iPhones vulnerable to hacking tool for months, researchers say

Analysis: NSO Group’s Pegasus spyware could allegedly track locations and access passwords

For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button.

That means it would have left no visible trace of being placed on targets’ phones, could be installed by simply sending a message that the victim didn’t even need to click on, and worked even on phones that were running the then-latest version of iOS, the operating system for iPhones.

Researchers at the University of Toronto’s Citizen Lab said they discovered the alleged hacking tool, which has been dubbed “Kismet”. If Kismet can be thought of as the Trojan horse, used to bypass the security of an iPhone, then the soldiers inside are another piece of software sold by the NSO Group, called Pegasus, and it is frighteningly powerful, according to claims by Citizen Lab.

“We believe that (at a minimum) this version of the Pegasus spyware had the capability to track location, access passwords and stored credentials on the phone, record audio from the microphone including both ambient ‘hot mic’ recording and audio of encrypted phone calls, and take pictures via the phone’s camera.”

Citizen Lab said that it had found 37 known examples of Kismet being used by NSO clients against journalists covering news in and around the Middle East. But, the researchers said, “given the global reach of NSO Group’s customer base, the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks used with this exploit”.

In a statement, an Apple spokesperson said: “At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data.”

Although the first alleged attacks using Kismet were this summer, Citizen Lab claimed that logs from compromised phones suggested the same technique, or a related zero-click zero-day exploit, was used as far back as October 2019.

Citizen Lab’s allegations, which Apple said it had been unable to independently verify, suggest the discovery of the most serious hacking effort targeting iOS users since an unrelated widespread campaign was shut down in February 2019.

That campaign, discovered by Google engineers and disclosed last August, used a security flaw in how iPhones visit websites to steal private data like iMessages, photos and GPS location in real time. In a public statement, Apple sought to downplay that attack by noting that it “affected fewer than a dozen websites that focus on content related to the Uighur community”. The company made a similar point about Kismet, noting that the NSO Group’s customers are nation states, and its targets are a limited number of individuals.

Apple has sought to make privacy and security major selling points for its devices. The company prides itself on not harvesting user data for commercial purposes, and makes a point of noting that there has never been any widespread malware in the history of the iPhone. As far back as 2014, the Apple CEO, Tim Cook, was attacking Google’s Android on stage at his company’s worldwide developers’ conference by noting that the platform “dominates” the mobile malware market, calling it a “toxic hellstew of vulnerabilities”.

But in recent years, the gap between Apple and its competitors has closed. And as more security researchers have focused on mobile devices, embarrassing vulnerabilities have been discovered.

Earlier this month, another Google researcher, Ian Beer, disclosed a ferocious “zero-click zero-day” iOS vulnerability that allowed him to take total control of an iPhone simply by being in wifi range of the device. That flaw was fixed by Apple in iOS 13.5.

NSO Group said its products are for tackling “serious organised crime and counter-terrorism” and any evidence of a serious breach of its policies would be investigated. It added: “As we have repeatedly stated, we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on.”

Contributor

Alex Hern

The GuardianTramp
