“Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones


Smartphones belonging to more than three dozen journalists, human rights activists, and business executives have been infected with powerful spyware that an Israeli firm sells, purportedly to catch terrorists and criminals, The Washington Post and other publications reported.

The handsets were infected with Pegasus, full-featured spyware developed by NSO Group. The Israel-based exploit seller has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries have been found using the malware against journalists, activists, and other groups not affiliated with terrorism or crime.

Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target’s iPhone or Android device, Pegasus immediately trawls through a wealth of the device’s resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps.

iPhone 12 running iOS 14.6 felled

According to research jointly done by 17 news organizations, Pegasus infected 37 phones belonging to people who don’t meet the criteria NSO says are required for its powerful spyware to be used. Victims included journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi, according to The Washington Post. Technical analysis from Amnesty International and the University of Toronto’s Citizen Lab confirmed the infections.

“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” Amnesty International researchers wrote. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”

All 37 infected devices were included in a list of more than 50,000 phone numbers. It remains unknown who put the numbers on it, why they did so, and how many of the phones were actually targeted or surveilled. A forensic analysis of the 37 phones, however, often shows a tight correlation between time stamps associated with a number on the list and the time surveillance began on the corresponding phone, in some cases as brief as a few seconds.
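The time-stamp correlation described above is, at its core, a join between two timelines: when a number appears on the list and when the first indicator of compromise shows up in the device's forensic record. The script below is an added example written for this page, not the tooling used by Amnesty International or Citizen Lab; the phone numbers, time stamps, artifact labels and the five-minute "tight" window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): phone numbers on a leaked
# target list and the time each number was added to it.
LIST_ENTRIES = {
    "+10000000001": "2021-07-01T10:15:00",
    "+10000000002": "2021-07-02T08:00:00",
    "+10000000003": "2021-07-03T12:00:00",
    "+10000000004": "2021-07-04T09:00:00",
}

# Constructed forensic timeline: earliest indicator of compromise observed
# on each handset during analysis. Number 3 has no indicator at all.
DEVICE_EVENTS = [
    {"number": "+10000000001", "first_ioc": "2021-07-01T10:15:04", "artifact": "constructed-indicator-A"},
    {"number": "+10000000002", "first_ioc": "2021-07-09T23:00:00", "artifact": "constructed-indicator-B"},
    {"number": "+10000000004", "first_ioc": "2021-07-04T08:30:00", "artifact": "constructed-indicator-C"},
]


def correlate(list_entries, device_events, window=timedelta(minutes=5)):
    """Join list entries to device timelines by number and classify how
    tightly the first on-device indicator follows the listing time.

    Returns one dict per listed number with a 'status' of:
      tight_correlation         indicator within `window` after listing
      weak_correlation          indicator later than `window` after listing
      indicator_precedes_listing  indicator before the listing time
      no_indicator              device analysed but nothing found
    The window is an assumed analyst threshold, not a value from the report.
    """
    by_number = {e["number"]: e for e in device_events}
    results = []
    for number, listed_at in list_entries.items():
        listed = datetime.fromisoformat(listed_at)
        event = by_number.get(number)
        if event is None:
            results.append({"number": number, "status": "no_indicator"})
            continue
        first = datetime.fromisoformat(event["first_ioc"])
        delta = first - listed
        if delta < timedelta(0):
            # An indicator older than the listing weakens the causal story
            # and should be reported rather than silently dropped.
            status = "indicator_precedes_listing"
        elif delta <= window:
            status = "tight_correlation"
        else:
            status = "weak_correlation"
        results.append({
            "number": number,
            "delta_seconds": delta.total_seconds(),
            "status": status,
            "artifact": event["artifact"],
        })
    return results


def summarize(results):
    """Count how many numbers fall into each correlation status."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in correlate(LIST_ENTRIES, DEVICE_EVENTS):
        print(r)
    print(summarize(correlate(LIST_ENTRIES, DEVICE_EVENTS)))
```

The point of keeping the negative-delta and no-indicator cases as explicit statuses is that a correlation argument is only as strong as its exceptions: an analyst needs to see how many listed numbers did not line up, not just the ones that did.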

meanwhile, said 15,000 politicians, journalists, judges, activists, and teachers in Mexico appear on the leaked list.

As detailed here, hundreds of journalists, activists, academics, lawyers, and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations, including CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.

“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals,” Sunday’s Washington Post said. “The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”

NSO pushes back

NSO officials are pushing back hard on the research. In a statement, they wrote:

The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the “unidentified sources” have supplied information that has no factual basis and [is] far from reality.

After checking their claims, we firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.

NSO Group has a good reason to believe the claims that are made by the unnamed sources to Forbidden Stories are based on [a] misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.

The claims that the data was leaked from our servers [are] a complete lie and ridiculous, since such data never existed on any of our servers.

In its own statement, Apple officials wrote:

came to light in 2016 when Citizen Lab and security firm Lookout found it targeting a political dissident in the United Arab Emirates.

Researchers at the time determined that text messages sent to UAE dissident Ahmed Mansoor exploited what were three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked webpages led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.

Eight months later, researchers from Lookout and Google retrieved a Pegasus version for Android.

In 2019, Google’s Project Zero exploit research team found NSO exploiting zero-day vulnerabilities that gave full control of fully patched Android devices. Days later, Amnesty International and Citizen Lab disclosed that the mobile phones of two prominent human rights activists were repeatedly targeted with Pegasus. That same month, Facebook sued NSO over attacks that allegedly used clickless exploits to compromise WhatsApp users’ phones.

Last December, Citizen Lab said a clickless attack developed by NSO exploited what had been a zero-day vulnerability in Apple’s iMessage to target 36 journalists.

The exploits that NSO and similar firms sell are extremely complex, costly to develop, and even more expensive to purchase. Smartphone users are unlikely to ever be on the receiving end of one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in this latter category should seek guidance from security experts on how to secure their devices.
