TEXXR

Chronicles

The story behind the story

Citizen Lab: NSO's zero-day, zero-click exploit chain, active in at least iOS 13.5.1, was used to hack ~36 Al Jazeera reporters via iMessage in summer of 2020

Summary & Key Findings  — In July and August 2020, government operatives used NSO Group's Pegasus spyware …

The Citizen Lab

Discussion

  • @jsrailton John Scott-Railton on x
    🚨MAJOR REPORT: zero-click #0day in #iMessage used to infect 36 ppl @Aljazeera w/ NSO spyware. We attribute to UAE & Saudi Arabia w/medium confidence. THREAD https://citizenlab.ca/... https://twitter.com/...
  • @matthew_d_green Matthew Green on x
    The problem this time for NSO is that their infection process and exfiltration were visible in network logs. But they're obviously going to get better at hiding this stuff in the future. Apple could really help make this easier for researchers.
  • @jsrailton John Scott-Railton on x
    (3) VECTOR & MITIGATION: We found evidence that these hacks were via a zero-click (no user interaction & invisible) 0day in iMessage. Fortunately, features in iOS 14 appear to break the exploit chain. To protect yourself: update to iOS 14 IMMEDIATELY. https://twitter.com/...
  • @matthew_d_green Matthew Green on x
    One of the interesting things about this story is how difficult it must be to instrument iOS devices to catch these 0-click exploits in action. Partly because Apple makes it difficult. https://twitter.com/...
  • @dr_ulrichsen Kristian Ulrichsen on x
    ‘The claims of a hacking campaign against journalists from the two Qatari-funded media outlets underscores the extent to which Saudi Arabia and the UAE continue to see the Doha-based network as a major threat to their interests.’ https://www.theguardian.com/ ...
  • @wokyleeks @wokyleeks on x
    WELP big old F for Apple today, another iMessage 0-day exploited by NSO. @thespybrief https://twitter.com/...
  • @farshadnayeri Farshad Nayeri on x
    It's true that iOS is more secure than other popular OSes but it only takes one bad vulnerability to break the wall of defense. https://twitter.com/...
  • @jsrailton John Scott-Railton on x
    The @aljazeera journalists were hacked & monitored w/servers located in the EU. Likely many more victims. Please RT & ask EU authorities to open investigations. 🇩🇪@BfDI_info @certbund 🇫🇷 @CNIL @CERT_FR 🇬🇧 @ICOnews @NCSC 🇮🇹 @italiaprivacy cc @enisa_eu https://twitter.com/... https…
  • @zackwhittaker Zack Whittaker on x
    It's believed NSO's Pegasus was delivered silently by exploiting a flaw in Apple's iMessage — no user interaction required at all — to spy on the victim's microphone, camera, files, and location. Apple said it fixed the apparent flaw in iOS 14. https://techcrunch.com/... https://…
  • @pwnallthethings @pwnallthethings on x
    Also P0 is likely the motivating reason why Apple hardened iMessage on ios 14, which apparently limited NSO's capability
  • @matthew_d_green Matthew Green on x
    iMessage payloads are encrypted and can be individually encrypted to specific devices. There's no documentation of or support for open clients that can receive or monitor incoming iMessage data, without major jailbreaks and hacks.
  • @robertjdenault Robert J. DeNault on x
    Facebook, WhatsApp and now Microsoft are suing NSO Group. Its software is being used by governments around the world to spy on and track journalists. But Rod Rosenstein is representing NSO Group in US court. https://twitter.com/...
  • @laurahuu Laura Halminen on x
    Sometimes, in some places of the world, being a journalist means getting constantly targeted and occasionally hacked. Even if you assumed iPhones and iMessages are safe. https://twitter.com/...
  • @matthew_d_green Matthew Green on x
    What I'm thinking is that Apple should make it easier for selected targets to record the raw iMessage (APN) ciphertexts sent to individual devices, without leaving an obvious signature that attacker can use to see if this is happening.
  • @aaschapiro Avi Asher-Schapiro on x
    A New Citizen Lab uncovers a new zero-click exploit for iPhones used by operators linked to the Saudi/UAE governments to spy on journalists as recently as August. “We suspect that the infections that we observed were a miniscule fraction of the total” https://citizenlab.ca/...
  • @jsrailton John Scott-Railton on x
    (2) BEGAN when investigation lead @billmarczak spotted unusual traffic from @Aljazeera reporter @TamerMisshal's phone: (1) odd connections to Apple servers, (2) connection to NSO's infection servers (3) Data flowing from his device to an NSO command and control server... https://…
  • @jeffstone500 Jeff Stone on x
    This is a big one from @citizenlab: iPhones belonging to dozens of Al Jazeera journalists were hacked via zero-click malware built by NSO Group, the Israeli spyware vendor. https://citizenlab.ca/...
  • @pwnallthethings @pwnallthethings on x
    Good thread, but also a reminder that independent security research on ios is made unreasonably hard by Apple https://twitter.com/...
  • @aaschapiro Avi Asher-Schapiro on x
    When Israeli surveillance firm NSO Group was acquired by UK Private Equity Firm Novalpina, in 2019, they made big promises about rolling out a new “human rights” framework. Now, we hear *dozens* of journalists were targeted this summer. https://www.theguardian.com/ ...
  • @matthew_d_green Matthew Green on x
    So it looks like the best Citizenlab can do is install a VPN on likely target devices and look for weird outgoing connection patterns, plus check logs for kernel panics. It's like looking for evidence dark matter based on its gravitational effect on things you can see.
  • @osxreverser @osxreverser on x
    Gotta love Apple blackbox!😂😂😂 😂😂😂 https://twitter.com/...
  • @kenklippenstein Ken Klippenstein on x
    Recall that an Al Jazeera journalist recently sued the Saudi crown prince for allegedly hacking into her phone to steal and disseminate intimate photos https://twitter.com/...
  • @dangillmor Dan Gillmor on x
    NSO is an evil company, Part 845: https://twitter.com/...
  • @film_girl Christina Warren on x
    Well this is terrifying. The fact that an iOS 0-day could allow for this sort of attack is truly terrifying. https://citizenlab.ca/...
  • @shashj Shashank Joshi on x
    “In one case, the Saudis and the Emirates appear to have spied on the same phone, researchers found, suggesting the attacks may have been coordinated. Journalists, executives, anchors and producers were alleged to have been affected by the hacks.” https://www.theguardian.com/ ...
  • @donie Donie O'Sullivan on x
    “In July and August 2020, government operatives used NSO Group's Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera,” according to ⁦@citizenlab⁩ ⁦@jsrailton⁩ https://citizenlab.ca/...
  • @citizenlab @citizenlab on x
    NEW REPORT “The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage “Zero-Click Exploit” by @citizenlab @billmarczak @jsrailton @nouraaljizawi @sienaanstis @RonDeibert: https://citizenlab.ca/...
  • @evacide Eva on x
    New @citizenlab report finds a no-click 0-day in iMessage being used by NSO Group to target Al Jazeera journalists. If you are concerned about being a target, make sure you've upgraded to iOS 14: https://citizenlab.ca/...