Zero-Click on-iMessage-Zero-Day to hack the iPhones of 36 journalists


Three dozen journalists hacked their iPhones in July and August using a zero-day iMessage exploit that did not require victims to take any action to become infected.

The exploit and installed payload were developed and sold by the NSO Group. This emerges from a report released on Sunday by Citizen Lab, a group at the University of Toronto that investigates dissidents and journalists and uncovered hacks. NSO is a maker of offensive hacking tools that have come under fire in recent years for selling their products to groups and governments with poor human rights records. NSO has denied some of the conclusions in the Citizen Lab report.

The attacks infected the targets' phones with Pegasus, an NSO-made implant for iOS and Android that has full functionality, including recording audio and phone calls in the area, taking pictures, and accessing passwords and saved credentials . The hacks exploited a critical vulnerability in the iMessage app that Apple researchers were not aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.

More successful, more covert

In recent years, NSO exploits have increasingly required no user interaction, e.g. B. visiting a malicious website or installing a malicious app. One reason these so-called zero-click attacks are effective is because they have a much higher chance of success because they can hit targets even if the victims have significant training in preventing such attacks.

According to Facebook, attackers exploited a vulnerability in the company's WhatsApp messenger in 2019 to target 1,400 iPhones and Android devices with Pegasus. Both Facebook and outside researchers said the exploit worked simply by visiting a target device. The user did not have to answer the device, and once it was infected, the attackers were able to delete any logs showing that a call attempt was made.

Another important benefit of zero-click exploits is that they are much more difficult for researchers to track later.


"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a wider industry-wide shift towards more sophisticated, less detectable surveillance methods," said Citizen Lab researchers Bill Marczak, John Scott-Railton, Noura Al – Jizawi, Siena Anstis and Ron Deibert wrote. "While this is a predictable technological advancement, it increases the technological challenges that both network administrators and investigators face."

Elsewhere in the report, the authors wrote:

More recently, the NSO Group is shifting towards zero-click exploits and network-based attacks that allow their government customers to break into phones with no target interaction and no visible trace. The 2019 WhatsApp breach, which saw at least 1,400 phones attacked via an exploit sent via a missed voice call, is an example of such a shift. Fortunately, WhatsApp has notified targets in this case. However, these zero-click attacks are more difficult for researchers to track as targets may not notice anything suspicious on their phone. Even if you observe something like "strange" calling behavior, the event may be temporary and leave no trace on the device.

The shift towards zero-click attacks by an industry and by customers who are already secret increases the likelihood that abuse will go undetected. Even so, we continue to develop new technical means to track surveillance abuses, such as new network and device analysis techniques.

Citizen Lab said it concluded with medium confidence that some of the attacks detected were supported by the United Arab Emirates government and other attacks by the Saudi Arabia government. The researchers suspect that the 36 victims they identified – including 35 journalists, producers, presenters and executives at Al-Jazeera and a journalist at Al Araby TV – are only a small fraction of the campaign's target audience.

NSO answers

In a statement, an NSO spokesman wrote:

This memo is again based on speculation and lacks evidence of any association with NSO. Instead, assumptions are made that are strictly consistent with the Citizen Lab agenda.

NSO provides products that only government law enforcement can use to counter serious organized crime and counterterrorism, and as stated in the past, we do not operate them.
However, when we receive credible evidence of abuse with enough information to enable us to assess that credibility, we will take whatever steps are necessary in accordance with our investigative process to review the allegations.

Unlike Citizen Lab, which has only "medium confidence" in its own work, we know that our technology has saved the lives of innocent people around the world.

We wonder if Citizen Lab understands that by pursuing this agenda they are providing a playbook on how to avoid law enforcement to irresponsible corporate actors as well as terrorists, pedophiles and drug cartel leaders.

NSO will continue to work tirelessly to make the world a safer place.

As already mentioned, zero-click zero-days are difficult or impossible to prevent, even for users with extensive security training. As powerful as these exploits are, their high cost and difficulty in obtaining them mean that they can only be used against a small population of people. This means that the vast majority of mobile device users are unlikely to ever be attacked by such attacks.


In a statement, Apple officials wrote, “At Apple, our teams work tirelessly to improve the security of our users' data and devices. iOS 14 is a big leap in security and offers new protection against such attacks. The attack described in the study was directed to a large extent against certain individuals by nation states. We always urge our customers to download the latest version of the software to protect themselves and their data. "

An Apple spokesman said the company has not been able to independently verify the Citizen Lab's results.

Researchers have yet to determine the exact iOS vulnerability used in these attacks. However, according to Citizen Lab, the exploits won't work against iOS 14, which was released in September. Anyone still using an older version should upgrade.


Steven Gregory