Spyware researchers have captured what they say is a new exploit from NSO Group’s Pegasus surveillance tool targeting iPhones and other Apple devices through iMessage, in yet another sign that chat apps have become a popular way to hack into the devices of political dissidents and human rights activists.
Apple issued a patch Monday to close the exploit discovered by researchers at Citizen Lab who said they found the hack in the iPhone records of a Saudi political activist and alerted the company to the problem.
This is the first time since 2019 that the malicious code used in a Pegasus hack has been discovered by researchers. It offers new insights into the techniques of the company, highlighted in July by the Pegasus Project, a multipart global investigation by The Washington Post and 16 other news organizations.
The researchers declined to name the Saudi activist who was targeted, at the person’s request. They also did not reveal which NSO governmental client they believe deployed Pegasus against this person. They did say that the hacking technique used, which they called FORCEDENTRY, has been active since at least February and can invade Apple iPhones, MacBooks and Apple Watches secretly in what is called a “zero-click attack” — something of a specialty for NSO, which is based in Israel.
The “zero click” capability of Pegasus allows the spyware to install itself on a phone without the owner doing anything, such as clicking a link. The spyware can then turn the phone into a spy device, recording from its cameras and microphones and sending location data, messages, call logs and emails back to NSO’s client.
“We wouldn’t have discovered this exploit if NSO’s tool wasn’t used against somebody they shouldn’t be targeting,” said John Scott-Railton, a researcher for Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs and Public Policy.
He added, “Chat programs are quickly becoming a soft underbelly of device security.”
In a software update Monday, Apple issued a patch aimed at the Pegasus exploit but did not mention NSO Group. Apple, in a post describing the exploit, said: “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
In an emailed statement, Ivan Krstić, head of Apple security engineering and architecture, thanked Citizen Lab for “successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix,” the statement said. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
NSO Group says it licenses its Pegasus spyware tool to dozens of government agencies and police forces around the world to investigate major crimes. But the Pegasus Project investigation and earlier reports by Citizen Lab and Amnesty International found that the tool had also been used to target political dissidents, business leaders, journalists and human rights activists.
NSO Group declined to respond in detail to the Citizen Lab report, saying only in a statement Monday that it “will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
The company has said previously that it investigates when it learns the spyware has been used in a way that violates the company’s contract and that it has canceled client contracts in cases of confirmed Pegasus abuse.
As part of the Pegasus Project, Amnesty International’s Security Lab, a technical partner of the investigation, examined 67 phones whose numbers appeared on a list to which Amnesty and a French journalism nonprofit, Forbidden Stories, had gained access. Of those, 37 showed signs of a successful Pegasus infection or an intrusion attempt.
Since publication, Amnesty’s Security Lab has confirmed infections or traces of Pegasus spyware on 15 additional phones, including a phone belonging to British human rights activist David Haigh. At least 10 of those phones were found on the Forbidden Stories list.
The investigation’s discovery of successful Pegasus hacks of iPhones, including some that were recent models with the latest software updates, raised questions about whether the security of Apple’s mobile devices lives up to their reputation as safer and more private than rivals’ — a theme for years of Apple’s marketing.
The encrypted chat app iMessage was a particularly popular entry point for the intrusions; iMessage played a role in 13 of the 23 successful infiltrations detailed in the Pegasus Project investigation.
Though the exploit revealed Monday uses iMessage, it is unclear whether it is the same one used on targets identified by the Pegasus Project. Companies such as NSO Group often have new exploits ready to go as soon as one is discovered and stopped by Apple — a constant game of whack-a-mole in which hackers have the edge.
Monday’s findings by Citizen Lab could renew pressure on NSO Group and Israel, which approves Pegasus export licenses. Israel’s foreign minister, Yair Lapid, said earlier this month the government would review NSO’s work to ensure “nobody is misusing anything that we sell.”
A top adviser to President Biden discussed the spyware during a July meeting with a senior official with Israel’s Defense Ministry, and members of Congress have called on the White House to push forward on regulations, sanctions and other investigations designed to address the spyware’s misuse.