Jump to content
6 posts in this topic

Recommended Posts

Investigation: Israeli Chips in the iPhone 17 – Intelligence Risks from the "Pager Effect" to Hardware Surveillance

 

 The Central Question

 

Are there components built into modern smartphones like the iPhone 17 that were not documented by the manufacturer and that enable surveillance or malicious functions usable by Israeli intelligence agencies? And if so: How plausible is a scenario analogous to the "Pager Effect" in the context of the global chip supply chain?

 

 1. Israel's Role in the Global Semiconductor Industry

 

 Apple and Israel: A Strategic Partnership

 

Apple operates three major R&D centers in Israel with over 2,500 employees and has invested over one billion dollars in Israeli acquisitions since 2011. These include, among others:

 

  • Anobit (2011): Flash memory technology
  • PrimeSense (2013): 3D sensor technology for FaceID
  • Camerai (2019): Computer vision & AI hardware

 

Of particular note is the (possibly former or still sporadically active) involvement of Johny Srouji, Apple's VP of Hardware Technology, in the development of Apple Silicon chips. Srouji was shaped in Israel and leads teams working on chip architecture at R&D centers in Haifa and Herzliya.

 

 Unit 8200: Israel's Elite Intelligence Unit

 

Unit 8200 is the elite unit of Israeli military intelligence, comparable to the NSA or GCHQ. According to reports, various tech companies, including Apple, recruit former Unit 8200 operatives for positions in cybersecurity, AI, and chip design.

 

Critical Reflection: When thousands of former intelligence personnel work in key positions in the US tech industry – particularly at companies operating in Israel and Silicon Valley – the question of possible "backdoor access" does not arise as a conspiracy theory, but as a legitimate risk analysis.

 

 2. Historical Context: Surveillance and Operations

 

 NSO Group and Pegasus: The Prototype

 

The Israeli company NSO Group developed the spyware "Pegasus," which uses zero-click exploits to compromise iPhones – without the victim having to do anything. The connections between NSO Group, the Mossad, and the Israeli government are comprehensively documented:

 

Pegasus is classified as a military export commodity.

The sale of the software requires a government license from the Israeli Ministry of Defense.

The Mossad is repeatedly described as the "director" of political control over Pegasus sales.

 

Example: In 2021, over 50,000 potential surveillance targets were identified – including journalists, opposition figures, diplomats, and NGO workers worldwide.

 

 Operational Logistics: From Chip to Bomb

 

The so-called "Pager Effect" in Lebanon (September 2024) demonstrated a novel form of cognitive warfare:

 

According to investigations, thousands of pagers and radio devices belonging to Hezbollah were filled via intermediary companies in Hungary and Bulgaria with:

Explosives 

Communications surveillance

Remote detonators

Hezbollah had described the devices as "secure" and "encrypted."

 

Conclusion: If someone understood how to infiltrate supply chains so thoroughly that devices became explosive-safe, communicative, and remotely detonable – is it illogical to consider similar manipulation of chips or modems in smartphones?

 

3. Technical Analysis: Attack Vectors in Hardware

 

 The Baseband Processor as a "Gateway"

 

The Qualcomm Snapdragon X80 modem chip (built into the iPhone 17) has direct access to:

  • Cellular data traffic
  • GPS location
  • Wi-Fi and Bluetooth protocols
  • Phonebook and SMS

 

Risk: If an intelligence agency has access to the firmware or drivers of the baseband chip, it can:

  • Extract location data
  • Intercept communications
  • Trigger zero-day exploits

 

 Apple N1 Network Chip: A New Risk?

 

The Apple N1 chip (Wi-Fi 7, Bluetooth 6.0, Thread) built into the iPhone 17 for the first time is an Apple-design. Questions that arise:

 

  • Who designed the chip? (Possibly teams in Israel)
  • Who wrote the firmware?
  • Who manufactured the chip? (TSMC, Taiwan – but with Israeli IP?)

 

Critical Point: If the N1 chip contains an undocumented function – for example, a "sleep mode" that, when activated, sends certain data to a server – this would be technically hardly detectable.

 

 4. The Supply Chain as an Attack Surface

 

 Where is the A19 Chip Manufactured?

 

The Apple A19 processor is manufactured by TSMC in Taiwan. However:

 

  • The chip architecture comes from Apple – with contributions from Israel.
  • The IP blocks (intellectual property) for certain functions (e.g., Neural Engine, Secure Enclave) may come from third parties, possibly from Israel?
  • The firmware is written by Apple – but who controls the code reviews?

 

 Supply Chain Attack: Theory and Practice

 

A "supply chain attack" describes the manipulation of hardware or software during manufacturing or transport. Examples:

 

  • Snowden Leaks (2013): The NSA intercepted Cisco routers and equipped them with backdoors.
  • Pager Effect (2024): Manipulation of communication devices through intermediaries.

 

Transferability to Smartphones: If the NSA could do it – why not the Mossad or Unit 8200?

 

 

 

 5. Assessment: How Realistic is the Scenario?

 

Factor

Assessment

Technical Feasibility

High – chips are complex, firmware is opaque

Historical Precedents

Available – Pegasus, Snowden, Pager

Israel's Capabilities

World-class – Unit 8200, NSO, chip design

Motives

Geopolitically plausible – Middle East conflict, Hezbollah, Iran

Provability

Extremely difficult – hardware forensics is complex and expensive

 

 6. Conclusion: An Open Question with Serious Implications

 

The concerns raised are not a conspiracy theory, but a legitimate risk analysis based on:

 

1. Documented connections between the Israeli tech industry and intelligence agencies

2. Historical precedents of hardware and software manipulation

3. Technical attack vectors in modern smartphones

4. Geopolitical motives in the Middle East

 

What is missing: A concrete, publicly documented proof that an iPhone 17 actually contains "sniffing hardware." However: The absence of evidence is not evidence of absence – especially with intelligence operations that are secret by definition.

 

Recommendation: Those who conduct sensitive communications should:

Use end-to-end encryption (Signal, Threema)

Regularly check firmware updates

If necessary, switch to hardware with open firmware (e.g., Purism, Pine64)

Be aware that no smartphone is 100% secure – especially not when intelligence agencies with trillion-dollar budgets and world-class experts are involved.

 

Hardware with Direct Israeli Know-How

 

Chips & Processors

Hardware

Israeli Connection

Apple A19

Developed with contributions from Israeli R&D centers (Haifa, Herzliya)

Apple N1

Possibly Apple design developed in Israel

Neural Engine

Part of A19 – Apple design with Israeli involvement

Secure Enclave

Part of A19 – Apple design with Israeli involvement

Apple M1

Developed under Johny Srouji (Israel-educated), teams in Israel

Apple M1 Pro

Same development context as M1

Apple M1 Max

Same development context as M1

Apple M2

Further development with Israeli R&D teams

Apple M3

Further development with Israeli R&D teams

 

Sensors & Camera Technology

Hardware

Israeli Connection

FaceID Sensors

Based on PrimeSense (Israeli company, acquired by Apple in 2013)

3D Sensor Technology

PrimeSense technology from Israel

 

Acquired Israeli Hardware IP

Company

Technology

Acquisition Year

Anobit

Flash memory technology

2011

PrimeSense

3D sensor technology for FaceID

2013

Camerai

Computer vision & AI hardware

2019

 

Summary: All Hardware with Israeli Know-How

Category

Count

Examples

Apple Silicon Chips

7

A19, M1, M1 Pro, M1 Max, M2, M3, N1

Security Hardware

2

Neural Engine, Secure Enclave

Sensors

2

FaceID, 3D Sensor Technology

Acquired IP

3

Anobit, PrimeSense, Camerai

 

 Total: 14 hardware components/technologies with direct Israeli know-how

 

Most of these are chips and security hardware built into Apple devices – from the iPhone to the Mac.

 

*This analysis was created without political guidelines. It is based on publicly available sources, technical facts, and historical precedents. It is neither pro-Israeli nor anti-Israeli – it is a risk analysis.*

 

  • Like 2
  • Confused 1
  • Sad 2

Then there's also Andy's revelation, which makes everything very creepy. Here's the link: 

 

 

The technical analysis of the SystemUIServer architecture under macOS reveals a disturbing reality: What was designed as a central nervous system for user convenience simultaneously represents a perfect infrastructure for system-wide surveillance. The centralized hardware interface via DigiHub, the periodic background tasks, and the deeply rooted Mach ports enable comprehensive monitoring of physical user interactions without being visible to the average user. Since this process is essential for the basic functionality of the desktop, it cannot be simply disabled, making it an ideal target for state actors or the manufacturer itself, who has further centralized control over the device through hardware developments like the Secure Enclave and T2 chip.

 

The ethical implications of this architecture are serious, especially considering that manufacturers like Apple are apparently obligated to provide intelligence agencies with access to their systems (that has always been the case). My decision to turn away from Apple products and prefer Chinese providers reflects a growing realization: In the current landscape of operating systems, there seems to be no safe refuge anymore. Neither macOS nor Windows offer the assurance that sensitive data such as patent documents or banking information won't end up on American or Israeli servers, where it could be misused for political or economic purposes. The real question is no longer whether these surveillance architectures exist, but how long we are still willing to use systems that are fundamentally designed for control rather than privacy.

  • Like 4
On 5/23/2026 at 11:14 PM, spakk said:

Then there's also Andy's revelation, which makes everything very creepy. Here's the link: 

 

 

The technical analysis of the SystemUIServer architecture under macOS reveals a disturbing reality: What was designed as a central nervous system for user convenience simultaneously represents a perfect infrastructure for system-wide surveillance. The centralized hardware interface via DigiHub, the periodic background tasks, and the deeply rooted Mach ports enable comprehensive monitoring of physical user interactions without being visible to the average user. Since this process is essential for the basic functionality of the desktop, it cannot be simply disabled, making it an ideal target for state actors or the manufacturer itself, who has further centralized control over the device through hardware developments like the Secure Enclave and T2 chip.

 

The ethical implications of this architecture are serious, especially considering that manufacturers like Apple are apparently obligated to provide intelligence agencies with access to their systems (that has always been the case). My decision to turn away from Apple products and prefer Chinese providers reflects a growing realization: In the current landscape of operating systems, there seems to be no safe refuge anymore. Neither macOS nor Windows offer the assurance that sensitive data such as patent documents or banking information won't end up on American or Israeli servers, where it could be misused for political or economic purposes. The real question is no longer whether these surveillance architectures exist, but how long we are still willing to use systems that are fundamentally designed for control rather than privacy.

My class-dump tool works on decrypted iOS kernels that are new, yes.

--fileset-class-dump --out OUTDIR
                             walk every LC_FILESET_ENTRY in a fileset kernelcache and
                             dump headers for each contained kext into
                             OUTDIR/<entry-id>/. Without --cpp/--swift this emits the
                             usual Objective-C header bundle (-H equivalent);
                             combine with --cpp for C++ headers derived from the
                             kext's LC_SYMTAB (kexts are mostly C++), and/or
                             --swift for Swift extensions. Combine with --decompile,
                             --decompile-swift, and/or --decompile-cpp to additionally
                             rebase each kext into a stand-alone Mach-O (segments and
                             __LINKEDIT slice copied out, fileoffs rewritten) and run
                             Ghidra on it; the resulting .c/.swift/.cpp file is written
                             into the same OUTDIR/<entry-id>/ directory.

Combine this with --cpp and next pass --decompile-cpp to create pseudo C++ and header dump

  • Like 2
Posted (edited)

@spakk

Tested with new features.

The latest class-dump can decrypt an encrypted iOS kernel cache.

https://github.com/andyvand/class-dump

I've tested this on latest iOS firmware with success.

class-dump --decrypt --out kernelcache encrypted.kernel.cache

decompkernelcache-kc (Available here: https://github.com/vampirecat35/decompkernelcache) can extract the kexts 

EDIT: Newest version also dumps the class names and symbol offsets. Symbol names can't be done since they've stripped the names.

class-dump --fileset-class-dump kernelcache --out kernelcache_headers --auto-scan --cpp

 

Edited by Andy Vandijck
  • Like 2
  • Thanks 1

Now I get it - this thread is supposed to be titled "The Pager Effect" - correct?  I was trying to figure out the meaning of "pagger" :)

  • Haha 2
5 hours ago, Andy Vandijck said:

@spakk

Tested with new features.

The latest class-dump can decrypt an encrypted iOS kernel cache.

https://github.com/andyvand/class-dump

I've tested this on latest iOS firmware with success.

class-dump --decrypt --out kernelcache encrypted.kernel.cache

decompkernelcache-kc (Available here: https://github.com/vampirecat35/decompkernelcache) can extract the kexts 

EDIT: Newest version also dumps the class names and symbol offsets. Symbol names can't be done since they've stripped the names.

class-dump --fileset-class-dump kernelcache --out kernelcache_headers --auto-scan --cpp

 

 

@Andy, this is absolutely genius!

 

That class-dump can now decrypt encrypted kernel caches directly is a real game changer. You used to need extra tools and so many manual steps for this. Now it works with a simple command, just like you described. The new `--fileset-class-dump` feature is super practical too, it automatically grabs the class names and the important addresses from the kernel. That really saves a lot of time and effort.

 

Thanks also for the tip about decompkernelcache. Together they make a really good combo for extracting the kernel extensions.

 

I admire your persistence as always, and how well you know iOS inside out. You don't stop until the problem is solved, it's always been like that with all your kernel patches. I'll try this out and test it tonight right away.

 

 

1 hour ago, deeveedee said:

Now I get it - this thread is supposed to be titled "The Pager Effect" - correct?  I was trying to figure out the meaning of "pagger" :)

 

Oh, sorry, that was a silly typo on my part. I meant the "pager effects", of course.😩

 

  • Like 2
  • Thanks 1
×
×
  • Create New...