The Washington Post

Apple issued a software update after researchers found a new exploit from NSO Group’s Pegasus surveillance tool targeting iPhones and other Apple devices.

- BY CRAIG TIMBERG, DREW HARWELL AND REED ALBERGOTTI craig.timberg@washpost.com drew.harwell@washpost.com reed.albergotti@washpost.com

Spyware researchers have captured what they say is a new exploit from NSO Group’s Pegasus surveillance tool targeting iPhones and other Apple devices through iMessage, in yet another sign that chat apps have become a popular way to hack into the devices of political dissidents and human rights activists.

Apple issued a patch Monday to close the exploit discovered by researchers at Citizen Lab, who said they found the hack in the iPhone records of a Saudi political activist and alerted the company to the problem.

This is the first time since 2019 that the malicious code used in a Pegasus hack has been discovered by researchers. It offers new insights into the techniques of the company, highlighted in July by the Pegasus Project, a multipart global investigation by The Washington Post and 16 other news organizations.

The researchers declined to name the Saudi activist who was targeted, at the person’s request. They also did not reveal which NSO governmental client they believe deployed Pegasus against this person. They did say that the hacking technique used, which they called FORCEDENTRY, has been active since at least February and can invade Apple iPhones, MacBooks and Apple Watches secretly, in what is called a “zero-click attack” — something of a specialty for NSO, which is based in Israel.

The “zero click” capability of Pegasus allows the spyware to install itself on a phone without the owner doing anything, such as clicking a link. The spyware can then turn the phone into a spy device, recording from its cameras and microphones and sending location data, messages, call logs and emails back to NSO’s client.

“We wouldn’t have discovered this exploit if NSO’s tool wasn’t used against somebody they shouldn’t be targeting,” said John Scott-Railton, a researcher for Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs and Public Policy.

He added, “Chat programs are quickly becoming a soft underbelly of device security.”

In a software update Monday, Apple issued a patch aimed at the Pegasus exploit but did not mention NSO Group. Apple, in a post describing the exploit, said: “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

In an emailed statement, Ivan Krstic, head of Apple security engineering and architecture, thanked Citizen Lab for “successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

NSO Group says it licenses its Pegasus spyware tool to dozens of government agencies and police forces around the world to investigate major crimes. But the Pegasus Project investigation and earlier reports by Citizen Lab and Amnesty International found that the tool had also been used to target political dissidents, business leaders, journalists and human rights activists.

NSO Group declined to respond in detail to the Citizen Lab report, saying in a statement Monday only that it “will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”

The company has said previously that it investigates when it learns the spyware has been used in a way that violates the company’s contract and that it has canceled client contracts in cases of confirmed Pegasus abuse.

As part of the Pegasus Project, Amnesty International’s Security Lab, a technical partner of the investigation, examined 67 phones whose numbers appeared on a list to which Amnesty and a French journalism nonprofit, Forbidden Stories, had gained access. Of those, 37 showed signs of a successful Pegasus infection or an intrusion attempt.

Since publication, Amnesty’s Security Lab has confirmed infections or traces of Pegasus spyware on 15 additional phones, including a phone belonging to British human rights activist David Haigh. At least 10 of those phones were found on the Forbidden Stories list.

The investigation’s discovery of successful Pegasus hacks of iPhones, including some that were recent models with the latest software updates, raised questions about whether the security of Apple’s mobile devices lives up to their reputation as safer and more private than rivals’ — a theme for years of Apple’s marketing.

The encrypted chat app iMessage was a particularly popular entry point for the intrusions; iMessage played a role in 13 of the 23 successful infiltrations detailed in the Pegasus Project investigation.

Though the exploit revealed Monday uses iMessage, it is unclear whether it is the same one used on targets identified by the Pegasus Project. Companies such as NSO Group often have new exploits ready to go as soon as one is discovered and stopped by Apple — a constant game of whack-a-mole in which hackers have the edge.

Monday’s findings by Citizen Lab could renew pressure on NSO Group and Israel, which approves Pegasus export licenses. Israel’s foreign minister, Yair Lapid, said earlier this month the government would review NSO’s work to ensure “nobody is misusing anything that we sell.”

A top adviser to President Biden discussed the spyware during a July meeting with a senior official with Israel’s Defense Ministry, and members of Congress have called on the White House to push forward on regulations, sanctions and other investigations designed to address the spyware’s misuse.

JOHN MACDOUGALL/AGENCE FRANCE-PRESSE/GETTY IMAGES An Apple mural ad is painted in Berlin in October 2020. Apple issued a security patch for iPhones and other devices Monday after Citizen Lab researchers said they found an exploit from NSO Group’s Pegasus surveillance tool targeting Apple products via the iMessage app.
