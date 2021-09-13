Apple issued a patch Monday to close the vulnerability behind an exploit discovered by researchers at Citizen Lab, who said they found traces of the hack on the iPhone of a Saudi political activist and alerted the company to the problem.
This is the first time since 2019 that the malicious code used in a Pegasus hack has been discovered by researchers. It offers new insights into the techniques of the company, highlighted in July by the Pegasus Project, a multipart global investigation by The Washington Post and 16 other news organizations.
The researchers declined to name the Saudi activist who was targeted, at the person’s request. They also did not reveal which NSO governmental client they believe deployed Pegasus against this person. They did say that the hacking technique used, which they called FORCEDENTRY, has been active since at least February and can invade Apple iPhones, MacBooks and Apple Watches secretly in what is called a “zero-click attack” — something of a specialty for NSO, which is based in Israel.
The “zero click” capability of Pegasus allows the spyware to install itself on a phone without the owner doing anything, such as clicking a link. The spyware can then turn the phone into a spy device, recording from its cameras and microphones and sending location data, messages, call logs and emails back to NSO’s client.
“We wouldn’t have discovered this exploit if NSO’s tool wasn’t used against somebody they shouldn’t be targeting,” said John Scott-Railton, a researcher for Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs and Public Policy.
He added, “Chat programs are quickly becoming a soft underbelly of device security.”
Apple declined to comment. In a software update Monday, Apple issued a patch aimed at the Pegasus exploit but did not mention NSO Group. In the security advisory accompanying the update, Apple said: “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
NSO Group says it licenses its Pegasus spyware tool to dozens of government agencies and police forces around the world to investigate major crimes. But the Pegasus Project investigation and earlier reports by Citizen Lab and Amnesty International found that the tool had also been used to target political dissidents, business leaders, journalists and human rights activists.
NSO Group declined to respond in detail to the Citizen Lab report, saying only in a statement Monday that it “will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
The company has said previously that it investigates when it learns the spyware has been used in a way that violates the company’s contract and that it has canceled client contracts in cases of confirmed Pegasus abuse.
As part of the Pegasus Project, forensic analyses revealed that 67 phones had shown signs of a successful Pegasus infection or intrusion attempt. Amnesty International’s Security Lab, a technical partner of the investigation, said last week that it had confirmed infections or traces of Pegasus spyware in 15 additional phones since the articles were first published in July, including a phone belonging to British human rights activist David Haigh.
The investigation’s discovery of successful Pegasus hacks of iPhones, including some that were recent models running the latest software updates, raised questions about whether the security of Apple’s mobile devices lives up to their reputation as safer and more private than rivals’ — a theme of Apple’s marketing for years. The encrypted chat app iMessage is a particularly popular entry point for sophisticated hacking tools such as the ones deployed by NSO Group, because it accepts and automatically parses rich content from any sender before the user sees it; iMessage played a role in 13 of the 23 successful infiltrations detailed in the Pegasus Project investigation.
Ivan Krstic, head of Apple security engineering and architecture, denounced Pegasus in an emailed statement to The Post in July: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place.”
Though the exploit revealed Monday uses iMessage, it is unclear whether it is the same one used on targets identified by the Pegasus Project. Companies such as NSO Group often have new exploits ready to go as soon as one is discovered and stopped by Apple — a constant game of whack-a-mole in which hackers have the edge.
Forbidden Stories, a Paris-based journalism nonprofit group, and Amnesty International, a human rights group, helped coordinate the Pegasus Project and run forensic analyses on smartphones.
Monday’s findings by Citizen Lab could renew pressure on NSO Group and Israel, which approves Pegasus export licenses. Israel’s foreign minister, Yair Lapid, said earlier this month the government would review NSO’s work to ensure “nobody is misusing anything that we sell.”
A top adviser to President Biden discussed the spyware during a July meeting with a senior official with Israel’s Defense Ministry, and members of Congress have called on the White House to push forward on regulations, sanctions and other investigations designed to address the spyware’s misuse.