In a damning report, researchers from Canada-based Citizen Lab have revealed that the Pegasus spyware, developed by Israel-based NSO Group, compromised the iPhones of dozens of journalists.
For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button.
That means it would have left no visible trace of being placed on targets’ phones, could be installed by simply sending a message that the victim didn’t even need to click on, and worked even on phones that were running the then-latest version of iOS, the operating system for iPhones.
Researchers at the University of Toronto’s Citizen Lab said they discovered the alleged hacking tool, which has been dubbed “Kismet”. If Kismet can be thought of as the Trojan horse, used to bypass the security of an iPhone, then the soldiers inside are another piece of software sold by the NSO Group, called Pegasus, and it is frighteningly powerful, according to claims by Citizen Lab.
“We believe that (at a minimum) this version of the Pegasus spyware had the capability to track location, access passwords and stored credentials on the phone, record audio from the microphone including both ambient ‘hot mic’ recording and audio of encrypted phone calls, and take pictures via the phone’s camera.”
Citizen Lab said that it had found 37 known examples of Kismet being used by NSO clients against journalists covering news in and around the Middle East.
But, the researchers said, “given the global reach of NSO Group’s customer base, the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks used with this exploit”.
In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.
The new Citizen Lab report further stated that the 36 journalists were hacked by four Pegasus operators, “including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates”.
Infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.
The researchers have shared the findings with Apple, and the company is looking into the issue.
In a statement, an Apple spokesperson said: “At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data.”
Apple has sought to make privacy and security major selling points for its devices. The company prides itself on not harvesting user data for commercial purposes, and makes a point of noting that there has never been any widespread malware in the history of the iPhone. As far back as 2014, the Apple CEO, Tim Cook, was attacking Google’s Android on stage at his company’s worldwide developers’ conference by noting that the platform “dominates” the mobile malware market, calling it a “toxic hellstew of vulnerabilities”.
But in recent years, the gap between Apple and its competitors has closed. And as more security researchers have focused on mobile devices, embarrassing vulnerabilities have been discovered.
For its part, an NSO Group spokesperson has been quoted as saying: “This is the first we are hearing of these assertions. As we have repeatedly stated, we do not have access to any information related to the identities of individuals upon whom our system is alleged to have been used to conduct surveillances”.
Counting the 36 cases revealed in the new report, there are now at least 50 publicly known cases of journalists and others in media targeted with NSO spyware, with attacks observed as recently as August 2020.
The NSO Group is currently embroiled in a legal battle with Facebook, which last year accused the Israeli spyware maker of using Pegasus in WhatsApp to infect some 1,400 people, mostly celebrities.
Facebook has submitted detailed proof in court about the Israeli company and its alleged hacking of at least 1,400 WhatsApp users last year via its controversial surveillance software Pegasus.