By Scott Hamilton
Senior Expert Emerging Technologies
Researchers at one of the top computer and network security labs discovered a vulnerability in Apple's iPhone operating system, and Apple issued a patch for it last week. The lab, the University of Toronto's Citizen Lab, claims the vulnerability was used to plant spyware on a Saudi activist's iPhone, and it reported that Israel's NSO Group was behind the attack. This is a story with multiple sides, and I will attempt to give a view into all of them. As with most computer security issues, the parties involved are the customer, the hardware vendor, the software vendor and one more party. In this case the parties involved were the Saudi activist, Apple, NSO Group, Citizen Lab and the Israeli government.
The Saudi activist was the first victim in the saga. He was targeted by the Israeli government in order to gather information on his organization. However, it went a little further than impacting just that one victim. The Israeli government hired NSO Group, an infamous hacker-for-hire firm, to develop a hack that would allow it to spy on several iPhone users. Researchers at Citizen Lab heard about the notorious hack of the activist's device and went to work to figure out how it was carried out.
Over a period of about six months, Citizen Lab searched for open security holes in Apple's iOS software and found the gaping hole that allowed the spyware to access the device. It turned out to be a much bigger issue than originally anticipated. Most spyware is installed on a device inadvertently by the user: it typically arrives as a fake email from Apple with a “patch” attached, and the attachment contains the spyware. This time the hack was carried out in a much different manner.
The vulnerability discovered by Citizen Lab affected all major Apple devices (iPhones, Macs and Apple Watches), but that is not the worst part. It was the first time a “zero-click” exploit, one that requires no action at all from the victim, had been successfully caught in the wild and analyzed. The unnamed activist reached out to Citizen Lab, and on September 7, 2021, they found the exploit on his device. Citizen Lab immediately contacted Apple, not only explaining how the attack was carried out but also providing a method to prevent future attacks and clean up already-exploited devices. Apple rolled out a patch for the vulnerability on September 14, 2021.
NSO Group, the attacker in this case, was asked for comment regarding the hacks and openly admitted that the vulnerability was used exclusively to “fight terror and crime.” Citizen Lab had found evidence of the attack being used against al-Jazeera journalists and other targets as well, but had never before managed to capture the code for the zero-click attack.
Most security experts agree that average iPhone, iPad and Mac users are generally safe from such attacks, mainly because the attacks are expensive to develop and are usually designed to target a specific group. In this particular case the iPhone received an instant message via the iMessage app, which delivered the malicious payload to the device and allowed NSO's Pegasus spyware to be installed. Pegasus opens a phone to eavesdropping and remote data theft. The device appears to have been originally infected in March 2021. NSO Group claims that, by contract, its software is used only against specified individuals, but finding the code in the wild proved otherwise. It has become clear, at least to Citizen Lab, that NSO Group is allowing its spyware to be used against ordinary civilians.
Apple issued a security update stating that “maliciously crafted” PDF files could lead to a hacked device and that, based on the research of Citizen Lab, it was aware the issue may have been exploited. Apple declined to comment on whether this was the first patch for a zero-click vulnerability.
This discovery undermines NSO Group's claims that it only sells its spyware to law enforcement officials for use against criminals and terrorists and that it audits its customers to avoid abuse. “If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,” said Bill Marczak, a researcher at Citizen Lab.
Until next week, stay safe and learn something new.
Scott Hamilton is a Senior Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to firstname.lastname@example.org or through his website at https://www.techshepherd.org.