
Yet more digital spies targeting iPhones exposed by security researchers

News | Apr 12, 2023 | 6 mins

Just weeks after President Biden signed an executive order to prevent the US from purchasing commercial spyware used to subvert democracies, researchers have identified another shameful zero-click, zero-day exploit targeting iPhone users.


Just weeks after President Biden signed an executive order designed to prevent the US government from purchasing commercial spyware used to subvert democracies, researchers have identified yet another shameful zero-click, zero-day exploit that targeted iPhone users. This spy-for-hire ‘solution’ was sold by an Israeli firm called QuaDream.

Making everyone less safe

QuaDream’s attacks have been exposed by security researchers at Microsoft and Citizen Lab. QuaDream is a more secretive entity than NSO Group but shares much of the same pedigree, including being founded by ex-NSO Group employees and having connections to Israeli intelligence. Its attacks were first exposed last year, but the researchers have since found more about how these digital mercenaries worked.

The company sold a spooky surveillance platform called Reign to governments, ostensibly for law enforcement. Reign provides malware, exploits, and infrastructure to steal data from compromised devices, including iPhones running iOS 14.

Apple was made aware of these exploits in 2021 when it notified individuals targeted by the spooks and hardened its own security protections.

The researchers claim QuaDream now exclusively focuses on iOS attacks.

What is the Sicilian Defense?

The newly identified malware is called KingsPawn and was proliferated by a ghastly exploit christened EndOfDays, a zero-click attack which appeared to make use of invisible iCloud calendar invites to infect machines — users didn’t even need to do anything to be attacked.

The researchers report it to be in active use in Mexico, and Citizen Lab has identified victims situated in the US, Europe, the Middle East, and Central and Southeast Asia. Victims include politicians, journalists, and one NGO worker.

When installed on an iPhone, the spy software can record audio from calls or the microphone, take pictures, steal and remove keychain items, generate 2FA iCloud passwords, track location, search files, and search databases, all while masking its presence. It even has a self-destruct feature.

To support these attacks, Citizen Lab has identified over 600 servers located in at least 10 nations operated by QuaDream customers. Those servers perform a range of tasks, including storage of stolen data and exploit distribution/targeting.

Nations in which the servers are based include Israel, United Arab Emirates, Uzbekistan, Singapore, Hungary, Czech Republic, Romania, Bulgaria, Mexico, and Ghana. At least three (Hungary, Mexico, and the UAE) are known to use spyware to target human rights defenders (HRDs), journalists, and others involved in civil society.

Too many known unknowns

“We cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream itself. Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target Palestinian HRDs, as well as domestic political activists,” the researchers said.

With names like KingsPawn, ForcedEntry, EndOfDays, and Pegasus, the exploits used by these firms share some features, principally sophisticated attack vectors and a tendency to proliferate into wider use.

No surprise, then, to learn that two of QuaDream’s co-founders previously worked for the NSO Group and that the company itself is allegedly led by a former Israeli military official.

“Numerous key individuals associated with both companies have prior connections with another surveillance vendor, Verint, as well as Israeli intelligence agencies,” Citizen Lab said. “Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fuelled both by companies with recognizable names, as well as others still operating in the shadows.”

A threat to democracy

Microsoft is scathing about such attacks. It describes the growth of mercenary spyware companies as a threat to democracy and human rights and warns that the attacks used by these shady players will inevitably leak into wider criminality, with extreme effects.

“This poses real risk to human rights online, but also to the security and stability of the broader online environment,” warned Amy Hogan-Burney, Microsoft’s associate general counsel for cybersecurity policy and protection. That’s not just because of the threats themselves, but also the culture they create.

“The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization,” she said.

Apple has made no secret that it agrees with this Microsoft assessment. Filing suit against NSO Group in 2021, it called these people “21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”

Ivan Krstić, head of Apple Security Engineering and Architecture, has said, “Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

Protect yourselves

While the kind of attacks developed by such shadowy groups may cost a great deal to mount at first, that cost declines. For Apple, the challenge is to continue to make it hard enough to crack device security that the cost of those attacks remains too high for casual attackers. But over time exploits do leak, and those using older devices that no longer receive security patches are at increased risk.

It is extremely hard to protect against hitherto unknown zero-click attacks, but there are some approaches that may help limit the attack surface:

  • Update devices to the latest software, which includes the latest security fixes.
  • Protect devices with a passcode.
  • Use two-factor authentication and a strong password for Apple ID.
  • Install apps only from the App Store.
  • Use strong and unique passwords online.
  • Use Apple’s advanced iCloud+ security tools, if available to you.
  • Don’t click on links or attachments from unknown senders.

An iPhone user who believes they may be a target of attack should enable Lockdown Mode, which enhances existing security protection by dramatically shrinking the available attack surface, at the cost of some iPhone functionality. But one thing everyone can do is insist this industry is brought to heel — particularly as generative AI machines get ready to combine with the profound computational power of quantum computing.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.


Hello, and thanks for dropping in. I'm pleased to meet you. I'm Jonny Evans, and I've been writing (mainly about Apple) since 1999. These days I write my daily AppleHolic blog at Computerworld.com, where I explore Apple's growing identity in the enterprise. You can also keep up with my work at AppleMust, and follow me on Mastodon, LinkedIn and (maybe) Twitter.