NSO Group returns with triple iOS 15/16 zero-click spyware attack

No matter what US President Joseph R. Biden Jr. said, NSO Group is still around; the privatized spying service produced zero-click exploits against iOS 15 and iOS 16 last year, according to the latest report from Citizen Lab.

It also suggests Lockdown Mode is effective against such attacks.

A trio of exploits used in complex form

The report reflects what Citizen Lab learned from investigating attacks against Mexican human rights defenders. The researchers conclude that NSO Group, called “mercenary hackers” by Apple, has made wide use of at least three zero-click exploits in Apple’s iPhone operating systems against civil society targets worldwide. NSO Group is the infamous firm that created the Pegasus tool used to spy on people.

Use of these surveillance tools in Mexico is problematic, given the lengthy history of human rights abuses there, which extends to extrajudicial killings and forced disappearances.

Citizen Labs exploits were used against human rights defenders representing the families of 43 kidnapped students, and at least one person targeted appears to have been attacked using NSO Group spyware on numerous occasions, the report claims.

The research identifies three attacks, dubbed, “PWNYOURHOME,” “FINDMYPW,” and “LATENTIMAGE.” It also seems NSO Group is engaging in increasingly complex attack mechanisms as it attempts to subvert civil society targets worldwide.

For example, PWNYOURHOME, was a two-step zero-click exploit in which each step targets a different process on the iPhone. The first step aimed at HomeKit; the second targeted iMessage. The security researchers shared their findings with Apple and the company issued critical security improvements to HomeKit in iOS 16.3.1.

The mercenaries want to hide

Lockdown Mode appears to provide fairly effective protection against such exploits. Citizen Lab says that devices in that mode initially received warnings if the PWNYOURHOME hack was used against the device, though this is no longer the case — illustrating the constant cat-and-mouse battle between platform providers and well-heeled mercenary criminal groups.

The researchers warn:

“We continue to observe what we interpret to be concerted efforts by NSO Group to evade detection by the methods deployed by researchers. For example, in contrast to previous versions of Pegasus, the versions deployed in 2022 appear to more thoroughly remove data from various iPhone log files, in an apparent attempt to thwart researchers from understanding the nature of the vulnerabilities exploited to compromise phones, and to evade detection.”

What to do to protect yourself

It is worrying, though perhaps not surprising, the extent to which NSO Group and other surveillance-as-a-service vendors continue to see their exploits used against human rights defenders. It is also concerning that the group is evolving its attacks toward multi-step attacks.

In response, Citizen Lab encourages developers to think more deeply about device security and to “treat the entire surface reachable through a single identifier as a single surface.” In tech, just as in the real world, no one is safe until everyone is safe.

Another recommendation is to continue to obfuscate devices to make them hard to follow, and to make it even more challenging for attackers to execute arbitrary code on them. “We highly encourage all at-risk users to enable Lockdown Mode on their Apple devices. While the feature comes with some usability cost, we believe that the cost may be outweighed by the increased cost incurred on attackers,” Citizen Lab said.

Amoral mercenary hackers such as NSO Group remain a huge threat to business and civil society wherever their tools are used. The inconvenient fact about such exploits is that these tools do eventually become available across the dark web, and once they do so they threaten every user. NSO Group is not unique. Israel seems to have spawned several such groups, including the more secretive QuaDream which was exposed last week.

It is also a fact that Apple is working quite hard to protect users against such attacks. An Apple spokesperson promised, “Our security teams around the world will continue to work tirelessly to advance Lockdown Mode and strengthen the security and privacy protections in iOS.”

With this in mind, the most appropriate step is to ensure you and your colleagues install any Apple security patches as soon as they are available.

If you are a high-risk individual who feels yourself likely to be attacked, you should use Lockdown Mode, as the cost and consequence of being attacked may far outweigh the inconvenience. After all, the risk of such attacks is that data exfiltrated from people’s devices may be abused, used to create unfair business advantage, and may even lead to loss of life.

This is an industry that needs to be brought under control.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.