This serious iPhone security flaw was exploited by a second Israeli spy firm
Zero-click exploit could have affected millions of iPhones
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The dreaded“zero-click” iOS vulnerability from NSO Groupmade headlines in 2021 as it attackers to gain access to an iOS-poweredendpointwithout the user’s involvement.
But it now seems NSO wasn’t the only company that managed to pull off whatGooglereseachers described as a “incredible and terrifying” hack, asReutersclaims that at approximately the same time, another (but lesser-known) Israeli-based company, QuaDream, achieved the same goal.
Researchers who analyzed the methodology of both companies have said they were very similar to one another, right down to the fact that onceApplepatched up NSO’s vulnerability, it also rendered QuaDream’s one useless.
Zero-click iOS exploits
The NSO Group (an Israeli technology firm primarily known for its proprietary spyware) designed an attack mechanism “against which there is no defense," as no mobile antivirus would be able to spot it.
Also known as a “zero-click” exploit, it’s just as it sounds - the victim doesn’t even need to click anything in order to be compromised, to have its data, or itsidentity, stolen. Basically, all it needs to do is receive an SMS message via Apple’s iMessage service.
The attack methodology itself is rather complex, and involves “fake” gifs, CoreGraphics PDF parsers, the JBIG2 codec, and an entirely “new” computer architecture that is “not as fast as Javascript, but it’s fundamentally computationally equivalent”.
More cyberattacks come from China than the rest of the world combined, FBI head claims>WhatsApp spyware lawsuit receives boost after NSO Group no-show>Apple sues NSO Group over spyware claims
The vulnerability is logged as CVE-2021-30860, and has been fixed on September 13, 2021 in iOS 14.8. Apparently, there’s also an Android version, but the researchers are yet to get a sample.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Once the cat was out of the bag, the US Government blacklisted NSO, claiming it develops tools used against civilians, something NSO not only denied, but further stated that it works to “support US national security interests and policies by preventing terrorism and crime.”
AWS also banned NSO, Apple filed a lawsuit, which was later backed by pretty much every notable tech company in the States.
NSO says the work wasn’t a team effort, and QuaDream could not be reached for comment.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)
