Israeli surveillance-for-hire giant NSO Group reportedly deployed at least three new attacks last year targeting human rights workers and other members of civil society around the world who use Apple devices. All of those “zero-click” exploits, according to new research from The Citizen Lab, could give NSO access to a victim’s device without the target ever clicking a malicious link or interacting with the device at all. Though the new attacks highlight NSO’s continued effort to crack Apple products, there is a silver lining: Apple’s recently introduced “Lockdown Mode” appeared to successfully fend off some of the attacks.
The newly identified zero-click attacks affected an unknown number of targets using devices running iOS 15 or iOS 16, including at least two human rights defenders in Mexico. Two of the new exploits mentioned in the report targeted the iPhone’s Find My feature, while another exploited Apple’s HomeKit and iMessage functionality. The HomeKit exploit could reportedly work even if a target had never actually configured a “home.”
An Apple spokesperson said the exploits discovered by Citizen Lab only affected “a very small number of customers,” and that the company has rapidly issued patches to address the discovered vulnerabilities.
“We take any attack on our users extremely seriously and we continue to build more defenses into our products,” the Apple spokesperson told Gizmodo. “We are pleased to see that Lockdown Mode disrupted this sophisticated attack and alerted users immediately, even before the specific threat was known to Apple and security researchers.”
NSO bills itself as a crime-fighting tool used by law enforcement to combat terrorism but has garnered international criticism for its willingness to sell its notorious Pegasus spyware to authoritarian regimes, which include Bahrain, the United Arab Emirates, India, and Hungary to name just a few. The company, which some critics have derided as “amoral 21st-century mercenaries,” has reportedly sold software that’s been used to target journalists, human rights advocates, children, and even some political leaders.
NSO did not immediately respond to Gizmodo, but a spokesperson for the company told The Washington Post they believed Citizen Lab should disclose more of its data. The spokesperson didn’t address the issue of alleged spying on human rights workers.
“NSO adheres to strict regulation, and its technology is used by its governmental customers to fight terror and crime around the world,” the spokesperson said.
Apple’s Lockdown Mode worked
Apple released its Lockdown Mode last fall specifically as a tool to protect users against NSO-style invasive software attacks. When enabled, the mode blocks most types of message attachments, as well as incoming invitations and requests that the device’s user has not already initiated. Lockdown Mode, which Apple described as an “extreme, optional level of security for the very few,” was designed to act like a digital moat for journalists, diplomats, and other likely targets of coordinated malware attacks.
The new Citizen Lab research claims Lockdown Mode successfully blocked one of the three new NSO exploits. Users who had Lockdown Mode enabled reportedly received a notification on their phone saying the feature had blocked an attempt by an unknown party to access the device’s Home app. Citizen Lab researcher Bill Marczak told TechCrunch those successful blocks mark a huge win for the feature and for Apple, though it’s unclear how many users actually know to enable it in the first place.
“The fact that Lockdown Mode seems to have thwarted, and even notified targets of, a real-world zero-click attack shows that it is a powerful mitigation, and is a cause for great optimism,” Marczak said. “But, as with any optional feature, the devil is always in the details. How many people will opt to turn on Lockdown Mode? Will attackers simply move away from exploiting Apple apps and target third-party apps, which are harder for Lockdown Mode to secure?”
NSO, despite a worsening financial and political situation, nonetheless looks like it’s getting better at evading detection by researchers. Unlike previous versions of its Pegasus software, Citizen Lab says, the recently discovered exploits “more thoroughly remove data from various iPhone log files,” which the researchers interpret as an effort to evade detection and to hinder their understanding of how compromised devices were exploited.