Citizen Lab security researchers have uncovered an exploit they say has been used by government clients of NSO Group, the Israeli spyware company, to silently hack iPhones and other Apple devices since February 2021.
The discovery, which was made while researchers were examining a Saudi activist’s cell phone, was shared with Apple, which released a patch to fix the vulnerability on Monday.
The researchers said the speed with which Apple moved to fix the vulnerability in its operating system, which left even the latest iPhones and iOS releases open to attack from NSO Group’s government customers, underlined the “absolute gravity” of their findings.
“Today is going to be a tough day at NSO as the lights are going to go out on one of their most productive exploits,” said John Scott-Railton, senior researcher at Citizen Lab.
When successfully deployed against a target, NSO Group’s spyware, called Pegasus, can silently hack into a phone, collect a user’s personal and private information, intercept calls and messages, and even turn a mobile phone into a remote listening device.
NSO Group has stated that its spyware is only intended for use by licensed law enforcement agencies to target criminals and terrorists. But investigations – including the recent publication of the Pegasus Project by the Guardian and other media – have revealed ways the spyware has been used by government clients to target journalists and human rights activists around the world.
Asked for comment, NSO Group released a statement saying, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with vital technologies to fight terrorism and crime.”
Citizen Lab said it was able to make a “high confidence attribution” that the exploit was created by NSO Group because the researchers observed “several distinctive elements” in it. An exploit is code that takes advantage of a technical vulnerability, here to install spyware on a phone, and the exploit code recovered by Citizen Lab contained a specific bug that the researchers had previously associated only with NSO Group’s Pegasus.
“We believe the bug is distinctive enough to link to NSO,” Citizen Lab said in a blog post.
The researchers also found that the exploit, which they named FORCEDENTRY, was tied to multiple process names – identifying characteristics of the malicious code – including one seen in a previous attack using NSO Group spyware against an Al Jazeera reporter in July 2020.
NSO Group said it could not reveal the identity of its customers. But the Guardian previously reported that NSO Group had abandoned Saudi Arabia as a client following Citizen Lab’s report that the kingdom was likely responsible for dozens of attacks on Al Jazeera journalists in 2020.
The development marks more bad news for Apple. Forensic examinations of phones conducted by both Citizen Lab and Amnesty International’s security lab found that even the most recent iPhones, running the most recent version of iOS, were vulnerable to Pegasus attacks.
Apple did not immediately respond to a request for comment.
But Citizen Lab said the company was releasing a fix for the exploit on Monday and urged all Apple users to update their devices as soon as possible, in particular any Apple device still running an iOS version earlier than 14.8.
The exploit discovered by Citizen Lab targets a “zero-day” vulnerability, one that was unknown to Apple and unpatched while it was being used, and it is zero-click: it infects a phone without the user opening anything or having any idea that the device has been hacked. In this case, the FORCEDENTRY exploit used a weakness in Apple’s iMessage feature to silently send a target files that carried a .gif extension but were actually Adobe PDF files containing malicious code.
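The mismatch described above, a file named as a GIF whose bytes are really a PDF, is the kind of thing an attachment pipeline or a forensic triage script can test for before handing the file to a parser. The check below is an added example written for this page; it is not code from Citizen Lab, Apple or NSO Group and says nothing about how iMessage itself handles attachments. It compares the claimed extension with the file signature actually present, and, because Acrobat-style PDF readers accept the `%PDF-` header anywhere in the first 1024 bytes (ISO 32000-1, Annex H), it searches that window rather than only the first bytes, so a file that opens with a valid GIF header and carries a PDF header shortly after is flagged as a polyglot. The sample attachments are constructed inline; the 1024-byte window is an assumption about tolerant readers, not a documented property of any Apple component.

```python
"""Extension-versus-content check for incoming attachments.

Added example for this page; not code from Citizen Lab, Apple or NSO Group.
The sample attachments at the bottom are constructed, not captured data.
"""
from __future__ import annotations

import os

# Magic bytes for the formats this check understands.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Which format a given file extension claims to be.
EXTENSION_FORMAT = {
    ".gif": "gif",
    ".png": "png",
    ".jpg": "jpeg",
    ".jpeg": "jpeg",
    ".pdf": "pdf",
}

# Assumption: tolerant PDF readers accept the header anywhere in the first
# 1024 bytes (Acrobat's documented behaviour), so we scan that far for it.
PDF_HEADER_WINDOW = 1024


def sniff_formats(data: bytes, pdf_window: int = PDF_HEADER_WINDOW) -> set[str]:
    """Return every known format whose signature is present in the data.

    Image formats must start at offset 0; PDF is searched within pdf_window
    bytes because readers tolerate leading junk before the %PDF- header.
    """
    found: set[str] = set()
    for fmt, magics in SIGNATURES.items():
        for magic in magics:
            if fmt == "pdf":
                if data.find(magic, 0, pdf_window + len(magic)) != -1:
                    found.add(fmt)
            elif data.startswith(magic):
                found.add(fmt)
    return found


def check_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment's content agrees with its extension."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_FORMAT.get(ext)
    found = sniff_formats(data)

    if claimed is None:
        verdict, reason = "reject", "unknown extension"
    elif claimed not in found:
        verdict = "reject"
        reason = f"content is {sorted(found) or 'unrecognised'}, not {claimed}"
    elif len(found) > 1:
        # Claimed format is present, but so is another: a polyglot file.
        verdict, reason = "reject", "polyglot"
    else:
        verdict, reason = "accept", "extension matches content"

    return {
        "file": filename,
        "claimed": claimed,
        "found": sorted(found),
        "verdict": verdict,
        "reason": reason,
    }


# Constructed samples: a real 1x1 GIF, a PDF wearing a .gif extension,
# a GIF/PDF polyglot, and an honest PDF.
SAMPLES = {
    "holiday.gif": (
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
        b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    ),
    "photo.gif": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "sticker.gif": b"GIF89a" + b"\x00" * 64 + b"%PDF-1.4\n%%EOF\n",
    "report.pdf": b"%PDF-1.5\n%%EOF\n",
}


def triage(samples: dict[str, bytes] = SAMPLES) -> list[dict]:
    """Run the check over every sample and return the verdicts."""
    return [check_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in triage():
        print(f"{result['file']:12} {result['verdict']:6} {result['reason']}")
```

Running the block prints one line per sample; only `holiday.gif` and `report.pdf` are accepted, `photo.gif` is rejected because its content is a PDF, and `sticker.gif` is rejected as a polyglot. A rejection here is a reason to route the file to a sandboxed parser or drop it, not proof of an exploit: benign mislabelled files are common, and a determined attacker can also hide the payload inside a format the check considers legitimate.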
“Our latest discovery of another Apple zero-day being used as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism as a service’ for non-accountable government security agencies,” the researchers said.
Bill Marczak, who first discovered the exploit at Citizen Lab, said the findings also underscored the importance of securing popular messaging apps, which are increasingly targeted by sophisticated threat actors.
“As currently designed, many chat apps have become an irresistible soft target. Without an intense focus on engineering, we believe they will continue to be heavily targeted and successfully exploited,” Citizen Lab said.