The Israeli surveillance technology company NSO Group used at least three methods for breaking into iPhones when targeting members of civil society in 2022, according to a report by the Citizen Lab, a research group at the University of Toronto.
The methods, known as zero-click exploit chains, allow the company to circumvent security features of the Apple Inc. phones and install NSO’s “Pegasus” spyware, which can collect information from a device and also use its cameras and microphones for real-time surveillance. In zero-click hacks, a user doesn’t have to click on a malicious link for the malware to infect a device.
Citizen Lab said the hacking methods were used against devices belonging to members of the Miguel Agustín Pro Juárez AC Human Rights Center, known as Centro Prodh, a Mexican human rights group. A representative for the group couldn’t immediately be reached for comment.
An Apple representative said that while the threats outlined by Citizen Lab only impact “a very small number of our customers,” “we take any attack on our users extremely seriously and we continue to build more defenses into our products.”
An NSO spokesperson said the company “adheres to strict regulation and its technology is used by its governmental customers to fight terror and crime around the world.” The spokesperson also took aim at Citizen Lab, which has produced numerous reports outlining misuse of spyware from NSO and others, saying, “Citizen Lab has repeatedly produced reports that are unable to determine the technology in use and they refuse to share their underlying data.”
The Israeli firm has been subjected to intense scrutiny — from Citizen Lab, journalists and government officials — due to reports that its technology has been used by government clients to spy on dissidents, journalists, politicians and others. Last year, NSO cut jobs and raised prices in a bid to satisfy creditors holding around $400 million in the company’s debt, Bloomberg reported in November.
The report also gives a limited view into how Apple’s new “Lockdown Mode” feature may be working. Introduced last year, Lockdown Mode limits how the phone functions to increase security and is intended for users that may be targeted by advanced spyware.
For a brief period at least, Lockdown Mode notified users via push notification that they were being targeted by NSO Group, according to the report. But it appears hackers may have figured out a way to evade it, according to Citizen Lab’s report, which added that it wasn’t clear if NSO’s software was still being blocked by the Apple feature.
The Apple representative said, “We are pleased to see that Lockdown Mode disrupted this sophisticated attack and alerted users immediately, even before the specific threat was known to Apple and security researchers.”
The report also said that NSO Group was able to evade another Apple security service built into iOS, called BlastDoor. Still, the Citizen Lab said it recommends users who are at risk of being targeted with spyware enable Lockdown Mode.
Citizen Lab said that it shared its findings with Apple in October 2022, prompting the company to release a security update in February.
The methods, which Citizen Lab is calling “PWNYOURHOME” and “FINDMYPWN,” use Apple’s built-in HomeKit and Find My iPhone features to attack the iPhones, according to the report.
Last month, President Joe Biden signed an executive order that bars US government agencies from using the services of spyware companies that pose a threat to national security or human rights. NSO Group was sanctioned in 2021 for what the Commerce Department called “malicious cyber activities.”