Report: Pegasus Spyware Sold to Governments Uses Zero-Click iMessage Exploit to Infect iPhones Running iOS 14.6

Journalists, lawyers, and human rights activists around the world have been targeted by authoritarian governments using phone malware made by Israeli surveillance firm NSO Group, according to multiple media reports.

An investigation by 17 media organizations and Amnesty International's Security Lab uncovered a massive data leak, indicating widespread and continuing abuse of the commercial hacking spyware, Pegasus, which can infect iPhones and Android devices and enable attackers to extract messages, emails, and media, and record calls and secretly activate microphones.

The leak contains a list of over 50,000 phone numbers that are believed to have been identified by clients of NSO as possible people of interest. Forbidden Stories, a Paris-based nonprofit media organization, and Amnesty International had access to the leaked list and shared that access with media partners as part of a reporting consortium, the Pegasus project. Forensic tests on some of the phones with numbers on the list indicated that more than half had traces of the spyware.

The company behind the software, NSO, denies any wrongdoing and claims its product is strictly for use against criminals and terrorists, and is made available only to military, law enforcement and intelligence agencies.

In a statement given to media organizations in response to the Pegasus project, NSO said the original investigation which led to the reports was "full of wrong assumptions and uncorroborated theories."

"NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems."

In an earlier version of the spyware, surveillance activity depended on the phone user clicking on a malicious link sent to them in a text or email (so-called "spear-phishing"). However, the most recently discovered version doesn't require interaction from the user and can instead exploit "zero-click" vulnerabilities – bugs or flaws in the OS – to succeed.

For example, Amnesty's Security Lab and Citizen Lab found an iPhone running iOS 14.6 could be hacked with a zero-click iMessage exploit to install Pegasus.


Meanwhile, media organizations involved in the project plan to reveal the identities of people whose numbers appeared on the list in the coming days. They are said to include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials. Disclosures, which began on Sunday, have already revealed that the numbers of more than 180 journalists are among the data.

WhatsApp sued NSO in 2019 after it alleged the company was behind cyber-attacks on thousands of mobile phones involving Pegasus. NSO denied any criminal wrongdoing, but the company has been banned from using WhatsApp.

Update: Apple has provided the following statement condemning the use of the zero-click exploit against journalists, lawyers, and human rights activists to The Guardian.

In a statement, the iPhone maker said: “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”

Apple also said that security was a dynamic field and that its BlastDoor was not the end of its efforts to secure iMessage.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” it said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”


Top Rated Comments

mdnz
19 weeks ago

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.
Just upping a version number doesn't mean the problem is fixed.
Score: 53 Votes
One2Grift
19 weeks ago

I don't like blaming people but in this case, it's all on Apple

- They DO actually have infinite resources with 200Bn USD in the bank

- They continually prioritize features some marketing monkeys thought up - iMessage, targeted here, is the best example. Apple has really good engineers working there, I am 100% sure some of them spoke up and said "guys, this is a bad idea there's no way to make an app API, tons of animation features, customizable emojis, customizable animations, free floating sticky notes, all secure in one big release. We need to hold off on this." but they were outvoted by the marketing monkeys ("this will sell more iPhones")

- Their software process is antiquated and wasn't good when it was first invented sometime in the '80s. That's why Avi left.
They don’t have infinite resources, that’s just a bizarre statement.

Software vulnerabilities happen, it is a fact of life. Yes, a company must patch them ASAP. Apple has been excellent at keeping vulnerabilities to an extreme minimum and patching them quickly. But if they knew about this one sooner and didn’t patch it, then there is a problem.

Since both Microsoft and Google have infinite resources based upon your bizarre math, you must be furious at them given malware numbers for them.
Score: 18 Votes
Packers1958
19 weeks ago
Don’t worry. Apple is on top of it. They are planning to offer a new line of $150 Apple Watch bands this week.
Score: 15 Votes
jasonefmonk
19 weeks ago
This is pretty serious by the description. Holy ****.
Score: 15 Votes
contacos
19 weeks ago

iOS 14.7 is around the corner and will be released this week. I don't think Apple has to worry about it.

Android can't say much on their behalf.
What does that have to do with any of it? Changing the build number is not going to magically fix this exploit.
Score: 14 Votes
orthorim
19 weeks ago
Apple's only got itself to blame.

iMessage was a festering cesspit of vulnerability since they added all this nonsense, emojis, apps (!!!) - well adding apps and an app API to your messaging is a guaranteed way to open it up to all sorts of vulnerabilities

Apple has massive problems that are built into iOS and Mac OS, that are non-fixable:

- Video player with thousands of features and a multiple decades old codebase - this is going to have enough zero days for the next 100 years

- iMessages, wantonly compromised by features nobody is using, since they're all walled garden features relying on network effects, therefore all doomed to fail. There was no reason to do this. Just show the text. Add images. Done.

- FaceTime - likely has endless vulnerabilities as well, like QuickTime

And many others - there's so much stuff they're building that's a security disaster from the get go.

I have followed the "security related updates" for the past few iPhone updates, and it's pretty shocking, yet not surprising, as each one of these point updates fixes 10, 20, or even 30 zero day exploits.

Millions left to go.
Score: 12 Votes
