Second Israeli firm accused of undermining iPhones, like NSO Group

As if recent revelations about NSO Group weren’t bad enough, yet another Israeli firm — QuaDream — has now been accused of using the same hack to undermine iPhone security.

QuaDream also used the hack, Reuters claims

A Reuters report has the details:

• QuaDream made use of the same flaw to commit similar attacks against iPhones.
• The company is smaller than NSO Group, but also sells smartphone hacking tools to governments.
• Both companies used the same highly sophisticated “zero-click” ForcedEntry attack, which enabled them to remotely break into iPhones without an owner needing to click a malicious link.
• Once deployed, attackers using the software could access messages, intercept calls, and use the device as a remote listening device. They also gained access to the camera and more.
• Apple closed this vulnerability in September 2021.
• It is believed NSO Group software was used to target the family of murdered Saudi journalist Jamal Khashoggi.

The news follows the revelation that the FBI also obtained NSO’s Pegasus spyware, but claims it did not use it. That  also follows another recent claim that NSO Group offered “bags of cash” in exchange for access to US cellular networks via the SS7 network.

Apple’s response so far

While we don’t know if Apple is aware of the actions of QuaDream, how it responded to the NSO Group attack may be instructional. Apple closed the ForcedEntry vulnerability soon after it was revealed. The company later filed a lawsuit against NSO Group saying the Israeli firm violated Apple’s terms of use.

Apple pulled no punches in its suit, which said:

“Defendants are notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”

Ivan Krstić, head of Apple Security Engineering and Architecture, said:

“Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users fromabusivestate-sponsored actorslike NSO Group.”

With that promise in mind, it’s easy to imagine Apple will now litigate against QuaDream for its abuse of the same vulnerability.

What these attacks are for

These attacks aren’t cheap. Reuters cites prices of $2 million and above for access to them. That expense implies most users needn’t worry at this time, particularly as Apple has now patched this vulnerability.

Sadly, this does not mean criminal and state-sponsored hackers won’t abuse other so-far-unknown ways to break into your digital lives. (They may be doing so already.)

For now, Apple is warning users it identifies as having been hit by these hacks. Some of those affected include Israeli citizens, US diplomats, journalists, dissidents, and opposition leaders in nations around the world.

“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors,” said Ron Deibert, director of the Citizen Lab at the University of Toronto.

NSO Group and an Israeli firm called Candiru have now been banned in the US. We don’t know if QuaDream will be added to that list, but there are many other firms that also should be constrained.

What you can do

The problem with attacks of this kind is that they are highly sophisticated, highly targeted, and, by their nature, hard to spot. They use unknown vulnerabilities to break into a device, and then try to take control of those devices. Until the attack is identified, security researchers and platform providers remain unaware that a flaw exists, so they cannot protect against it.

This is why Apple is contributing $10 million to support security research and (I imagine) will probably increase that investment moving forward.

Since the NSO Group attack was disclosed, Apple now provides threat notifications. So if it spots activity it sees as consistent with a state-sponsored attack, it will send the user who has been attacked an email, an iMessage, and a notification on that person’s Apple ID page.

When it comes to general security tips, Apple’s current advice is to:

• Update devices to the latest software, which include the latest security fixes.
• Protect devices with a passcode.
• Use two-factor authentication and a strong password for Apple ID.
• Install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

It is important to note that any move to permit side-loading of apps on Apple’s platforms will undermine this security and make it easier for groups such as NSO Group or QuaDream to break into your iPhone.

Finally, if you think your device has been affected, one (not at all ideal) solution might be to return your device to factory settings and make use of a temporary SIM and a backup Apple ID pending review of your original files.

Stay safe out there.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.