Security researchers at Citizen Lab have discovered an exploit that they believe has been used by government clients of NSO Group, the Israeli spyware company, to silently hack into iPhones and other Apple devices since February 2021.
The discovery, which was made as the researchers were examining the mobile phone of a Saudi activist, was shared with Apple, which on Monday released a patch to fix the vulnerability.
Researchers said the speed with which Apple was seeking to fix the vulnerability to its operating system, which in effect has allowed the latest iPhones and operating systems to be vulnerable to attack by NSO Group’s government clients, underscored the “absolute seriousness” of their findings.
“Today is going to be a rough day at NSO because the lights are going to go out on one of their most productive exploits,” said John Scott-Railton, a senior Citizen Lab researcher.
When it is successfully deployed against a target, NSO Group’s spyware, called Pegasus, can silently hack into a phone, collect a user’s personal and private information, intercept calls and messages, and even turn a mobile phone into a remote listening device.
NSO Group has said that its spyware is only meant to be used by licensed law enforcement agencies to target criminals and terrorists. But investigations – including the recent publication of the Pegasus Project by the Guardian and other outlets – have revealed ways in which the spyware has been used by government clients to target journalists and human rights activists around the world.
Asked for comment, NSO Group issued a statement saying: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.
“We believe that the bug is distinctive enough to point back to NSO,” Citizen Lab said in a blog post.
The researchers also found that the spyware, which they have called FORCEDENTRY, used multiple process names – identifying features of the malware code – including one that was used in a previous attack that used NSO Group spyware on an Al Jazeera journalist in July 2020.
NSO Group has said it cannot reveal the identity of its clients. But the Guardian has previously reported that NSO Group dropped Saudi Arabia as a client in the wake of Citizen Lab’s report that the kingdom was the likely culprit behind dozens of attacks against Al Jazeera journalists in 2020.
The development marks more bad news for Apple. Forensic examinations of mobile phones conducted both by Citizen Lab and Amnesty International’s security lab have found that even the most up to date iPhones, using the most up to date operating system, have been vulnerable to attacks by Pegasus.
Ivan Krstić, head of Apple security engineering and architecture, said in a statement to the Guardian: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
He added: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Citizen Lab said in its statement that the company was releasing a fix for the exploit on Monday, and urged all Apple users to update devices as soon as possible, including all Apple devices that use iOS versions prior to 14.8.
The exploit discovered by Citizen Lab is known as a “zero-day” vulnerability, which allows users of the spyware to infect a phone without the user having any idea that their mobile phones have been hacked. In this case, the FORCEDENTRY exploit used a weakness in Apple’s iMessage function to silently send corrupt files to a phone that appeared to be GIF extensions, but were actually Adobe PDF files containing malicious code.
“Our latest discovery of yet another Apple zero-day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” researchers said.
Bill Marczak, who first discovered the exploit at Citizen Lab, said the findings also highlighted the importance of securing popular messaging apps, which were increasingly being used as a target by sophisticated threat actors.
“As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited,” Citizen Lab said.