Zero-click iMessage zeroday used to hack the iPhones of 36 journalists


Thirty journalists had their iPhones hacked in July and August using what was, at the time, a zero-day iMessage exploit that did not require victims to take any action to become infected, researchers said.

The exploit and the payload it installed were developed and sold by NSO Group, according to a report released Sunday by Citizen Lab, a group at the University of Toronto that investigates and exposes hacks of dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire in recent years for selling its products to groups and governments with poor human rights records. NSO disputed some of the findings in the Citizen Lab report.

The attacks infected target phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording ambient audio and phone calls, taking photos, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers were unaware of at the time. Apple has since fixed the bug with the release of iOS 14.

More successful, more stealthy

In recent years, NSO exploits have increasingly required no user interaction at all – such as visiting a malicious website or installing a malicious app – in order to work. One reason so-called zero-click exploits are effective is that they have a much better chance of success, since they can hit targets even when the victims have considerable training in preventing such attacks.

In 2019, Facebook said attackers had exploited a vulnerability in the company’s messenger to target 1,400 iPhones and Android devices with Pegasus. Both Facebook and outside researchers said the exploit worked simply by calling a targeted device. The user did not have to answer the call, and once the device was infected, the attackers were able to delete any log showing that a call attempt had been made.

Another key advantage of zero-click exploits is that they are much harder for researchers to track afterward.

“The current trend toward zero-click infection vectors and more sophisticated forensic capabilities is part of a broader shift across the industry to more sophisticated and less detectable surveillance,” Citizen Lab researchers Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis and Ron Deibert wrote. “Although this is a predictable technological development, it increases the technological challenges faced by both network administrators and investigators.”

Elsewhere in the report, the authors wrote:

More recently, NSO Group is shifting toward zero-click exploits and network-based attacks, which allow its government customers to break into phones without any interaction from the target and without leaving visible traces. The 2019 WhatsApp breach, in which at least 1,400 phones were targeted by an exploit sent via a missed voice call, is an example of this shift. Fortunately, in that case, WhatsApp notified the targets. However, it is more difficult for researchers to track these zero-click attacks, as targets may not notice anything suspicious on their phone. Even if they notice something like “strange” calling behavior, the event may be transient and leave no trace on the device.

The shift to zero-click attacks by an already secretive industry and its customers increases the likelihood that abuses will go undetected. However, we continue to develop new technical means of tracking surveillance abuses, such as new network and device analysis techniques.

Citizen Lab said it concluded with medium confidence that some of the attacks it discovered were supported by the United Arab Emirates government and others by the Saudi government. The researchers said they suspected that the 36 victims they identified – including 35 journalists, producers, anchors and directors from Al Jazeera and one journalist from Al Araby TV – were only a small fraction of those targeted in the campaign.

NSO responds

In a statement, a spokesman for NSO wrote:

This report is, once again, based on speculation and has no evidence to support a connection with NSO. Instead, it relies on assumptions made solely to fit the Citizen Lab agenda.

NSO provides products that enable government law enforcement agencies to tackle only serious organized crime and counterterrorism, and, as has been stated in the past, we do not operate them. However, when we receive credible evidence of misuse, with sufficient information to allow us to assess its credibility, we take all necessary steps in accordance with our investigation procedure to review the allegations.

Unlike Citizen Lab, which has only “medium confidence” in its own work, we know that our technology has saved the lives of innocent people around the world.

We wonder if Citizen Lab understands that by pursuing this agenda, it provides irresponsible corporate actors, as well as terrorists, pedophiles and drug cartel bosses, with a handbook for evading law enforcement.

In the meantime, NSO will continue to work tirelessly to make the world a safer place.

As mentioned earlier, zero-click zero-days are difficult, if not impossible, to defend against, even for users with extensive security training. However powerful these exploits are, their high cost and the difficulty of procuring them mean they are used only against a small population of people. This means the vast majority of mobile device users are unlikely ever to be targeted by these types of attacks.

In a statement, Apple officials wrote: “At Apple, our teams work tirelessly to enhance the security of our users’ data and devices. iOS 14 is a major leap in security and has offered new protections against these types of attacks. The attack described in the research was highly targeted by nation states against certain people. We always urge customers to download the latest version of the software to protect themselves and their data.”

An Apple spokesman said the company had not been able to independently verify Citizen Lab’s findings.

Researchers have not yet pinpointed the exact iOS vulnerability used in these attacks, but Citizen Lab says the exploits do not work against iOS 14, which was released in September. Anyone using an older version should upgrade.