Arkansas Democrat-Gazette

Analysts say Israelis hacking iPhones

Study reveals NSO Group’s continued success in efforts to develop spyware

- JOSEPH MENN

Canadian researchers working with Apple say Israeli spyware-maker NSO Group deployed at least three new “zero-click” hacks against iPhones last year, finding ways to penetrate some of the device’s latest software.

The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, University of Toronto-based Citizen Lab said in a report Tuesday, and the lab shared its results with Apple, which has fixed the flaws.

It’s the latest sign of ongoing efforts by NSO, which says its products go to licensed government intelligence and law enforcement agencies, to create spyware that penetrates iPhones without users taking any actions. Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.

While it’s unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, the moves did not surprise them: “It is their core business,” said Bill Marczak, a senior researcher at Citizen Lab.

“Despite Apple notifying targets, and the Commerce Department putting NSO on a blacklist and the Israeli ministry cracking down on export licenses — which are all good steps and raising costs — NSO for the moment is absorbing those costs,” Marczak said.

Given the financial and legal fights NSO is involved in, Marczak said, it remains an open question how long NSO will keep finding or buying effective software exploits.

As NSO’s prominence has made it a symbol of government-level hacking, its repeated high-profile targeting has exposed it to researchers who are learning more of its tricks.

Armed with new electronic evidence of attacks, Citizen Lab said the group worked with Apple to review old phones and found traces of other attack methods. That deeper knowledge will continue to grow, making future hack-detection efforts easier, according to the group.

NSO spokesman Liron Bruck declined to say whether the company was behind the hacks or whether it had still more attacks that are equally effective. He faulted Citizen Lab for failing to disclose its underlying data.

“NSO adheres to strict regulation, and its technology is used by its governmental customers to fight terror and crime around the world,” Bruck said in an email.

It remains unclear how many phones were hacked with the newly discovered methods, and Citizen Lab declined to identify the ones it knew about.

An Apple spokesman, who provided information on the condition of anonymity, said the threats affected “a very small number of our customers” and that the company will continue to build more defenses into its products.

In one encouraging sign, some of the most recent attacks failed against users who had activated Apple’s recently introduced Lockdown Mode, which stops some communications from unknown callers and reduces the number of programs that are automatically invoked.

In an attack chain that used HomeKit — Apple’s framework for apps that control home lighting, temperature and other smart devices — iPhone users were warned that a hacker had tried to access the program but was blocked, researchers said.

Those warnings stopped showing up after a time, presumably because the attackers figured out how to access the program without triggering the warning or because they abandoned the method. Marczak urged other likely targets to use Lockdown Mode as well.
