Israeli Firm’s “No-Click” Exploits Hacked Activists’ Fully Updated iPhones



Smartphones belonging to more than three dozen journalists, human rights activists and business executives have been infected with powerful spyware sold by an Israeli company, allegedly to catch terrorists and criminals, The Washington Post and other publications reported.

The phones were infected with Pegasus, a full-featured spyware developed by the NSO Group. The Israel-based exploit vendor has come under intense scrutiny in recent years after repressive governments in the United Arab Emirates, Mexico and other countries were found to be using the malware against journalists, activists and other groups not affiliated with terrorism or crime.

Pegasus is frequently installed via “zero-click” exploits, such as those sent by text messages, that do not require interaction from victims. After exploits surreptitiously jailbreak or root a target’s iPhone or Android device, Pegasus immediately scans a large amount of the device’s resources. It copies call histories, text messages, calendar entries and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps.

iPhone 12 running iOS 14.6 compromised

According to an investigation jointly conducted by 17 news organizations, Pegasus infected 37 phones belonging to people who do not meet the criteria that NSO says are required for its powerful spyware to be used. Among the victims were journalists, human rights activists, business executives and two women close to the murdered Saudi journalist Jamal Khashoggi, according to The Washington Post. Technical analysis by Amnesty International and the University of Toronto's Citizen Lab confirmed the infections.

“The Pegasus attacks detailed in this report and the accompanying annexes are from 2014 to July 2021,” Amnesty International researchers wrote. “These also include so-called ‘zero click’ attacks that do not require any interaction from the target. Zero click attacks have been observed since May 2018 and continue until now. More recently, a successful ‘zero click’ attack has been observed exploiting multiple zero days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.”

The 37 infected devices were included in a list of more than 50,000 phone numbers. It is unknown who put the numbers on the list, why they did so and how many of the phones were actually attacked or surveilled. However, a forensic analysis of all 37 phones often shows a close correlation between the timestamps associated with a number on the list and the time surveillance of the corresponding phone began, in some cases as short as a few seconds.

Amnesty International and a Paris-based non-profit journalistic organization called Forbidden Stories had access to the list and shared it with news organizations, which went on to investigate and analyze it further.

Reporters identified more than 1,000 people in more than 50 countries whose numbers were included on the list. The victims included Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials, including cabinet ministers, diplomats, and military and security officials. The numbers of various heads of state and prime ministers also appeared on the list. The Guardian, meanwhile, said that 15,000 politicians, journalists, judges, activists and teachers in Mexico appear on the leaked list.

As detailed here, hundreds of journalists, activists, academics, lawyers and even world leaders appear to have been targeted. The journalists on the list worked for major news organizations, including CNN, Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, Le Monde in France, Financial Times in London, and Al Jazeera in Qatar.

“The target of the 37 smartphones would appear to conflict with the stated purpose of the Pegasus spyware NSO license, which the company says is intended only to target terrorists and top criminals,” the Washington Post said Sunday. “The evidence gleaned from these smartphones, revealed here for the first time, calls into question the promises of the Israeli company to monitor its customers for human rights abuses.”

NSO pushes back

NSO officials are pushing back hard on the investigation. In a statement, they wrote:

The Forbidden Stories report is full of flawed assumptions and unsubstantiated theories that raise serious questions about the reliability and interests of the sources. It appears that the “unidentified sources” have provided information that has no factual basis and [is] far from reality.

After verifying their claims, we strongly deny the false allegations made in their report. Their sources have provided them with information that has no factual basis, as evidenced by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality that NSO is considering a libel lawsuit.

NSO Group has good reason to believe that claims made by anonymous sources to Forbidden Stories are based on [a] misleading data interpretation of accessible and open basic information, such as HLR search services, that have no relation to the Pegasus customer target list or any other NSO product. Such services are openly available to anyone, anywhere, at any time and are commonly used by government agencies for numerous purposes, as well as private companies around the world.

The claims that data was leaked from our servers is a complete lie and ridiculous, as such data never existed on any of our servers.

In their own statement, Apple officials wrote:

Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For more than a decade, Apple has led the industry in security innovation, and as a result, security researchers agree that the iPhone is the most secure consumer mobile device on the market. Attacks such as those described are highly sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals. While that means they are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers and are constantly adding new protections for their devices and data.

Recidivist

This is not the first time that NSO has come under international criticism when its Pegasus spyware was found to target journalists, dissidents and others with no clear links to crime or terrorism. NSO spyware came to light in 2016 when Citizen Lab and security firm Lookout found it targeting a political dissident in the United Arab Emirates.

Investigators at the time determined that text messages sent to UAE dissident Ahmed Mansoor exploited what were three iPhone zero-day vulnerabilities to install Pegasus on his device. Mansoor forwarded the messages to Citizen Lab researchers, who determined that the linked web pages led to a string of exploits that would have jailbroken his iPhone and installed Pegasus spyware.

Eight months later, Lookout and Google researchers recovered an Android version of Pegasus.

In 2019, Google’s Project Zero exploit research team found that NSO exploited zero-day vulnerabilities that provided full control of fully patched Android devices. Days later, Amnesty International and Citizen Lab revealed that the mobile phones of two prominent human rights activists were repeatedly attacked by Pegasus. That same month, Facebook sued NSO, allegedly over attacks that used clickless exploits to compromise the phones of WhatsApp users.

Last December, Citizen Lab said that a no-click attack developed by NSO exploited what had been a zero-day vulnerability in Apple’s iMessage to target 36 journalists.

The exploits that NSO and similar companies sell are extremely complex, expensive to develop, and even more expensive to buy. Smartphone users are unlikely to be on the receiving end of one of these attacks unless they are in the crosshairs of a wealthy government or law enforcement agency. People in the latter category should seek guidance from security experts on how to protect their devices.


arstechnica.com
