familiar tropes / innovated in visual arts (pick one).

The world is actually contextual. The moment you throw that out, no meaningful statement can be made.

charcircuit

6 hours ago

Goods for the mass consumer all work like this. The manufacturer creates a product and consumers by it if those features provide them value. If a device doesn't have a feature such as online diagnostics they are free to buy a different product instead. If people really want to add their own features they are free to modify the device. It's more economical to just buy another device which is why you don't see people replacing the parts needed to develop your own software on an iPhone. Easy user modification of the OS is not a feature of iPhone and if added could hurt the quality of the product.

Another way to think of this is imagine if Apple burned the OS into a ROM chip. That doesn't make them the owner of the device because the user can't write to the ROM chip. By that logic no one would own the device because no one can update it, but that can't really be true.

kace91

5 hours ago

I think a difference is that apple has the means to change the behavior of the device after the fact in ways that the person that purchased the product doesn’t.

This is unique to modern technology, and the fact that they sell you the house keeping sole ownership of the keys to certain rooms is indeed worth examining I think.

cbarrick

an hour ago

> If people really want to add their own features they are free to modify the device.

Except that they are not actually given that freedom.

The entire notion of free software is that users should be free to modify the software stacks of their devices.

Very few consumer devices are free in that sense. You can't run a custom OS on an iPhone.

brookst

32 minutes ago

Free software is a value prop, not a law. And it is counter to the value prop that one entity is entirely responsible for all of the software (even if Apple doesn’t write every line of code, they are responsible for every bit that ships).

Not everyone cares about the bits. It’s true that the vast majority of consumers prefer having a single supplier to having freedom to run their own bits.

sim7c00

7 hours ago

what privs u need to read shutdown log vs what privs u need to see running programs?

apple always trying to hide things and lock people more out of how the device works. they use privacy as an excuse and even sue and jail ppl who try to look at things properly.

frontfor

6 hours ago

When did Apple “sue and jail ppl” for “try to look at things properly”? I’m pretty sure Apple isn’t legally allowed to jail people.

notmyjob

37 minutes ago

I’ve been told repeatedly by high ranking members of the apple support forum to never look at logs. Only schizos and idiots look at the logs they said. Even experienced apple developers don’t look at the logs I was told. This makes me question everything about apple support, especially the “geniuses” that work at the Apple Store.

transpute

7 hours ago

This change was not present in iOS26 betas, hopefully Apple will fix soon, https://www.youtube.com/watch?v=PHijS6jLPxI&t=304s

> If you care about your iOS device security.. reboot every day.. writes a list of running processes to this shutdown.log file.. If you have processes that shouldn't be running, they will get written to this shutdown.log file.. allows you to go back in time and check for IOCs.

nl

8 hours ago

It seems like the author's don't believe this was a deliberate attempt by Apple to hide Spyware:

> Consider holding off on updating to iOS 26 until Apple addresses this issue, ideally by releasing a bug fix that prevents the overwriting of the shutdown.log on boot.

darkoob12

9 hours ago

I always suspected someone inside Apple is making sure that these phones stay vulnerable for Israeli hackers or they don't really fix their bugs.

notepad0x90

9 hours ago

it's possible,but iphones are apple's flagship product. it would be disastrous for them. i don't think any government contract is worth the cost. They're not google or Microsoft, they're not that big in the enterprise side of things.

I'm sure if such a relationship became public,most Americans will forget about it in few weeks time and half will be surprised what the big deal is. But apple will lose out on Asia and Europe where it has solid competition. Their hardware is their bread-and-butter.

It is more plausible for the US government to have planted or extorted an asset working as a developer at apple than apple itself making such a monumentally foolish decision.

Google and Microsoft on the other hand, that I am fairly certain of.

But... i digress a bit, only because Tim Cook was kissing the proverbial king's ring a lot lately. donations are one thing, giving gold gifts in person and on national tv is another.

sschueller

9 hours ago

Tim Cook gifted trump a gold base with a glass plate on it like some peasant to a king in front of camers. Apple will bend over backwards to please governments so don't be surprised when it turns out not everything is as secure as claimed in their walled garden.

nl

8 hours ago

I'm not a particular fan of Apple but the gold thing seemed like a good, cheap way to get on Trump's good side, which led to them somehow magically avoiding tariffs.

I don't think I'd read more into it than that.

jlarocco

an hour ago

Yeah, that's always how bribery works.

From Wikipedia: "Bribery is the corrupt solicitation, payment, or acceptance of a private favor (a bribe) in exchange for official action."

brookst

30 minutes ago

Yes, everyone knows. It was transparently a bribe.

But let’s not motte bailey that into proof that Apple intentionally ships backdoors.

pprotas

7 hours ago

Yes, that is exactly the problem. No need to read more into it.

zimpenfish

6 hours ago

> the gold thing seemed like a good, cheap way to get on Trump's good side

Which, whilst morally repugnant, does make business sense - if Apple got hit by tariffs or other penalties, you can be sure the Carl Icahn style leeches would be popping out of the woodwork complaining that Tim Cook was ruining Apple / the share price / etc. and trying to orchestrate shareholder and/or board revolts.

(And Good Lord, imagine the threads on here if Apple's value dropped just because Tim Cook didn't give a hideous piece of tat to Trump.)

demarq

6 hours ago

It wouldn’t be a disaster, Apple already donates to the IDF. They literally have IDF among their staff.

How is none of this public knowledge

vlovich123

4 hours ago

Active serving IDF are also employed by Apple? I know there’s a lot of ex-IDF people in Silicon Valley but since the IDF is mandatory all it means is ex-Israeli people. They could still be secretly working for the Mossad but that’s generally something you can claim true of all foreign nationals - they’re also possibly just normal people with talent and experience.

demarq

4 hours ago

I’d like to clarify with a couple of questions.

- Are you saying that you believe apple is picking someone who is a real wizz with css, but because of the country’s laws they had to serve with the IDF?

- Are you saying the formality of having to be a former of your previous employer, as part of taking on new employment is to be unexpected in any way?

vlovich123

3 hours ago

I really don’t understand the questions and they bely an ignorance of things or are intentionally provocative (and not coherent) but I’ll try.

Firstly, the exploits in play would not be introduced by a “css whiz kid” first of all. Creating holes for rootkits like Pegasus requires deep low level expertise.

Secondly, AFAIK all the teams that would be involved on working on that are located in Cupertino - so these people had to relocate to the US.

But yes, I think finding anyone who was a child in Israel and didn’t serve in the IDF is very difficult. This is doubly-so for the tech sector since the IDF is often where they obtain their initial technical education and are serving between 18 and 21.

Unless you’re blanket just going to disallow recruiting from Israel or hiring people who moved from Israel to the US and might even be US citizens. But then you’re also going to have to explain why you’re applying this policy to Israelis and not Koreans, Singaporeans, Taiwanese, Norwegians, who have similar mandatory service requirements (plenty of countries do).

I’m not saying that Mossad don’t try to get their own secret agents working long term undercover in these places. But that’s also true of other secret services of enemies and allies alike and I would think they’re less likely to generate exploits intentionally and more likely to gather information and look for exploits by having access to source, documentation, and able to get information from peers. But Israelis having previously worked in the IDF doesn’t really provide any signal to me on the motivations or beliefs of that person.

demarq

3 hours ago

> But Israelis having previously worked in the IDF doesn’t really provide any signal to me on the motivations or beliefs of that person

You know what, you’re absolutely right. But you’d be wrong if it turns out it’s not the general IDF we’re talking about, and specifically not one all Israelis have to serve. And that Google has all the good stuff.

But anyway I’m going to let you believe what you believe about a corporation that makes “donations” to a military, and I’m going to believe what I believe.

vlovich123

3 hours ago

Can you elaborate so I can educate myself? Speaking in innuendo isn’t helpful for a discussion like this.

LtdJorge

4 hours ago

Are you saying that Apple should ban hiring Israelis since all of them have to serve in the IDF?

op00to

3 hours ago

Can you try your questions again, but this time coherently?

wat10000

2 hours ago

The Israeli military takes corporate donations?

andrewflnr

9 hours ago

> It is more plausible for the US government to have planted or extorted an asset working as a developer at apple

This is indeed how I read the comment you replied to.

aucisson_masque

9 hours ago

> I'm sure if such a relationship became public,most Americans will forget about it in few weeks time and half will be surprised what the big deal is. But apple will lose out on Asia and Europe where it has solid competition. Their hardware is their bread-and-butter.

Everyone is somewhat aware that their phone are not impermeable to government agencies and it doesn't matter, that's the case for Americans of course because they are well used to it, but also for Europeans.

If they were to purposely make 'mistake' to allow Israeli spying companies to compromise their phone, it most likely wouldn't change anything.

whatevaa

5 hours ago

It wouldn't be disastrous. Most won't care. A lot of fanatic fans would buy an i-dildo if that was ever a thing and would say that it's the best thing ever.

userbinator

8 hours ago

I hope they're making them stay vulnerable for jailbreakers.

flyinglizard

8 hours ago

It's spectacular how, when Israelis are involved, entire R&D organizations can suddenly become sinister cabals that operate in complete secrecy across ranks.

/s

notepad0x90

9 hours ago

I just wanna say how ridiculous it is that forensics on iphones is done via backup archives. If apple at least included a full system memory dump along with the backup that'd be better. If only the allowed system-extensions like on macos that run in EL1+ for security monitoring.

axoltl

13 minutes ago

I do vulnerability research. Those things would do the exact opposite of what you're aiming for. They'd be received with glee by mercenary spyware companies, _especially_ being able to load things into higher levels of privilege.

CaptainOfCoit

5 hours ago

> If apple at least included a full system memory dump along with the backup that'd be better

Wouldn't that make it easier for people to find vulnerabilities and more importantly (for Apple)? Which would allow people to find vulnerabilities for rooting the phone, something Apple really seems hellbent on preventing.

hulitu

4 hours ago

> I just wanna say how ridiculous it is that forensics on iphones is done via backup archives.

Why would somedy want to disturb in memory exploits ? /s

t0lo

2 hours ago

Deliberate?

londons_explore

7 hours ago

This is dumb - now that this is known, attackers will make sure that they edit the shutdown.log file to be perfectly byte for byte identical to an uninfected device.

So the log has no value

zimpenfish

6 hours ago

They already did:

> Researchers have noted instances where devices known to be active had their shutdown.log cleared, alongside other IOCs for Pegasus infections. This led to the conclusion that a cleared shutdown.log could serve as a good heuristic for identifying suspicious devices.

Which is why the article is pointing out that a cleared `shutdown.log` is no longer an indicator of Pegasus infections (because it now happens every boot.)