It appears that 36 Al Jazeera journalists reportedly had their personal iPhones hacked using spyware created by NSO Group, a sketchy Israeli security firm. The terrifying thing is the zero-day, zero-click exploit, which abuses a vulnerability in iMessage, went undetected for about a year — and likely originated from Saudi Arabia and the United Arab Emirates.
The news comes via a disturbing report from the University of Toronto’s Citizen Lab. The lengthy report dives deep into the background of NSO Group, which is known for selling surveillance tech to governments. You might remember the group from its link to a massive WhatsApp breach in 2019, which infected more than 1,400 phones with malware. (Facebook is currently suing NSO Group over that particular incident.) NSO Group is also reportedly being investigated by the FBI.
In this case, the phones were hacked using a program called KISMET, which utilised NSO Group’s Pegasus software, as well as an “invisible zero-click exploit in iMessage.” KISMET was a zero-day, zero-click exploit, which means that Apple wasn’t aware that it existed and the journalists didn’t have to click anything — a bad link, for example — to have their phones infected. According to the report, the hack was effective against the iPhone 11, as well as iOS 13.5.1.
“Since at least 2016, spyware vendors appear to have successfully deployed zero-click exploits against iPhone targets at a global scale,” the Citizen Lab report reads. “Several of these attempts have been reported to be through Apple’s iMessage app, which is installed by default on every iPhone, Mac, and iPad.”
In total, Citizen Lab identified 36 Al Jazeera journalists who had their phones hacked by four NSO Group operators. The group said it concluded that at least two of the operators were acting on the behalf of Saudi Arabia and the United Arab Emirates. While most of the journalists requested anonymity, two allowed their names to be published in the report. Tamer Almisshal, an investigative journalist for Al Jazeera, hosts a show that deals with politically contentious topics and initially contacted Citizen Lab when he began to suspect his phone had been compromised. Meanwhile, Rania Dridi is a London-based journalist with Al Araby, and told the Guardian that she believes she may have been targeted because she speaks about sensitive topics on her show, including women’s rights, and is a “close personal associate” with “an outspoken critic of the Saudi and UAE governments.” For context, neither Saudi Arabia nor the UAE is a big fan of the Al Jazeera network. In 2017, both countries (along with Bahrain and Egypt) demanded that Qatar shut down the network in exchange for lifting sanctions against the country.
In statements provided to the Guardian and Business Insider, NSO Group claimed that its software helps governments to “tackle serious organised crime and counterterrorism only” and that it does not operate such programs. Meanwhile, Citizen Lab says it reported its findings to Apple. For its part, Apple also told both Engadget and Business Insider that while it couldn’t verify Citizen Lab’s report, this particular attack was “highly targeted by nation-states against individuals” and urged customers to stay current and download the latest iOS software.
Given that zero-day, zero-click exploits are hard to detect and the fact that it appears nearly all iPhones prior to iOS 14 were vulnerable to the hack, Citizen Labs notes that it’s possible that this only a mere fraction of total cases involving this exploit. Thankfully, Citizen Labs says it doesn’t appear that the KISMET exploit works in iOS 14, due to stronger security features.
If you haven’t already updated your iPhone to iOS 14, you should get on it. Just because the average consumer may not have attracted the ire of a foreign nation-state, doesn’t mean other bad actors aren’t keen on using the same exploit. In general, it’s good security hygiene to keep your software current — even if it sometimes borks your favourite programs, or if you simply hate iOS 14’s widgets. Don’t be a dummy — update your phone.