ICE obtains access to Israeli-made spyware that hack phones and encrypted apps

bawolff

In some ways I think the most interesting aspect is that the US federal government has to outsource its spyware.

Is it just that the NSA is unwilling (legally prevented?) to share their toys? It's hard to imagine they don't have capabilities like this.

tptacek

(1) Everybody outsources "spyware".

(2) NSA does not in fact have to outsource spyware (they may do it for convenience/situational logistics).

(3) US federal law enforcement and intelligence agencies all have multiple vendors for this stuff.

vFunct

NSA isn't allowed to spy on US citizens. NSA is a US military organization under Department of Defense, and Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

One of the few good things revealed by Edward Snowden's leaks was the fact that the NSA has filters for intercepted communications to filter out comms from US citizens. This was in top-secret programs that had no reason to be publicly known, and yet the NSA still had these filters installed anyway, because everyone in the NSA understands that they're not a law-enforcement agency, because of Posse Comitatus.

dragonwriter

> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

Strictly speaking, that's not correct. The Posse Comitatus Act just changes the status of using the military as a police force from “allowed because any person or group can be deputized as a police at any time”, to “the US military can be used as a police force only under the laws specifically allowing and governing the US military as a police force.”

(Of course, the Posse Comitatus Act is a criminal law, which means in practice the primary mechanism for enforcing it is for the executive branch to arrest and prosecute offenders. This works tolerably well to prevent, say, a rogue sheriff calling up his buddy who happens to command an infantry company to come help out, but not particularly well to dissuade the President from directing the military for policing as a matter of Administration policy.)

In principle the courts can constrain the government based on it, as well, but it is noteworthy that the determination that the deployment was illegal in the case filed by the State of California almost immediately when courts were open after the initial LA deployment was announced on June 7 and before troops arrived on June 10 was just released, on September 2, nearly 3 months later. And is on hold for 10 days to give the government time to appeal. So, one might consider the courts to not be a meaningful constraint, here.

ThinkBeat

They just feed it to GCHQ, no law against that.

If one of the Five Eyes is somehow forbidden to analyse something, they just send it to one of the others where it is legal.

ronsor

> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US

No, we're allowing that now for some reason.

anthem2025

Because SCOTUS is openly corrupt, partisan, and ideologically driven?

bawolff

> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

Sure, but I don't think (IANAL) that it prevents technology transfer.

mattnewton

Who says that isn’t happening?

BoardsOfCanada

So what would you say about the PRISM and Upstream programs where metadata about millions of Americans was collected? Doesn't it seem as if they could target any US citizen by just pretending to target any foreigner they communicate with?

https://www.aclu.org/news/national-security/five-things-to-k...

x0x0

I suspect the NSA doesn't want to burn their 0-days on this.

itqwertz

I suspect Israel does whatever they want under the auspices of national security, gives “private” cybersecurity corporations latitude to circumvent international laws, then packages it all up to sell to the highest bidder.

bawolff

It seems pretty unlikely that selling a zero-day to a state actor is a violation of international law, unless the vendor knows that state actor intends to use it to commit an internationally wrongful act.

Like at the very worst - selling "cyberweapons" would follow the same rules as selling actual weapons.

I don't super follow US politics, but I don't think we are at the point where ICE is committing crimes against humanity - which I think is what would be required for this transaction to violate international law.

tptacek

As usual, I want to point out how silly these analyses are, because there is a whole ecosystem of companies (incl. several directly connected to major US defense contractors, and many more across the NATO countries) that provide exploit development and maintenance and implant technology. The only reason you hear about companies like Paragon is because they're comfortable being named; the ones you haven't heard about are more capable and more plugged in.

Every time a story on HN comes up about how bug bounties are underpaid and how much exploits are worth, I recite the bit about how serious grey-market vendors can run up the score on a serious vulnerability by (1) selling the same vulnerability to every IC/LEO agency in allied countries and (2) selling maintenance contracts to convert those agencies into recurring revenue. These are the companies I'm talking about when I say that. I'm never thinking of Paragon.

Of course ICE has exploit and implant tech.

jsheard

> [Paragon] has said that [...] it only does business with democracies. It has also said it has a no tolerance policy and will cut off government clients who use the spyware to target members of civil society, like journalists.

> Paragon also refuses to disclose who its clients are and has said it does not have insight into how its clients use the technology against targets.

Well colour me convinced!

reflexe

<removed by me>

ktallett

The latter suggests it has no ability to know the former.

jsheard

Yeah, that's what I was getting at.

0cf8612b2e1e

The nature of the exploits is surely secret, but I wonder if Lockdown Mode is at all effective at blocking these attacks.

OutOfHere

There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder.

mandeepj

I wonder if those apps can be operated from a secure vault or conclave

Edit:

Something like this, but for phones

https://learn.microsoft.com/en-us/windows/security/applicati...

exceptione

https://grapheneos.org/features

(Microsoft and security are distinct concepts, btw.)

OutOfHere

I already have two secure conclaves in my phone, and they're already used up for other apps, e.g. finance apps, etc. One of them uses Work Profile and the other uses Knox. I don't think that more such regions are allowed on non-rooted Android.

As for iOS, to my knowledge it doesn't allow for any such app segregation.

In general, we need stronger per-app isolation such that a zero-day affecting one app doesn't grant any access to anything else.

mandeepj

Seems like you have an Android! I wrote my parent comment in the context of an iPhone. Sorry for not clarifying earlier.

upofadown

SMS is inherently plain text. I think a user would have to click on a link for an attack to work.

PieTime

They have developed zero-click exploits before.

OutOfHere

Link previews would do the trick, and let me confirm that the Google Messages app for SMS does show link previews with no way to disable them.

"Expressive animations" are yet another vector because their rendering can be exploited.

As for MMS, it is a known prominent risk.

t123278713247

Ehud Barak was on Paragon's board of directors. Barak also invested with Epstein in Carbyne:

https://www.jns.org/jns/benjamin-netanyahu/23/6/2/292333/

Other data collection/surveillance software from the Epstein circle include PROMIS (Robert Maxwell allegedly sold a backdoored version), Chiliad (FBI search software, Christine Maxwell, seems legit) and CargoMetrics (Ghislaine Maxwell's husband, maritime container tracking).

jMyles

Important story for sure, but this reporting is subpar IMO.

> When it is successfully deployed against a target, the hacking software – called Graphite – can hack into any phone. By essentially taking control of the mobile phone, the user – in this case, Ice – can not only track an individual’s whereabouts, read their messages, look at their photographs, but it can also open and read information held on encrypted applications, like WhatsApp or Signal. Spyware like Graphite can also be used as a listening device, through the manipulation of the phone’s recorder.

"When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)? Is there a background whistleblower between the lines here, or is this just paraphrasing the Wired reporting from last year?

> John Scott-Railton, a senior research at the Citizen Lab at the University of Toronto, who is one of the world’s leading experts on cases in which spyware like Graphite has been abused by governments, said in a statement that such tools “were designed for dictatorships, not democracies built on liberty and protection of individual rights”.

Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

> The US government has in the past resisted using spyware technology made outside the US because of concerns that any company that sells technology to multiple government agencies around the world represents a potential security risk.

Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

> “As long as the same mercenary spyware tech is going to multiple governments, there is a baked-in counterintelligence risk. Since all of them now know what secret surveillance tech the US is using, and would have special insights on how to detect it and track what the US is doing with it,” Scott-Railton said. “Short of Paragon cancelling all foreign contracts, I’m not sure how this goes away.”

...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

But how this goes away is: we learn how the exploit works and develop countermeasures.

The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

The discussion on the front page of HN yesterday on the thread, "We should have the ability to run any code we want on hardware we own" was refreshing and felt like the first real consensus we've had around here on this topic in several months. Specifically, it seems like we all now agree that our mobile devices have reached a combination of complexity and (state-assisted) corporate control that they are no longer safe for everyday use.

And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

I do not believe that there is an avenue for addressing this via institutional influence - the cited examples of Saudi Arabia, Italy, and the United States, despite having dramatically different configurations of state authority (and, probably in most people's minds, levels of legitimacy as states in the first place), all present identical attack surfaces in the face of "Graphite" and similar exploits.

The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

tripletpeaks

I don’t suppose anything a bit less-serious is available to normies?

I have an iPhone that died on vacation and was set to backup only on WiFi (I've since changed that setting, haha, whoops) and has a couple days of photos stuck on it that weren't backed up. It boots and makes noise but the screen is dead. Uncertainty about how broken it is has kept me from paying the not-cheap cost to get a screen replacement, and I haven't found a way to read its data over a cable without unlocking via the screen first (which doesn't work, and its touch-sensing capacity also seems to be dead, so blind input doesn't do it, or else I could probably unlock it with a couple tries and get it to connect to WiFi it already knows and do its backup, but it won't do that without being unlocked).

seadan83

Gotta say, you sound hypercritical.

> "When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)?

This is not a research paper where the Guardian needs to go into those details. Those details are known based on previous incidents/issues and general knowledge.[1]

> Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

Guardian articles are pretty short. They're not going to quote someone when all they are trying to get is that these are risky tools that invite abuse. So they interviewed an expert who could give a quote to that effect. Why is that shovelled in? This is very much "WHY" someone should care. It's a core tenet of journalism: don't just present what, but also some analysis of what it means.

> Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

Yeah, are they going to link to 30 different articles and so forth? Here you go, a quick reference: [2]

> ...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

Why does any of the quote sound cherry-picked? The context seems clear: other governments use this tool, if USG does too, then other governments know the capabilities. It's an intrinsic problem. Seems to be completely conveyed via the quotes, and that was presumably the reason to interview this additional person.

> The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

How this happens is WAY out of scope of the article. This is a general news article that is around 300 or so words. It's not a security bulletin or a tech-focused article. Why do you expect these details? Can you give any other examples from, say, the LA Times, BBC.co.uk, or any other similar news services?

> And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

This does seem implied. The quote "were designed for dictatorships, not democracies built on liberty and protection of individual rights" is really saying this, no? Like, it's saying exactly, this technology is a concern because it can be abused and is a tool for authoritarian countries and not democracies.

> The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

I agree with your premise here. In this case, the article that the USG is adopting these tools should be well alarming to you.

[1] https://citizenlab.ca/2025/06/first-forensic-confirmation-of...

[2] https://www.federalregister.gov/documents/2023/03/30/2023-06...

bawolff

Well, you're certainly correct; as a tech person I'm nonetheless always disappointed by mainstream media reporting on these things, as the "how" and "what" bit is by far more interesting to me than anything in the article.

The actual article is pretty old news and uninteresting - yes, US police have used spyware for "surveillance". This is not new by any means. Similarly, a number of Israeli private companies have made a name for themselves selling spyware software on, let's say, the grey market. This is well known by now.

The only interesting thing to know would be how this particular piece of software works.

zapataband2

Yeah, I thought it was widely known that "deploy" could be as simple as sending a text message. The recipient did not even need to open it in the case of Pegasus.

jMyles

So you're presuming that there is an exploit that allows a remote attacker to install "Graphite" via a text message? That is not stated here - or anywhere - as it was over and over again in the case of Pegasus (and similarly, the trumpets sounded when the patch was fixed a couple weeks later).

The reporting here is markedly more imprecise, and it's frustrating.

kittikitti

The amount of companies actively using Israeli spyware like BrightData and Imperva is outstanding. All their data goes through their networks. I don't trust any government led site because they are all incredibly incompetent and corrupt. The United States is on their last legs.

ktallett

I feel the key change we as civilians need is to move to a non-local stored detail. Where our devices are access points to decentralised mesh networked apps. These companies and governments have been proven time and time again to not obey appropriate measures for invalid reasoning.

popalchemist

All other things being equal, local storage is always going to be preferable to cloud storage, because the surface of attack is intrinsically limited by the need for having the physical device in hand.

mandeepj

I don’t think what you are proposing is going to work!!

> Where our devices are access points

Then that would be your exposure

krunck

"[Paragon] has said that ... it only does business with democracies."

That's rich coming from a company in a country that is committing genocide and has run an apartheid regime for decades.

pbiggar

Hardly a democracy when it occupies Palestine, and Palestinians can't vote in Israeli elections.

bawolff

Allowing the population of an occupied territory to vote in elections of the occupying power is illegal under international law.

Generally speaking, in theory, the occupying power is supposed to be a caretaker - they aren't supposed to take any action that integrates the occupied territory into the main territory. Allowing occupied territories to vote in the occupying power's elections is considered a form of integration. Doing so is considered acquiring territory via annexation, which is illegal under the UN charter.

(See for example Israel when the international community yelled at them for allowing people in Golan Heights to vote).

kelthuzad

While your point about international law is technically correct, it is also a masterclass in deliberate evasion. You are not engaging with OP's argument, but you're using a legal footnote to sidestep the clear and openly stated intent of the system he's condemning. Leading human rights organizations like Amnesty International and Human Rights Watch have a precise legal term for this system, which is built on that very intent: apartheid. [1][2] "Israel is not, cannot be democratic based on Jewish superiority - No honest Israeli citizen can claim that the Palestinian citizens of Israel live as equal citizens in the State of Israel." [3]

This isn't a secret. Israeli officials have long been explicit that their policies are guided by the goal of maintaining demographic control. As Netanyahu declared, "Israel is not a state of all its citizens... but rather the nation-state of the Jewish people and only them." This driving intent is what gives rise to the entire apparatus of control. It is legally enshrined in constitutional law through the 2018 Nation-State Law, which reserves the right of self-determination for Jews alone. This legal supremacy is then enforced through a two-tiered justice system in the West Bank, where Israeli settlers are governed by rights-respecting civil law while their Palestinian neighbors are subjected to draconian military orders. This judicial separation, in turn, enables the physical re-engineering of the land: a state policy of systematic land dispossession confiscates Palestinian property for settlements, while a discriminatory planning regime makes it nearly impossible for Palestinians to build, leading to routine home demolitions. The ultimate result is the deliberate fragmentation of Palestinian life into disconnected enclaves, which B'Tselem calls 'territorial islands' carved up by walls, checkpoints, and permit regimes designed to sever social and political ties.

Your narrow focus on the procedural illegality of a vote under occupation law is a calculated deflection from this reality. The disenfranchisement of Palestinians is not an incidental legal problem, it is a fundamental and necessary pillar for maintaining this regime of apartheid. You are meticulously explaining the legality of the lock on the cage, while deliberately ignoring that the crime is the cage itself.

[1] https://www.hrw.org/report/2021/04/27/threshold-crossed/isra...

[2] https://www.amnesty.org/en/latest/campaigns/2022/02/israels-...

[3] https://www.jpost.com/opinion/article-734439

ktallett

It's odd this has been downvoted. There isn't anything factually incorrect. All statements have been proven.

SirFatty

Because it has nothing to do with the story, perhaps?

Fnoord

Every Israeli is drafted when reaching adolescence. Intelligent tech people end up in Unit 8200 (part of the IDF). These young people end up with a plethora of experience, using it for their career or even security-related startups, yet loyalty often lies with the state of Israel.

The legal presence / country of a company very likely performing a genocide is very much relevant and on topic. Look up the dark history of companies like IBM and IG Farben and the term "Wir haben es nicht gewußt".

anthem2025

It speaks to the credibility of the people involved when they claim to protect journalists.

ktallett

I would say it is relevant as it shows that the company are potentially being dishonest about their intentions and marketing.

CLPadvocate

Actually, nothing of this has ever been proven - it was claimed and repeated thousands of times - but nothing of this is considered a proof in the real world.

hdgvhicv

If you ignore any statement other than from the Israeli government, then sure.

> The world's leading association of genocide scholars has declared that Israel is committing genocide in Gaza.

> A resolution passed by the International Association of Genocide Scholars (IAGS) states that Israel's conduct meets the legal definition as laid out in the UN convention on genocide.

> Across a three-page resolution, the IAGS presents a litany of actions undertaken by Israel throughout the 22-month-long war that it recognises as constituting genocide, war crimes and crimes against humanity.

And then there’s

> B'Tselem and Physicians for Human Rights-Israel released separate reports on Monday based on studies of the past 21 months of conflict. The organisations, which have been active in Israel for decades, said in a joint statement that "in these dark times it is especially important to call things by their name", while "calling on this crime to stop immediately".

What level of proof would you find acceptable?

ktallett

I would say at this point, given government statements and declarations and then actions that occur directly after, they have proven they have broken international law.

fwip

https://www.ohchr.org/en/press-releases/2024/11/un-special-c...

I'm curious what your angle here will be - that these events never happened, that these events don't constitute genocide, or that this isn't "proof."

dttze

[flagged]

fortran77

It's nice when people, countries, and organizations can collaborate to make the world safer.