Journalists iPhones Hacked Thanks to No-Click iMessage Vulnerability


Apple’s iPhone 11, if running iOS 13, is a prime target.

We often think of iOS as the most secure mobile operating system. The iPhone has full-disk encryption, a Secure Enclave, and security so darn good it pisses off the FBI. The NSA has always argued against the FBI’s attempts to get a backdoor into all mobile devices, iPhones included. The surface reason was always that it would compromise all iPhones, including those of assets, politicians, and other high-risk targets. However, there was always an obvious reason under the surface. It was the older sibling telling the younger sibling to shut up about the cookies because they know damn well they took the last of the cookies last night.

The NSA has had a backdoor or two for a while. They simply must.

Most “backdoors” are simple. You intercept information that isn’t encrypted. One way to do this is a false 4G LTE base station (an IMSI catcher), which looks to your phone like a normal Verizon or AT&T tower but copies the traffic it relays; the caveat is that it only exposes what isn’t separately protected, so anything carried over TLS or an end-to-end encrypted messenger stays opaque to it. Another data extraction method is simply getting a warrant for the iCloud backups of a device. Those backups are encrypted on Apple’s servers, but with keys Apple holds, not keys only you control. In other words, if you back up your iPhone to iCloud, it’s fair game for law enforcement, because Apple can and will unlock your backups in response to a valid legal request.

Other exploits rarely enter the public domain, at least not until we hear a news story about them in use or Apple patches them. In iOS 13, there was a bug that let an attacker gain access to a target’s device just by sending it an iMessage. The victim didn’t have to tap on anything or even open the message. Scary, right?

Turns out the exploit was created by Israel’s NSO Group. According to Citizen Lab, operators it attributes to Saudi Arabia and the United Arab Emirates used that method to hack the iPhones of 36 journalists.

Who Hacked Whom?

Citizen Lab describes what the operators could do once Pegasus was installed: record ambient audio through the microphone, record encrypted phone calls, take pictures, track the device’s location, and access passwords and stored credentials.

It can sometimes be easy to see that a phone was hacked, but not who did it. After all, upon discovering a disheveled interior, you can quickly deduce that your home has been broken into, but it’s going to take some investigation to find out who did it. In a hack like this, though, the culprits are easier to figure out when you look at who was hacked. For this, we go to Citizen Lab, who investigated the hack.

“While reviewing his VPN logs, we noticed that on 19 July 2020, his phone visited a website that we had detected in our Internet scanning as an Installation Server for NSO Group’s Pegasus spyware, which is used in the process of infecting a target with Pegasus.”

– Citizen Lab on how Tamer Almisshal’s iPhone was hacked

According to Citizen Lab, 36 journalists at Al-Jazeera, a Qatari broadcaster, were hacked. The hack used NSO Group’s Pegasus spyware, delivered by what Citizen Lab calls the “KISMET” exploit chain. These were zero-day exploits, observed in use against iOS 13 in July 2020. The entry point is “zero-click.” The victim doesn’t have to interact with anything; they simply receive an iMessage, and the floodgates are open. It works because the code that parses incoming iMessage content ran with broad access to the device, so a malformed message that exploits a bug in that parser can run code well beyond the messaging app. Citizen Lab reports that the chain does not appear to work against iOS 14, which added new protections, but any device still running iOS 13 is potentially vulnerable.

Citizen Lab identified two of the four Pegasus operators involved. The first, nicknamed “Monarchy,” they attributed to Saudi Arabia. The second, nicknamed “Sneaky Kestrel,” was, according to Citizen Lab, from the United Arab Emirates (UAE). These were state-funded hacks. NSO Group claims it only sells to law enforcement and governments. While its tools can (and have) leaked from there, Citizen Lab attributes this attack to Saudi Arabia and the UAE with “medium” confidence. Both Saudi Arabia and the UAE have demanded that Qatar shut Al-Jazeera down before. Bahrain and Egypt joined them in that criticism, making them other potential suspects.

But Why?

“They threatened to make me the new Jamal Khashoggi.”

– Tamer Almisshal, Al-Jazeera

Jamal Khashoggi was a Saudi journalist living in the United States. He spoke out against hard-line Wahhabi traditions, stating that, “Women today should have the same rights as men. And all citizens should have the right to speak their minds without fear of imprisonment.” He reported on the “Arab Spring,” the name for a multi-year period of protest in the Arab world starting in 2010. His dedication to the truth and equality made him a target of regimes in the Middle East. He was frequently critical of the highly conservative views of Saudi Arabia’s royalty, specifically Crown Prince Mohammad bin Salman.

Evidence clearly points towards a premeditated assassination of Khashoggi, which involved drugging him, dismembering his body, and possibly suffocating him as he was incapacitated by the drugs.

Journalism is the enemy of authoritarians. Hitler called it the “Lügenpresse,” or “Lying Press.” Trump calls it “Fake News.” In Russia, the press is Putin’s own PR firm. People who demand loyalty, authority, and submission are offended when their lies are uncovered, their greed revealed, or their incompetence laid bare. Khashoggi spoke against conservative religious rule. Many Al-Jazeera journalists, though often not critical enough of extremism, also deride fascist theocratic rule. Rania Dridi, one of the hacking victims, said she believes she was targeted by both Saudi Arabia and the UAE because she discusses issues like women’s rights. A key tenet of these regimes, as of many far-right regimes, is the subjugation of women. Bringing international attention to human rights abuses can doom a country’s prospects for business deals and tourism.

Basically? Journalists hit these fascists with a one-two punch. First to their pride, then to their wallets. That makes the free press a target for any would-be despot.

What Lessons Can We Learn?

Release a weapon into the world, and eventually, the “bad guys” will get it. Of course, anyone looking to use it at all is likely some form of “bad guy.” Israel’s NSO Group created their Pegasus line of exploits exclusively “to tackle serious organized crime and counterterrorism only.” Instead, it ended up in the hands of people looking to silence the free press in other nations.

This is what all government-sponsored backdoors and exploits lead to, including those the FBI is demanding Apple make for them. No one is safe as long as we can’t guarantee everyone is safe.

There are some steps you can take to make your device more secure, though these techniques would not have stopped a zero-click exploit like this one. Use a long passcode, at least 11 digits. Don’t rely on Face ID, Touch ID, or other forms of biometric unlock, at least not without knowing how to disable them quickly. On an iPhone, hold the side (lock) button and either volume button for a couple of seconds: the power-off screen appears and biometrics stay disabled until the passcode is entered. Keep holding, or press the lock button five times rapidly (depending on your settings), and Emergency SOS starts a countdown with an alarm before calling emergency services. Turn off iCloud backup and any other cloud backups, and only create encrypted backups on your own machines. Finally, put all of your communication through end-to-end encryption. Use something like Proton Mail for email and Signal for text messages and video chat.
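For anyone managing phones for a newsroom rather than a single device, the settings above can be enforced instead of requested. The script below builds an iOS configuration profile (a `.mobileconfig`) that imposes a non-simple passcode of at least 11 characters, disables Face ID/Touch ID unlock, disables iCloud backup, and forces local backups to be encrypted. It is an added example, not something from the article or from Citizen Lab; the payload keys follow Apple’s Configuration Profile Reference as I understand it, and the `org.example.*` identifiers are placeholders you would replace with your own. It assumes the profile will be installed with Apple Configurator or an MDM.

```python
"""Build an iOS configuration profile (.mobileconfig) that enforces the
hardening steps discussed above: a long, non-simple passcode, no biometric
unlock, no iCloud backup, and encrypted local backups.

Added example, not from the original article or from Citizen Lab.
Payload keys follow Apple's Configuration Profile Reference; the
org.example.* identifiers are placeholders to replace with your own.
"""

import plistlib
import uuid
from typing import Any, Dict

ORG_PREFIX = "org.example.journalist-hardening"  # placeholder identifier prefix


def _payload(payload_type: str, name: str, settings: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a settings dict in the bookkeeping keys every payload needs."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **settings,
    }


def passcode_policy(min_length: int = 11) -> Dict[str, Any]:
    """Passcode payload: at least `min_length` characters, no simple
    (repeating or sequential) codes, no grace period, wipe after 10 failures."""
    return _payload("com.apple.mobiledevice.passwordpolicy", "Passcode", {
        "forcePIN": True,
        "allowSimple": False,
        "minLength": min_length,
        "maxGracePeriod": 0,       # passcode required immediately on lock
        "maxFailedAttempts": 10,   # device wipes after this many wrong codes
    })


def restrictions() -> Dict[str, Any]:
    """Restrictions payload: no Face ID/Touch ID unlock, no iCloud backup,
    and local (Finder/iTunes) backups must be encrypted."""
    return _payload("com.apple.applicationaccess", "Restrictions", {
        "allowFingerprintForUnlock": False,
        "allowCloudBackup": False,
        "forceEncryptedBackup": True,
    })


def build_profile() -> Dict[str, Any]:
    """Top-level profile wrapping both payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "High-risk user hardening",
        "PayloadDescription": "Long passcode, no biometrics, no iCloud backup, encrypted local backups.",
        "PayloadContent": [passcode_policy(), restrictions()],
    }


def profile_xml(profile: Dict[str, Any]) -> bytes:
    """Serialize to the XML plist form Apple Configurator and MDMs expect."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    with open("hardening.mobileconfig", "wb") as fh:
        fh.write(profile_xml(build_profile()))
```

The profile is unsigned; sign it before distribution so the device can show who issued it, and remember that a restrictions payload only takes full effect if the device accepts the profile, which on a personally owned phone still requires the user’s consent.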

Technology made to “catch bad guys” will always end up in the hands of bad guys. Your best way of protecting yourself? Speak out against laws that would make state sponsored backdoors like those the NSO Group found mandatory. Stand up for strong encryption. In the end, preventing governments from forcing these backdoors wide open is your best way to protect your device.
