It’s the latest sign of NSO’s ongoing efforts to create spyware that penetrates iPhones without users taking any actions that allow it in. Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.
While it is unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, it did not surprise them. “It is their core business,” said Bill Marczak, a senior researcher at Citizen Lab.
“Despite Apple notifying targets, and the Commerce Department putting NSO on a blacklist, and the Israeli ministry cracking down on export licenses — which are all good steps and raising costs — NSO for the moment is absorbing those costs,” Marczak said.
Given the financial and legal fights NSO is involved in, Marczak said it was an open question how long NSO could keep finding or buying new exploits that are effective.
As NSO’s prominence has made it a symbol of government-level hacking, its repeated high-profile targeting has exposed it to researchers who are learning more of its tricks.
Working together and armed with new electronic evidence of attacks, Citizen Lab and Apple went back to old phones and found traces of other attack methods. That deeper knowledge will continue to grow, making future detections easier.
NSO spokesman Liron Bruck declined to say whether the company was behind the hacks or whether it had still more attacks that are equally effective. He faulted Citizen Lab for failing to disclose its underlying data.
“NSO adheres to strict regulation, and its technology is used by its governmental customers to fight terror and crime around the world,” Bruck said by email.
It was unclear how many people were hacked with the newly discovered methods, and Citizen Lab declined to identify the ones it knew about.
An Apple spokesman, who provided information on the condition that he not be named, said the threats affected “a very small number of our customers” and that it would continue to build more defenses into its products.
In one encouraging sign, some of the most recent attacks failed against users who had activated Apple’s recently introduced Lockdown Mode, which stops some communications from unknown callers and reduces the number of programs that are automatically invoked.
In an attack chain that used HomeKit — Apple’s framework for apps that control home lighting, temperature and other smart devices — iPhone users were warned that someone had tried to access the program but been blocked, researchers said.
Those warnings stopped showing up after a time, presumably because the attackers figured out a way to access the program without triggering the warning or because they abandoned the method.
Marczak urged other likely targets to use Lockdown Mode as well.
