Apple Patches Zero-Click iMessage Hack Used By NSO

Apple has released an urgent patch to fix a major vulnerability in iMessage that was being used to target iPhone users. 

Security researchers found the vulnerability when they were investigating the potential hack of a Saudi activist’s iPhone, according to a new report by Citizen Lab, a digital rights group housed at the University of Toronto’s Munk School that has investigated NSO spyware for years. 

The researchers told Motherboard that they believe the attack was carried out by a customer of NSO, the infamous Israeli company that sells spyware to dozens of governments all over the world. The hack relied on an unknown vulnerability—also known as a zero-day—in iMessage, which allowed the hackers to take over a target’s phone by sending them a message that was effectively invisible. These kinds of attacks are called zero-click exploits, as they don’t require the victim to click on anything. 

Citizen Lab wrote in a blog post that it believes this zero-day was being used since at least February of this year.

Apple declined to comment. The company, however, credited Citizen Lab in a security update it published on Monday. An NSO spokesperson wrote in an email that “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”

“Popular chat programs like iMessage are currently the royal road for nation state groups, and mercenary hackers to target phones.”

This discovery will once again fuel the debate over whether iPhones have become too vulnerable to government hackers using sophisticated spyware, such as the one made by NSO. 

“What this really highlights is that popular chat programs like iMessage are currently the royal road for nation state groups, and mercenary hackers to target phones. Ubiquitous chat and messaging apps are a serious attack surface. And it’s time for them to get a lot more secure,” John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard in a phone call. 

This discovery also shows that it’s becoming harder for researchers to find these types of attacks.

“The traditional way that we track this stuff is by having targets forward us suspicious things that they notice for analysis. But obviously, the target can’t notice anything in this zero click case. So it’s an example of the spyware industry increasingly going dark,” Bill Marczak, another Citizen Lab researcher who investigated this attack, told Motherboard in a phone call.

Do you research vulnerabilities and exploits for iPhones? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email lorenzofb@vice.com.

In July, a consortium of 17 media organizations, in collaboration with Amnesty International and non-profit Forbidden Stories, reported that they had obtained a list of 50,000 phone numbers targeted by several NSO government customers. A forensic analysis done by Amnesty International found evidence of successful or attempted hacks on 34 phones. 

This discovery comes months after Apple implemented a security feature that was supposed to make it harder to use precisely these kinds of hacks against iPhones, which Motherboard reported in February of this year. 

Citizen Lab detailed in its blog post how it found the zero-day. In the post, researchers wrote that they were analyzing the iPhone of a Saudi activist and determined that it had been hacked with NSO’s spyware Pegasus. Researchers told Motherboard that they attributed the attack to NSO by finding evidence that linked it to the hack of 36 journalists at Al-Jazeera, which Citizen Lab revealed in December of 2020. 

The researchers said that the result of the attack was invisible to the user, but they were able to find evidence that showed that iMessage had saved several attachments that appeared to be GIF files, but were actually PDF and PSD files. The evidence was stored in the activists’ iPhone crash logs, which are details of recent crashes of the phone, which sometimes can sometimes provide indications of a hack.

“Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple wrote in the patch’s release notes. 

This new discovery will undoubtedly reignite the debate over whether Apple is doing enough to protect users against these kinds of attacks. 

“It’s critically important that anybody who makes ubiquitous chat programs makes sure that those programs minimize the attack surface that those programs present. Otherwise, they will remain an irresistible target for nation state and mercenary hacking operations,” Scott-Railton said.

Security experts have recently criticized Apple for the recent slew of discovered hacks. 

Claudio Guarnieri, the head of the Security Lab at Amnesty International which did the Pegasus Project investigation, wrote in an recent op-ed that “perhaps next fall, instead of a phone with obnoxious amounts of cameras and pixels, I would welcome a more affordable, accessible, and secure device we could have some confidence in.” 

This story has been updated to add NSO’s statement.

UPDATE, Sept. 14 a.m. ET: After the story was published, Apple sent the following statement by Ivan Krstić, head of Apple Security Engineering and Architecture:

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Subscribe to our cybersecurity podcast CYBER, here.