Ethical Hacking News

The FBI's Mobile Security Failures: A Call to Action for a More Comprehensive Approach


The FBI's lackluster advice on mobile security has sparked concerns among lawmakers and their staff. A prominent senator is calling for a more comprehensive approach to address this issue.

  • The FBI faced criticism from Senator Ron Wyden for its lackluster guidance on mobile security.
  • The agency's advice was deemed insufficient to protect Senate employees and other high-value targets against foreign spies.
  • Wyden argued that well-funded foreign intelligence agencies use advanced "zero-click" capabilities to infect victims with spyware without any action by the victim.
  • The senator called for the FBI to encourage lawmakers and their staff to enable anti-spyware defenses built into Apple's iOS and Google's Android phone software.
  • Wyden pointed out that the FBI did not provide clear guidance on how to take advantage of security features, despite an updated advisory from Apple.
  • A recent zero-click attack was documented using Paragon's Graphite spyware, highlighting concerns about current security measures.
  • Senator Wyden urged the FBI to update its training to recommend additional steps for mobile device security.



    The Federal Bureau of Investigation (FBI) recently faced criticism from a prominent senator, Ron Wyden, regarding its advice on mobile security. The agency's lackluster guidance has sparked concerns among lawmakers and their staff, who are deemed high-value targets in the eyes of foreign spies.

    In May 2025, the FBI briefed Capitol Hill staff on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. The briefing aimed to educate staff members on basic security measures such as not clicking on suspicious links or attachments, not using public Wi-Fi networks, turning off Bluetooth, keeping phone software up to date, and rebooting regularly.

    However, Wyden argued that this advice was insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools. He emphasized that well-funded foreign intelligence agencies do not rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Instead, they employ sophisticated "zero-click" capabilities that can deliver spyware without any action by the victim.

    Wyden stressed that the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple's iOS and Google's Android phone software. For instance, Apple's Lockdown Mode restricts non-essential iOS features to reduce the device's overall attack surface. Similarly, Google Android devices carry a feature called Advanced Protection Mode.

    The senator also pointed out that in February 2025, Apple updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1. However, the FBI did not provide clear guidance on how to take advantage of this fix or other security features.

    Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon's Graphite spyware earlier this month. The vulnerability could be exploited by sending a booby-trapped media file delivered via iMessage. Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on.

    The incident has raised concerns about the effectiveness of current security measures and the need for more comprehensive advice from law enforcement agencies. Wyden's letter to FBI Director Kash Patel calls for a more robust approach to mobile security, one that would include enabling anti-spyware defenses and providing clear guidance on how to take advantage of existing security features.

    Weaver, a researcher with the International Computer Science Institute, noted that lawmakers are at exceptional risk and need to be exceptionally protected: their computers should be locked down and well administered, and the same applies to staffers. Apple's Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, Citizen Lab documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.

    The Wall Street Journal reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country's most influential people.

    The execution of this phishing and impersonation campaign suggested that the attackers were financially motivated and not particularly sophisticated. Even so, the incident highlights how exposed such high-value targets are, including to foreign spies with far greater resources.

    In a letter this week to the FBI, Wyden urged the agency to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-FBIs-Mobile-Security-Failures-A-Call-to-Action-for-a-More-Comprehensive-Approach-ehn.shtml

  • https://krebsonsecurity.com/2025/06/senator-chides-fbi-for-weak-advice-on-mobile-security/

  • https://cloudindustryreview.com/senator-criticizes-fbi-for-inadequate-mobile-security-guidance/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-43200

  • https://www.cvedetails.com/cve/CVE-2025-43200/


  • Published: Mon Jun 30 16:26:24 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.