Paragon: Yet Another Cyberweapons Arms Manufacturer

Forbes has the story:

Paragon’s product will also likely get spyware critics and surveillance experts alike rubbernecking: It claims to give police the power to remotely break into encrypted instant messaging communications, whether that’s WhatsApp, Signal, Facebook Messenger or Gmail, the industry sources said. One other spyware industry executive said it also promises to get longer-lasting access to a device, even when it’s rebooted.


Two industry sources said they believed Paragon was trying to set itself apart further by promising to get access to the instant messaging applications on a device, rather than taking complete control of everything on a phone. One of the sources said they understood that Paragon’s spyware exploits the protocols of end-to-end encrypted apps, meaning it would hack into messages via vulnerabilities in the core ways in which the software operates.

Read that last sentence again: Paragon uses unpatched zero-day exploits in the software to hack messaging apps.

Posted on August 3, 2021 at 6:44 AM9 Comments


Fed.up August 3, 2021 11:28 AM

The threat isn’t the private companies who are exploiting smart phones. The threat is that smart phones are designed to be exploited. This is a Big Tech “Do as I say, not as I do” moment. Big Tech believes they control the world’s data. This is just another aspect of their censorship. Perhaps if Israel was a Big Tech favored nation, they would be allowed to peek behind the curtain like other nations do.

Big Tech fails to accept that so long as they are abusing data, they cannot control who else does so. There are lots of companies that do so. Even household names.

Nokia is re-rereleasing a 2002 2G phone that won’t work with apps. Why? There’s demand for it.

Everyday there’s another article about the shortage of Cybersecurity professionals. That’s entirely hogwash. Various Cyber regulations and frameworks identify Cybersecurity stafff turnover as an indication of potential compromise or lack of cyber hygiene. Turnover reflects badly on employers, not employees. If a Cyber employee leaves a job it is because no one wants to tarnish their resume with a breached employer. That’s career ending. Although Cyber recruiters don’t understand this nor do they get how to assess Cyber candidates. Recruiters interview cyber candidates the same way they interview engineers and sales staff, by assessing their communication skills. Which is absurd. The best Cybersecurity professionals are neurotypical.

But back to data. The biggest reason why an employer cannot find Cyber employees is their online application process. When an employer uses a insecure or (cookie tracking) intrusive applicant tracking system (ATS), most qualified candidates will pass on applying. If an employer doesn’t respect an employee’s security during the application process, there’s no shot that a qualified Cybersecurity professional will be protected while working there. Some of the biggest companies in the world ATS systems scrapes candidates devices. But if you are doing that, then your competitors are too. Compromised employees are compromised employers.

Just like everyone knew that the subprime mortgages were a bad idea, no one was willing to admit that until the world’s economy crashed. So to be upset that Israeli intelligence companies figured out how to scrape data on phones is disingenuous and disregarding that Iran and everyone else does it too.

Too bad there’s no 2G networks left in the US. There’s 1000’s of companies that scrape app data including your alerts and passwords. India and Vermont realizes this and publishes a list with some of them. If you need to communicate something private do it face to face or send a handwritten letter or smoke signals. Any other form of communication is presently not private.

Leon Theremin August 3, 2021 12:19 PM

0-days are nothing when all CPUs have hardware implants by design. BadBIOS exists. Security and privacy do not.

Common, Schneier already said that the DoD knows what China is doing with the radio towers. The US military is either complicit or won’t exist for much longer – TikTok being unable to operate makes this obvious.

0day yeah right August 3, 2021 4:20 PM

“Paragon uses unpatched zero-day exploits in the software to hack messaging apps.”

Maybe Bruce begins to think a little bit and not to use meaningless buzzwords?

First level is vulnerability that nobody knows, only a few government attackers do. How manufacturer can patch it when he don’t even know about it? Where here is a zero day count?

Second level is when info about that vulnerability is public but there’s no patch. Information about that vulnerability can last from 1 day to even a year when they finally release patch. Again, where here is here zero day count?

Third level is, when patch is released. Information is public, you are aware of this, you patch it when you can. Maybe here that “zero day” finally applies – you patch it on the same day. Or is it already 1day, because by original definition (look at linked wiki) you must get patch before the official release to be qualified 0day.


“The term “zero-day” originally referred to the number of days since a new piece of software was released to the public, so “zero-day software” was obtained by hacking into a developer’s computer before release.”

In means of hacking 0day is a complete idiotic misnomer. Stop using those idiotic buzzwords. Yes, media likes them, they help to sell their click-bait “creation”.

Andy August 4, 2021 1:19 PM

Bruce, you can’t have it both ways. You rightly argued that FBI shouldn’t mandate insecure backdoors of “nobody but us” kind. Instead they should develop the know how of how to access the data. Don’t blame the “arms manfacturing” industry for finding holes and willing buyers.

R-Squared August 4, 2021 7:48 PM

>>> One of the sources said they understood that Paragon’s spyware exploits the protocols of end-to-end encrypted apps, meaning it would hack into messages via vulnerabilities in the core ways in which the software operates.

Read that last sentence again: Paragon uses unpatched zero-day exploits in the software to hack messaging apps.

That is NSA, with Five Eyes + Israel.
With inside help from CIA, Mossad, Interpol, Europol, Bundesnachrichtendienst, etc., they have largely bypassed FBI+DOJ and “gone loco” to railroad suspects on surveillance-intelligence-based charges through small town “local” jurisdictions where the government “knows us best” and the so-called “parallel construction” of evidence cannot be questioned as subornation of perjury, intimidation of witnesses or other obstruction of justice because the source of the surveillance intelligence — brought in court as unqualified “information” without the Fifth Amendment due process of presentment or indictment by a grand jury — is deemed “classified” at the small town “local” law enforcement level.

To wit: hxxps://

Clive Robinson August 6, 2021 3:22 PM

@ Bruce, ALL,

Read that last sentence again: Paragon uses unpatched zero-day exploits in the software to hack messaging apps.

So what?

I’ve been saying this would happen for years on this blog now.

Are people going to wake up to “the bleeding obvious” only when somebody exploits a glaring security fault and tries to con venture capitalists with it?

I’m sorry but the “Security Guru” and “self appointed comms security” alleged experts who have had their “love ins” with the likes of Signal, WhatsApp, Telegram and all those other supposadly “Secure Messaging Apps” they all claimed were secure but were actually nothing of the sort by basic design, realy need to apologise. They need to say “My Bad”, “I was wrong”, “Mea Culpa” and much much more besides.

As for the likes of Moxie Marlinspike and all those awards and other baubles, he’s been given “because of Signal” he should hand them back…

I’ve repeatedly said of all the faux/bogus secure messaging apps, that “the security end point is in the wrong place with respect to the communications end point” are people going to actually listen now?

Or just keep sleepwalking into security faults so obvious that they can be easily exploited by any moderatly thoughtful undergraduate level programmer who thinks such an attack would make a good “term project”.

But more importantly I’ve also said what needs to be done to defeate these rather sad silly little exploits that they are trying to spin up as the basis for billion dollar Unicorns, once and for all.

So who want’s to know how to permanently defeat such idiots who design the likes of WatsApp, Signal, etc and the other idiots that exploit such obviously glaring gaping great security failings the apps come built in with?

It’s not difficult and I must have said it a half dozen times or more alteast already on this blog…

ResearcherZero August 10, 2021 12:32 AM

In the Ohio pen register application, the government wrote explicitly that it only needs to provide three facts to get approval to use a pen register, none of which provide any background on the relevant investigation. They include: the identity of the attorney or the law enforcement officer making the application; the identity of the agency making the application; and a certification from the applicant that “the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.”


the Pen Register Act within the Electronic Communications Privacy Act of 1986

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.