NSO's Pegasus spyware found new ways to hack iPhones
Citizen Lab at the University of Toronto found that phones of Mexican human rights activists were infected with Pegasus by exploiting vulnerabilities in Apple’s operating system
Israel-based NSO Group has developed three new zero-click exploit chains that let its Pegasus spyware break into iPhones by exploiting vulnerabilities in iOS 15 and 16, the most recent versions of Apple's operating system, according to a report by Citizen Lab, an interdisciplinary laboratory based at the University of Toronto.
Citizen Lab's report found that iPhones belonging to several members of Mexican civil society, including two human rights defenders, were infected with Pegasus. One infected device belongs to Jorge Santiago Aguirre Espinoza, the director of the human rights organization Centro PRODH. Aguirre had already been the target of an attempted Pegasus infection in 2017. According to the report's findings, the spyware was active on his device between June 22 and July 13, 2022.
A second infected device belonged to another Centro PRODH employee, María Luisa Aguilar Rodríguez, whose device had previously been targeted on June 23, 2022. Forensic analysis of these devices identified indicators of three new zero-click exploit chains, each abusing vulnerabilities in a different set of built-in iPhone apps and features.
These findings indicate that U.S. sanctions against the company did not stop it from developing new iPhone exploits. Citizen Lab shared its findings with Apple, which made several changes to address the issues in the iOS 16.3.1 update released in February of this year. Apple is already in the midst of a high-profile lawsuit against NSO, filed after the zero-click attack that Citizen Lab identified in September 2021.
In November 2021, NSO was added to the U.S. Department of Commerce Entity List, which bars U.S. companies from doing business with the spyware developer without special permission from the department. One goal of the blacklisting was to curtail the company's ability to do business, and by that measure it was largely successful: according to reports, it caused NSO major financial difficulties.
Another goal was to cut the company off from the devices and operating systems of U.S. companies, including Apple, Microsoft and Intel, and so keep it from finding the vulnerabilities its spyware depends on.
Citizen Lab's report shows that this second goal was not achieved. The report found that throughout 2022, NSO successfully exploited at least three zero-click vulnerability chains (attacks that require no action on the part of the victim, such as opening a message or tapping a link) in iOS 15 and 16. iOS 16 is the latest version of the operating system and was released in the fall of 2022.
"I don't think there was a real expectation that being on the blacklist would prevent NSO from accessing Apple's iPhones or software," Dr. Bill Marczak of Citizen Lab told Calcalist. "Anyone can easily go to an Apple store and buy a phone, or download the updated software from Apple, without revealing who his employer is. But that doesn't mean the move failed. The way I see it, it led the Israeli government to limit the export of spyware, which made it difficult for companies in the industry to acquire new customers." Dr. Marczak led the compilation of Citizen Lab’s report, alongside John Scott-Railton, Bahr Abdul-Razzak and Ron Deibert.
The most recent exploit chain, and the one the researchers have the most information about, is "PWNYOURHOME," which was detected against both iOS 15 and 16. "This is a two-step breach," Dr. Marczak said. "The first step targets the HomeKit functionality built into phones. We don't know exactly what HomeKit was used for, but we saw evidence that the attackers sent messages through it to the victim, which were decoded by his phone. After that, the attackers targeted iMessage. When the victim's phone decoded the image, it ran malicious code. The attackers were able to break through protections and install Pegasus on the phone."
In the case of PWNYOURHOME, the targeted device detected the exploitation attempt in real time, thanks to Apple's Lockdown Mode. The feature, introduced last year, is intended for users who fear they are being targeted by spyware such as Pegasus. When it is enabled, many device capabilities, including the ones most often abused by spyware, are restricted. Devices attacked through this chain while Lockdown Mode was active displayed a notification about the intrusion attempt.
A second zero-click chain, "FINDMYPWN," was identified in the report. It was deployed against iOS 15 beginning in June 2022. It also appears to be a two-step attack, in this case using the Find My feature instead of HomeKit, followed by iMessage.
The least is known about the third zero-click chain, "LATENTIMAGE," which was found to have been active in January 2022 against iOS 15. "We saw that the Find My app crashed when the phone was hacked, but we saw no evidence of a second step through iMessage. The Find My and HomeKit applications are built-in applications. Even if the user doesn't use them, they are installed on the phone and run on it," Dr. Marczak said.
In response to Citizen Lab's report, NSO said that Citizen Lab has repeatedly published reports that failed to determine the technology in use and "refused to share its underlying data."
"NSO adheres to strict regulation, and its technology is used by its governmental customers to fight terror and crime around the world," they added.