A single activist has helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies, which is now facing a barrage of legal action and scrutiny in Washington over new allegations that its software has been used to hack government officials and dissidents around the world.
It all started with a software glitch on her iPhone.
An unusual error in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to uncover a trove of evidence that the Israeli spyware maker helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file on her phone, mistakenly left behind by the spyware, tipped off security researchers.
The discovery on al-Hathloul’s phone last year ignited a storm of government and legal action that has put NSO on the defensive. The discovery of the hack is being reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping lead a campaign to end the ban on women driving in Saudi Arabia. She was released from prison in February 2021, having been held on charges of harming national security.
Immediately after she was released from prison, the activist received an email from Google warning her that state-backed hackers had tried to infiltrate her Gmail account. Fearing that her iPhone was also hacked, al-Hathloul contacted the Canadian privacy group Citizen Lab and asked them to probe her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he describes as an unprecedented discovery: a glitch in the surveillance software implanted on her phone had left behind a copy of the malicious image file, instead of deleting itself, after stealing its target’s messages.
The computer code left behind by the attack, he said, provides direct evidence that NSO created the spying tool.
“It was a game changer,” says Marczak. “We caught what the company said was inaccessible.”
The discovery provided a blueprint of the hack and led Apple to notify thousands of other victims of state-backed hacking around the world, according to four people with direct knowledge of the incident.
Citizen Lab and al-Hathloul’s discovery formed the basis of Apple’s November 2021 lawsuit against NSO, and it also reverberated in Washington, where American officials learned that NSO’s cyberweapons were used to spy on American diplomats.
In recent years, the spyware industry has experienced explosive growth as governments around the world purchase phone hacking software that enables the kind of digital surveillance that was once the preserve of a few elite intelligence agencies.
Over the past year, a series of revelations from journalists and activists, including the international press collaboration Project Pegasus, has linked the spyware industry to human rights abuses, prompting closer scrutiny of NSO and its peers.
However, security researchers say the al-Hathloul discovery is the first to provide the blueprint for a powerful new form of cyber espionage: an attack tool that infiltrates devices without any interaction from the user. It provides the most concrete evidence to date of the weapon’s reach.
In a statement, an NSO spokesperson said the company does not operate the hacking tools it sells – “the government, law enforcement and intelligence agencies do.” The spokesperson did not respond to questions about whether its software was used to target al-Hathloul or other activists.
But the spokesman said the organizations making those claims were “political opponents of cyberintelligence” and deemed some of the allegations “technologically and contractually impossible.” The spokesperson declined to provide specifics, citing customer confidentiality agreements.
Without elaborating on specifics, the company said it had an established procedure to investigate alleged misuse of its products and had cut off customers over human rights issues.
Al-Hathloul has good reason to be suspicious – this isn’t the first time she’s been stalked.
A 2019 Reuters investigation revealed that she was targeted in 2017 by a group of US mercenaries who investigated dissidents on behalf of the United Arab Emirates under a secret program called Project Raven, which classified her as a “national security threat” and broke into her iPhone.
She was arrested and jailed in Saudi Arabia for nearly three years, where her family said she was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence of NSO involvement in the previous hack.
Al-Hathloul’s experience of being tracked and imprisoned made her determined to gather evidence that could be used against those who deploy these tools, Lina al-Hathloul said. “She feels it’s her responsibility to continue this fight because she knows she can change things.”
The type of spyware that Citizen Lab detected on al-Hathloul’s iPhone is known as “zero click,” meaning a user can be infected without clicking on a malicious link.
Zero-click malware often deletes itself once it infects users, leaving researchers and tech companies with no weapon samples to study. That could make it nearly impossible to gather evidence of iPhone hacks, security researchers say.
But this time was different.
The software crash left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual blueprint of the attack and proof of who created it.
“Here we have recovered bullet casings from the crime scene,” he said.
Marczak and his team discovered that the spyware worked in part by sending photo files to al-Hathloul via an invisible text message.
The image files tricked the iPhone into granting access to its entire storage, bypassing security and allowing the installation of spyware that could steal users’ messages.
According to Marczak, Citizen Lab’s findings provide solid evidence that the cyberweapon was built by NSO.
Marczak said the spyware found on al-Hathloul’s device contained code indicating it was communicating with servers that Citizen Lab has identified as controlled by the NSO. Citizen Lab named this new iPhone hacking method “ForcedEntry.” The researchers then provided the sample to Apple last September.
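The fake image file that tipped off the researchers is, at bottom, a file whose name claims one format while its contents are something else. As an added illustration (not Citizen Lab’s or Apple’s tooling, and not a description of how ForcedEntry was actually found), the following Python script shows the kind of basic forensic triage check a defender can run over a folder of extracted message attachments: it compares each image-named file’s leading bytes against that format’s well-known signature and flags mismatches. The directory layout, file names and file contents are constructed for the example.

```python
"""Forensic triage helper: flag files whose extension claims an image format
but whose leading bytes (magic numbers) do not match that format.

Added example, not Citizen Lab's or Apple's tooling. It assumes the analyst
has already exported a directory of message attachments to scan.
"""
import tempfile
from pathlib import Path

# Well-known file signatures for a few image formats (offset 0).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}


def sniff_mismatch(path: Path) -> bool:
    """Return True when the file has an image extension from MAGIC but its
    first bytes do not carry any of that format's signatures."""
    signatures = MAGIC.get(path.suffix.lower())
    if signatures is None:
        return False  # not an image extension this helper checks
    with open(path, "rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(sig) for sig in signatures)


def scan_directory(root: Path) -> list:
    """Walk root recursively and return the relative paths (as strings, sorted)
    of image-named files whose contents fail the signature check."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and sniff_mismatch(p):
            hits.append(str(p.relative_to(root)))
    return hits


def build_sample_dir() -> Path:
    """Construct a sample attachment folder (test data, not real artifacts):
    a genuine PNG, a genuine GIF, a text file, and a file named like a GIF
    whose body is clearly not GIF data."""
    root = Path(tempfile.mkdtemp(prefix="attachments_"))
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "sticker.gif").write_bytes(b"GIF89a" + b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"plain text, ignored by the check")
    # Hypothetical suspicious attachment: .gif name, non-GIF payload.
    (root / "preview.gif").write_bytes(b"NOT-AN-IMAGE" + b"\x00" * 32)
    return root


def run_demo() -> list:
    """Build the sample folder and return the list of flagged files."""
    return scan_directory(build_sample_dir())


if __name__ == "__main__":
    for hit in run_demo():
        print("extension/signature mismatch:", hit)
```

A hit from this check is only a lead: a mismatch can also come from a renamed file or a truncated download, so flagged files go on to deeper analysis rather than being treated as proof of compromise on their own.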
Having the blueprint of the attack in hand allowed Apple to fix the critical vulnerability and led it to notify thousands of other iPhone users who had been targeted by the NSO software, warning them that they had been targeted by “state-sponsored attackers”.
This is the first time Apple has taken this step.
While the majority of the targets Apple identified had been hit with NSO’s tool, security researchers also discovered spyware from a second Israeli vendor, QuaDream, that exploited the same iPhone vulnerability, Reuters reported earlier this month. QuaDream did not respond to repeated requests for comment.
The victims ranged from dissidents critical of the Thai government to human rights activists in El Salvador.
Citing findings obtained from al-Hathloul’s phone, Apple sued NSO in November in federal court, alleging that the spyware maker violated US law by building products designed “to target, attack, and harm Apple users, Apple products, and Apple.” Apple credited Citizen Lab for providing “technical information” used as evidence in the lawsuit, but did not disclose that it was originally obtained from al-Hathloul’s iPhone.
NSO says its tools have aided law enforcement and saved “thousands of lives.” The company said some of the allegations related to the NSO software were unreliable, but declined to elaborate on specific claims citing confidentiality agreements with its customers.
Among those Apple warned, at least nine US State Department employees in Uganda were targeted by the NSO software, according to people familiar with the matter, sparking a new wave of criticism of the company in Washington.
In November, the US Department of Commerce placed NSO on a trade blacklist, restricting US companies from selling software products to the Israeli firm and threatening its supply chain.
The Commerce Department said the action was based on evidence that NSO spyware was used to target “journalists, business people, activists, academics and embassy staff.”
In December, Democratic Senator Ron Wyden and 17 other lawmakers called on the Treasury Department to sanction NSO Group and three other foreign surveillance firms that they say helped authoritarian governments violate human rights.
Wyden told Reuters in an interview, referring to the targeting of US officials in Uganda: “When the public saw that the US government numbers were hacked, that obviously turned the wheel.”
Lina al-Hathloul, Loujain’s sister, said the financial blow to NSO may be the only thing that can stop the spyware industry. She said: “It hit them where it was very painful.”
© Thomson Reuters 2022