Promotional image of iPhone.

Three dozen journalists had their iPhones hacked in July and August using what at the time was an iMessage zero-day exploit that didn’t require the victims to take any action to be infected, researchers said.

The exploit and the payload it installed were developed and sold by NSO Group, according to a report published Sunday by Citizen Lab, a group at the University of Toronto that researches and exposes hacks on dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire over the past few years for selling its products to groups and governments with poor human rights records. NSO has disputed some of the conclusions in the Citizen Lab report.

The attacks infected the targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking pictures, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers weren’t aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.

More successful, more covert

Over the past few years, NSO exploits have increasingly required no user interaction—such as visiting a malicious website or installing a malicious app—to work. One reason these so-called zero-click attacks are effective is that they have a much higher chance of success, since they can strike targets even when victims have considerable training in preventing such attacks.

In 2019, Facebook alleges, attackers exploited a vulnerability in the company’s WhatsApp messenger to target 1,400 iPhones and Android devices with Pegasus. Both Facebook and outside researchers said the exploit worked simply by calling a targeted device. The user need not have answered the device, and once it was infected, the attackers could clear any logs showing that a call attempt had been made.

Another key benefit of zero-click exploits is that they’re much harder for researchers to track afterward.

“The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance,” Citizen Lab researchers Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis, and Ron Deibert wrote. “Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators.”

Elsewhere in the report, the authors wrote:

More recently, NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces. The 2019 WhatsApp breach, where at least 1,400 phones were targeted via an exploit sent through a missed voice call, is one example of such a shift. Fortunately, in this case, WhatsApp notified targets. However, it is more challenging for researchers to track these zero-click attacks because targets may not notice anything suspicious on their phone. Even if they do observe something like “weird” call behavior, the event may be transient and not leave any traces on the device.

The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected. Nevertheless, we continue to develop new technical means to track surveillance abuses, such as new techniques of network and device analysis.

Citizen Lab said it has concluded with medium confidence that some of the attacks it uncovered were backed by the government of the United Arab Emirates and other attacks by the government of Saudi Arabia. The researchers said they suspect the 36 victims they identified—including 35 journalists, producers, anchors, and executives at Al-Jazeera and one journalist at Al Araby TV—are only a small fraction of people targeted in the campaign.

NSO responds

In a statement, an NSO spokesperson wrote:

This memo is based, once again, on speculation and lacks any evidence supporting a connection to NSO. Instead it relies on assumptions made solely to fit Citizen Lab’s agenda.

NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, and as stated in the past we do not operate them.
However, when we receive credible evidence of misuse with enough information which can enable us to assess such credibility, we take all necessary steps in accordance with our investigation procedure in order to review the allegations.

Unlike Citizen Lab, which only has ‘medium confidence’ in their own work, we KNOW our technology has saved the lives of innocent people around the world.

We question whether Citizen Lab understands that by pursuing this agenda, they are providing irresponsible corporate actors as well as terrorists, pedophiles, and drug cartel bosses with a playbook for how to avoid law enforcement.

NSO, meanwhile, will continue to work tirelessly to make the world a safer place.

As noted earlier, zero-click zero-days are difficult if not impossible to prevent even by users with extensive security training. As potent as these exploits are, their high cost and difficulty in procuring them means that they’re used against only a small population of people. That means the vast majority of mobile device users are unlikely to ever be targeted by these types of attacks.

In a statement, Apple representatives wrote, “At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation-states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data.”

An Apple spokesman said the company has not been able to independently verify the Citizen Lab findings.

Researchers have yet to determine the precise iOS vulnerability used in these attacks, but Citizen Lab says the exploits don’t work against iOS 14, which was released in September. Anyone still using an older version should upgrade.