“Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones

Smartphones belonging to more than three dozen journalists, human rights activists, and business executives have been infected with powerful spyware that an Israeli firm sells, purportedly to catch terrorists and criminals, The Washington Post and other publications reported.

The handsets were infected with Pegasus, full-featured spyware developed by NSO Group. The Israel-based exploit seller has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico, and other countries have been found using the malware against journalists, activists, and other groups not affiliated with terrorism or crime.

Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target’s iPhone or Android device, Pegasus immediately trawls through a wealth of the device’s resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps.

iPhone 12 running iOS 14.6 felled

According to research jointly done by 17 news organizations, Pegasus infected 37 phones belonging to people who don’t meet the criteria NSO says is required for its powerful spyware to be used. Victims included journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi, according to The Washington Post. Technical analysis from Amnesty International and the University of Toronto’s Citizen Lab confirmed the infections.

“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” Amnesty International researchers wrote. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”

All 37 infected devices were included in a list of more than 50,000 phone numbers. It remains unknown who put the numbers on it, why they did so, and how many of the phones were actually targeted or surveilled. A forensic analysis of the 37 phones, however, often shows a tight correlation between time stamps associated with a number on the list and the time surveillance began on the corresponding phone, in some cases as brief as a few seconds.

Amnesty International and a Paris-based journalism nonprofit called Forbidden Stories had access to the list and shared it with the news organizations, which went on to do further research and analysis.

Reporters identified more than 1,000 people in more than 50 countries whose numbers were included on the list. Victims included Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list. The Guardian, meanwhile, said 15,000 politicians, journalists, judges, activists, and teachers in Mexico appear on the leaked list.

As detailed here, hundreds of journalists, activists, academics, lawyers, and even world leaders appear to have been targeted. Journalists on the list worked for leading news organizations, including CNN, the Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.

“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals,” Sunday’s Washington Post said. “The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”

NSO pushes back

NSO officials are pushing back hard on the research. In a statement, they wrote:

The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the “unidentified sources” have supplied information that has no factual basis and [is] far from reality.

After checking their claims, we firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.

NSO Group has a good reason to believe the claims that are made by the unnamed sources to Forbidden Stories are based on [a] misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.

The claims that the data was leaked from our servers is a complete lie and ridiculous, since such data never existed on any of our servers.

In its own statement, Apple officials wrote:

Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.

Repeat offender

This is by no means the first time that NSO has come under international criticism when its Pegasus spyware was found targeting journalists, dissidents, and others with no clear ties to crime or terrorism. The NSO spyware came to light in 2016 when Citizen Lab and security firm Lookout found it targeting a political dissident in the United Arab Emirates.

Researchers at the time determined that text messages sent to UAE dissident Ahmed Mansoor exploited what were three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked webpages led to a chain of exploits that would have jailbroken his iPhone and installed the Pegasus spyware.

Eight months later, researchers from Lookout and Google retrieved a Pegasus version for Android.

In 2019, Google’s Project Zero exploit research team found NSO exploiting zero-day vulnerabilities that gave full control of fully patched Android devices. Days later, Amnesty International and Citizen Lab disclosed that the mobile phones of two prominent human rights activists were repeatedly targeted with Pegasus. That same month, Facebook sued NSO, allegedly for attacks that used clickless exploits to compromise WhatsApp users’ phones.

Last December, Citizen Lab said a clickless attack developed by NSO exploited what had been a zero-day vulnerability in Apple’s iMessage to target 36 journalists.

The exploits that NSO and similar firms sell are extremely complex, costly to develop, and even more expensive to purchase. Smartphone users are unlikely to ever be on the receiving end of one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in this latter category should seek guidance from security experts on how to secure their devices.