- An Amnesty report says NSO Group sold spyware then used to target journalists and activists.
- The spyware successfully infected victims’ iPhones by exploiting flaws in iMessage.
- Amnesty said its findings suggest all iPhones and iOS updates are vulnerable to attack.
- See more stories on Insider’s business page.
A forensic analysis by Amnesty International found a type of military-grade spyware was used to successfully break into journalists’ iPhones by sending iMessages that didn’t even need to be clicked.
The spyware is made by Israeli company NSO Group, a private firm that sells advanced hacking tools to clients including governments.
A group of 17 media outlets and Amnesty International published a report Sunday claiming NSO Group’s Pegasus software was used by its clients to hack the phones of at least 37 journalists, activists, politicians, and business executives around the world.
NSO Group strongly denied the report, claiming it contained factual inaccuracies and lacked evidence.
Amnesty International published a forensic methodology report of how it analyzed targets’ phones to discover whether they had been compromised by Pegasus.
The organization found evidence of “zero-click” iMessage attacks being targeted at journalists going back to 2018, with alarming implications for iPhone security. Zero-click attacks don’t require any interaction from the victim to break into a phone.
Amnesty said it analyzed a fully updated iPhone 12 belonging to an Indian journalist which showed signs of “successful compromise” following a zero-click attack as recently as June 16, 2021.
“These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS,” the report warns.
Bill Marczak, a research fellow at the University of Toronto’s digital surveillance specialists Citizen Lab, said on Twitter the lab likewise found evidence of zero-click message attacks being used to break into the latest iPhones.
Marczak said some of the zero-click attacks exploited Apple’s ImageIO, which allows Apple devices to read and display images.
-Bill Marczak (@billmarczak) July 18, 2021
Amnesty also found evidence of a zero-click attack targeted at an Azerbaijani journalist in 2020 involving Apple Music. Amnesty said its analysis couldn’t ascertain whether Apple Music was used to infect the phone, or if the exploit began with a different app.
Amnesty said it reported its findings to Apple, which said it would investigate the matter.
The organization said NSO Group clients had previously relied on attacks that would send a malicious link to a victim, whose device would become infected once they click on it.
Apple said in a statement that the iPhone remains one of the safest consumer devices.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple security engineering chief Ivan Krstić said in a statement, adding that Apple prioritized security updates and that the majority of users were not at risk.
NSO Group said its software is used to fight terrorism and crime. It also said once it sells its products to customers, it does not operate them and has no insight into how they’re deployed. It was not immediately available for comment when contacted by Insider.
NSO Group has been accused previously of facilitating hacks on journalists.
Facebook sued NSO Group in October 2019, saying the company’s tools were used to hack WhatsApp accounts for journalists, politicians, human rights activists, and more. The alleged attack only required hackers to call victims on WhatsApp to infiltrate their phones.