A suspected state-sponsored attack saw dozens of iPhones hacked by exploiting an iMessage vulnerability that remained unpatched for around a year. The attack was a so-called zero-click one because it didn’t require the victims to take any action: the hack was enabled simply by receiving a text message.

The victims of the attack were Al Jazeera journalists, and is believed to have been carried out on behalf of Saudi Arabia and the United Arab Emirates governments, using spyware developed by Israeli company NSO Group. It is suspected that these journalists are a ‘minuscule’ fraction of the iPhones hacked using this method …

The Guardian reports.

Spyware sold by an Israeli private intelligence firm was allegedly used to hack the phones of dozens of Al Jazeera journalists in an unprecedented cyber-attack that is likely to have been ordered by Saudi Arabia and the United Arab Emirates, according to leading researchers.

In a stunning new report, researchers at Citizen Lab at the University of Toronto said they discovered what appears to be a major espionage campaign against one of the world’s leading media organisations, which is based in Qatar and has long been a thorn in the side of many of the region’s autocratic regimes […]

Researchers at Citizen Lab said the apparent malicious code they discovered, which they claim is used by clients of Israel’s NSO Group, made “almost all” iPhone devices vulnerable if users were using an operating system that pre-dated Apple’s iOS 14 system, which appears to have fixed the vulnerability.

NSO Group, whose spyware is alleged to have been used in previous surveillance campaigns in Saudi Arabia and the UAE, has said that its software is only meant to be used by government clients to track down terrorists and criminals.

Citizen Lab explained more.

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system.

Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a miniscule fraction of the total attacks leveraging this exploit […]

Threat actors may have been aided in their iMessage attacks by the fact that certain components of iMessage have historically not been sandboxed in the same way as other apps on the iPhone.

The attack was discovered when one of the journalists suspected his phone had been hacked, and he approached Citizens Lab for help. With his agreement, they installed a VPN app that allowed them to monitor inbound and outbound communications. This showed that an exploit was delivered by Apple servers to iMessage, which then had the phone connect to a server hosting the NSO Group’s Pegasus spyware.

It should be emphasized that these were highly targeted attacks, and that ordinary iPhone users were exceedingly unlikely to be placed at risk by this vulnerability even prior to iOS 14. All the same, it is always good security practice to keep your devices updated with the latest versions of their operating systems.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy's favorite gear