On Monday, September 13, Apple announced the release of emergency security updates for its iOS and macOS operating systems after discovering, with the help of researchers from the Citizen Lab at the University of Toronto, a new “zero-click” vulnerability in its products. That same day, the researchers released a report explaining how they found the flaw Apple fixed: by examining the phone of a Saudi activist targeted by NSO Group’s Pegasus spyware.
While the news that NSO Group is helping governments infiltrate smartphones and computers with sophisticated exploits comes as no surprise, the scope and ease of the latest one, dubbed “FORCEDENTRY” by the Citizen Lab, remain quite astounding. It could be used to compromise all of Apple’s phones, tablets, computers and watches. Worse, because it can infect these devices without anyone actively clicking anything to download malicious code, it was virtually impossible to protect yourself from it.
But that was until last Monday. Go update all your Apple devices immediately! You can finish this article afterwards. Update your iPhone, your Apple Watch, and macOS on your desktop or laptop.
NSO Group, an Israeli company selling digital surveillance tools to governments around the world, has already come under fire on numerous occasions for commercializing sophisticated technical exploits that can be used against dissidents, activists and journalists.
Its tools were implicated in the 2018 assassination of Jamal Khashoggi, and earlier this year a list of more than 50,000 cell phone numbers potentially targeted by its Pegasus spyware was leaked to multiple media outlets. NSO Group initially denied that the list contained Pegasus targets, then announced that it would stop responding to press inquiries. The list helped demonstrate the scope and scale of the company’s operations, but it was unclear how the malware had infiltrated so many devices whose owners were very attentive to their digital security.
Anyone can target 50,000 cell phones, but compromising devices owned by journalists and activists who take their cyber hygiene more than seriously is a different kettle of fish, and a much harder one. Many cybersecurity incidents start with a moment of inattention: someone opens an attachment they shouldn’t have, fills out a form on an unsecured website, or plugs an unknown USB drive into their computer. This is also why so many basic cyber hygiene tips boil down to checking the sender addresses of the messages you receive or heeding your browser’s warnings.
In general, it is difficult for someone to compromise your computer without, at some point, tricking you into downloading something or revealing your usernames and passwords. But one of the hallmarks of NSO Group’s tools is that many of them can infect a device without its owner having to click on or download anything at all. This is why FORCEDENTRY is described as a “zero-click” exploit (not to be confused with a “zero-day”, a vulnerability that had never been discovered or patched until now, which FORCEDENTRY also is).
This explains why exploits like the one revealed last Monday are so dangerous and frightening, even for people who are diligent about cybersecurity. It is also part of the reason NSO Group is so widely reviled: the company doesn’t just sell spyware to governments for use on journalists, dissidents and activists. It sells incredibly advanced spyware that many of its customers would probably be unable to develop on their own.
Race against the exploit
Because they require no action from the victim, zero-click exploits are often difficult to detect and trace; users cannot easily go back through their messages or downloads to identify a specific suspicious message or file.
The Citizen Lab was only able to draw Apple’s attention to the issue because, earlier this year, a Saudi activist targeted by NSO Group’s Pegasus spyware gave it an iTunes backup of his phone. Citizen Lab researchers identified several suspicious .gif files in the backup and sent them to Apple on September 7.
Apple analyzed them, identified the exploited vulnerability and released the corresponding fixes less than a week later. Such a fast turnaround signals both Apple’s engineering prowess and the seriousness with which the company treated this exploit. While news of yet more reprehensible behavior by NSO Group feels like déjà vu, every zero-click or zero-day is a serious problem in its own right.
The Citizen Lab concludes its report on FORCEDENTRY on a surprisingly optimistic note, predicting that “NSO Group’s business model contains the seeds of its exposure. Selling technology to governments that will use it shamelessly in violation of international law ultimately facilitates the discovery of spyware by watchdog organizations, as we have shown on multiple occasions, and as has been the case here.”
I’m not sure I’m as confident that the researchers and companies tracking down and fixing these vulnerabilities and exploits will be able to keep pace with NSO. The past few years have shown us what technical feats NSO is capable of, and how many countries are ready to pull out briefcases of cash so that it keeps creating them.
It is still reassuring to see how quickly Apple and the Citizen Lab were able to react to NSO’s latest exploit. And it might even help push other big tech companies to take on NSO Group: Facebook sued NSO after discovering that the company had exploited a vulnerability in WhatsApp.
Until the Israeli government is prepared to regulate its spyware industry, the big tech firms would be wise to put much-needed pressure on the company and the country to stop playing with fire.