iPhone hack is sophisticated spying tech used by ‘autocratic’ governments, say researchers

A serious iPhone software vulnerability has been traced to a firm accused of providing spy tech to autocratic governments. Here’s what you need to know. 

While analyzing the phone of a Saudi activist, researchers at Citizen Lab discovered a so-called “zero-day zero-click exploit” targeting Apple’s iMessage. The exploit is used against Apple iOS, macOS and watchOS devices, Citizen Lab said.

Spyware can turn a phone into a spying device that grabs geographical location, call logs, contact lists, and even photos, according to Kaspersky Lab.

The company, NSO Group, used the vulnerability to infect the latest Apple devices with Pegasus spyware through an exploit that Citizen Lab dubs FORCEDENTRY. The exploit has been in use since at least February 2021, Citizen Lab said.

The combination of zero-day and zero-click makes the exploit especially malicious, Hank Schless, senior manager, Security Solutions at Lookout, a San Francisco, Calif.-based cloud security company, explained to FOX Business.

“A zero-day vulnerability is one that either hasn’t been discovered or, more importantly, is known but there hasn’t been a fix issued for it yet,” Schless said. Throw zero-click on top of that and the exploit becomes especially pernicious because the user doesn’t have to do anything, according to Schless. Typically, a user must click on a link, download a file, visit a website, or install an application to activate malware.

Apple was quick to respond and issued a fix on September 13 for the iPhone and iPad. The fixes are now available as security updates for iOS and iPadOS. Apple described the vulnerability as “a maliciously crafted PDF [that] may lead to arbitrary code execution.”

“We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement to Fox Business. 

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said, adding that “they are not a threat to the overwhelming majority of our users.” 

Pegasus ‘spyware’

Citizen Lab accuses NSO of “selling technology to governments that will use the technology recklessly in violation of international human rights law.” 

“Autocratic governments” are willing to pay “huge sums” to hack their critics, Citizen Lab said, adding that “mercenary spyware companies devote substantial resources to identifying software vulnerabilities on widely used applications and then package those exploits to eager government clients, creating a highly lucrative but widely abused commercial surveillance marketplace.” 

A July report from Amnesty International made similar accusations.

“NSO Group claims that its Pegasus spyware is only used to ‘investigate terrorism and crime’ and ‘leaves no traces whatsoever.’ This Forensic Methodology Report shows that neither of these statements are true,” Amnesty International said.

A July report in the Washington Post said NSO’s “military-grade spyware” was used to hack smartphones belonging to journalists, human rights activists, business executives and “two women close to murdered Saudi journalist Jamal Khashoggi.”

The phones were on a list of more than 50,000 numbers that are “concentrated” in countries that engage in citizen surveillance and are known to be clients of NSO Group, the report said.

NSO states on its website that it develops “best-in-class technology to help government agencies detect and prevent terrorism and crime.”

“Our regular detractors have no real solution to the security challenges of the 21st century. Their self-aggrandizing and misguided campaigning is a boon to terrorists, criminals and pedophiles,” NSO Group said in a statement sent to Fox Business.

“Meanwhile, NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime,” NSO said.