Zero-click iMessage zero-day used to hack the iPhones of 36 journalists

Three dozen journalists had their iPhones hacked in July and August using what at the time was an iMessage zero-day exploit that didn’t require the victims to take any action to be infected, researchers said.

The exploit and the payload it installed were developed and sold by NSO Group, according to a report published Sunday by Citizen Lab, a group at the University of Toronto that researches and exposes hacks on dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire over the past few years for selling its products to groups and governments with poor human rights records. NSO has disputed some of the conclusions in the Citizen Lab report.

The attacks infected the targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking pictures, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers weren’t aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.

More successful, more covert

Over the past few years, NSO exploits have increasingly required no user interaction—such as visiting a malicious website or installing a malicious app—to work. One reason these so-called zero-click attacks are effective is that they have a much higher chance of success, since they can strike targets even when victims have considerable training in preventing such attacks.

In 2019, Facebook alleges, attackers exploited a vulnerability in the company’s WhatsApp messenger to target 1,400 iPhones and Android devices with Pegasus. Both Facebook and outside researchers said the exploit worked simply by placing a call to a targeted device. The user need not have answered the call, and once the device was infected, the attackers could clear any logs showing that a call attempt had been made.

Another key benefit of zero-click exploits is that they’re much harder for researchers to track afterward.

“The current trend towards…