NSO Group returns with triple clickless iOS 15/16 spyware attack


No matter what the President of the United States, Joseph R. Biden Jr., has said, NSO Group is still here: the privatized spying service produced zero-click exploits against iOS 15 and iOS 16 last year, according to the latest report from Citizen Lab.

The report also suggests that Lockdown Mode is effective against such attacks.

A trio of exploits, used in complex ways

The report reflects what Citizen Lab learned while investigating attacks against Mexican human rights defenders. The researchers conclude that NSO Group, dubbed "mercenary hackers" by Apple, extensively used at least three zero-click exploits against Apple's iPhone operating systems to attack civil society targets around the world. NSO Group is the infamous company behind the Pegasus tool used to spy on people.

The use of these surveillance tools in Mexico is problematic, given the country's long history of human rights violations, which extends to extrajudicial killings and enforced disappearances.

Citizen Lab says the exploits were used against human rights defenders representing the families of 43 kidnapped students, and at least one person appears to have been targeted with NSO Group spyware on numerous occasions, according to the report.

The investigation identifies three attacks, dubbed "PWNYOURHOME", "FINDMYPW", and "LATENTIMAGE". It also appears that NSO Group is using increasingly complex attack mechanisms in its attempts to subvert civil society targets around the world.

For example, PWNYOURHOME was a two-stage zero-click exploit in which each stage targeted a different process on the iPhone. The first stage was aimed at HomeKit; the second targeted iMessage. The security researchers shared their findings with Apple, and the company released critical HomeKit security improvements in iOS 16.3.1.

Mercenaries want to hide

Lockdown Mode seems to provide quite effective protection against such vulnerabilities. Citizen Lab says that devices in this mode initially received warnings when the PWNYOURHOME exploit was used against them, although this is no longer the case, illustrating the ongoing cat-and-mouse battle between platform providers and wealthy mercenary groups.

The researchers warn:

"We continue to observe what we interpret as concerted efforts by NSO Group to evade detection by the methods deployed by investigators. For example, unlike previous versions of Pegasus, versions due for release in 2022 appear to more completely remove data from various iPhone log files, in an apparent attempt to prevent researchers from understanding the nature of the vulnerabilities they exploit to compromise phones, and to escape detection."

What to do to protect yourself

It is worrying, but perhaps not surprising, that NSO Group and other surveillance service providers continue to use their exploits against human rights defenders. It is also worrying that the group is moving to multi-stage attacks.

In response, Citizen Lab encourages developers to think more deeply about device security and "treat all surfaces accessible through a single identifier as a single surface." In technology, just as in the real world, no one is safe until everyone is safe.

Another recommendation is to continue hardening devices, making them harder to track and even more difficult for attackers to run arbitrary code on. "We strongly recommend all at-risk users to enable Lockdown Mode on their Apple devices. Although there is some cost to using the feature, we believe the cost may be offset by the increased costs incurred by attackers," Citizen Lab said.

Amoral mercenary hackers like NSO Group remain a major threat to businesses and civil society wherever their tools are used. The troubling fact about these exploits is that the tools eventually become available on the dark web, and once they do, they threaten all users. NSO Group is not unique. Israel appears to have spawned several of these groups, including the more secretive QuaDream, which came to light last week.

It is also a fact that Apple works very hard to protect users against these types of attacks. An Apple spokesperson promised: "Our security teams around the world will continue to work tirelessly to advance Lockdown Mode and strengthen security and privacy protections in iOS."

With that in mind, the most appropriate course of action is to make sure that you and your coworkers install all security patches from Apple as soon as they are available.

If you are a high-risk person who feels susceptible to attack, you should use Lockdown Mode, as the cost and consequences of an attack can far outweigh the inconvenience. After all, the danger of such attacks is that data extracted from people's devices can be abused, used to create unfair commercial advantage, and even result in loss of life.

It is an industry that needs to be brought under control.

Follow me on Mastodon or join me at AppleHolic's bar & grill and Apple discussion groups on MeWe.

Copyright © 2023 IDG Communications, Inc.