- Dozens of journalists and other employees at Al Jazeera reportedly had their iPhones hacked by foreign governments using a “zero-click” iMessage exploit.
- According to researchers from The Citizen Lab, the governments of Saudi Arabia and the UAE used NSO Group’s Pegasus spyware to spy on the journalists.
- The iMessage exploit doesn’t appear to persist in iOS 14 and beyond.
In part, Apple built its name on privacy and security, but not even the most secure platforms are immune to breaches. On Sunday, the Guardian reported that dozens of iPhones used by Al Jazeera journalists were hacked using spyware that was allegedly purchased from Israel’s NSO Group, which produces it.
Researchers from the University of Toronto’s Citizen Lab believe clients of the Israeli technology firm — including the governments of Saudi Arabia and the United Arab Emirates — hacked their personal phones using “an invisible zero-click exploit” in iMessage that could be exploited up until at least iOS 13.5.1. The Citizen Lab researchers assert that the 36 phones “were a miniscule fraction of the total attacks leveraging this exploit.”
According to the Guardian, the hack was uncovered when Al Jazeera investigative journalist Tamer Almisshal started to worry that his iPhone had been compromised. He got in touch with The Citizen Lab, and they began monitoring his phone. Looking at logs of metadata associated with his internet traffic, they found that “his phone had connected to an NSO server after it was infected with an apparent malicious code delivered through Apple’s servers,” even though he had never clicked on any malicious links. He didn’t even have to do anything wrong to get hacked.
“As we have repeatedly stated we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on,” NSO Group told the Guardian. “However, where we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations.”
Meanwhile, Apple said that it could not independently verify the claims made by The Citizen Lab, but confirmed that the attack described in their research note was “highly targeted by nation states” against specific people. Apple also took the opportunity to remind everyone to download the latest version of the software running on their devices. The Citizen Lab says that the iMessage exploit doesn’t work on iOS 14 and above.
“I don’t know how to explain my feeling. It messes with your mind,” said Al Araby presenter Rania Dridi. “Everything, your private life, it’s not private any more. It wasn’t [just] for a month, it was for a year, and they have everything: the phone calls, the pictures, videos, they can turn the microphone on. It makes you feel insecure.”