Zero-click iMessage exploit used to hack journalists
Security researchers have uncovered a surveillance campaign aimed at journalists in the Middle East, claiming that a zero-click iMessage exploit was used to hack their iPhones.
The attack on Al Jazeera
Analysts at Citizen Lab, an interdisciplinary research group based out of the University of Toronto, say that 36 employees of the Qatar-based Al Jazeera news agency were targeted. The victims of the attack included reporters, anchors, producers, and executives.
The researchers say that the hack was accomplished using Pegasus spyware, a commercial spyware tool produced by the Israeli cybersecurity firm NSO Group. The infection vector for the spyware was a so-called zero-click exploit of a previously unknown iMessage vulnerability. Zero-click exploits are relatively rare — and dangerous — because they don’t require any user interaction in order to succeed.
Who was behind the hack?
In their report, Citizen Lab says that they have identified at least four distinct groups of servers involved in monitoring the compromised iPhones, and that they are fairly confident that two of them were controlled by the governments of Saudi Arabia and the United Arab Emirates. This makes sense in terms of motives, since Al Jazeera is often critical of regional powers in the Mideast, and their reporting has drawn the ire of both Saudi Arabia and the UAE in the past.
NSO Group maintains that their spyware is only sold to governments and law enforcement agencies for use in legitimate criminal and counterterrorism investigations, and that they have no control over which specific individuals their clients target.
However, human rights advocates point out that their spyware frequently seems to end up in the hands of autocratic regimes, and has already been implicated in attacks on journalists, dissidents, and pro-democracy groups in multiple countries.
Big Tech seems to agree: In a recent joint court filing, Microsoft, Google, and Cisco call NSO Group’s spyware “dangerous”, and urge government officials to hold the firm to account using U.S. anti-hacking laws.
Is my iPhone safe?
If you’ve already updated to iOS 14, you should be OK: the new OS contains features that, according to the researchers at Citizen Lab, break the zero-click exploit used in the Al Jazeera attack.
If you’re using iOS 13 or earlier, you may be at risk. While most users are unlikely to be targeted by nation states using commercial-grade spyware, it’s important to remember that the iMessage vulnerability used by NSO Group is potentially exploitable by others as well. If you haven’t yet updated to iOS 14, you should do this now if possible (and given the new privacy features of iOS 14, you may want to do so for other reasons as well!).
To find out more about NSO Group’s activities, have a listen to Checklist 138 (segment two), where we talk about their involvement in a WhatsApp compromise, as well as Checklist 171 (segment one), where we discuss their alleged role in the hack of Amazon CEO Jeff Bezos.
For more perspective on the issue of government spying and monitoring, check out our exclusive interview with Karen Gullo of Electronic Frontier Foundation.