Cybersecurity analysts are urgingusers to immediately update the software of their phones, computers and watches after the company issued an emergency security patch on Monday to prevent hackers from gaining access to the devices without the users knowing.
In a new report, researchers at the University of Toronto's Citizen Lab said the NSO Group, an Israeli spyware company, used what is known as a "zero-click exploit" to access the phone of an unnamed Saudi activist. Researchers at Citizen Lab called the exploit "Forcedentry'' and said it has been in use since February. They also revealed that the NSO Group's flagship "Pegasus" spyware program was used to infect the activist's device.
"Whereas typical cyberattacks require a user to engage with a malicious piece of content - such as clicking on a rogue link - zero click exploits do not require any sort of interaction with devices' owners themselves," Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, told CBS News. "This means it is virtually impossible for individuals to know if they have been compromised or not," she added.
The NSO Group is well known in the cyber world and was previously funded and operated as a U.S company but later returned to Israel. Hackers have been able to install the Pegasus spyware on the target's device using zero-click exploits by either sending a message or calling the phone.
"Once installed, Pegasus allows for a variety of controls that can siphon data or activate processes, such as the camera or microphone, on iOS or Android devices," Jerry Ray, COO of the cyber firm SecureAge, told CBS News. Ray said the main difference between this exploit from the NSO Group and previous ones is the access pathway. In this instance it was a text sent via iMessage whereas previous attempts involved placing phone calls.
"Considering all of the apps that could potentially pose a weakness that could be exploited by actors like NSO Group, this could be just another decimal point update among the countless ones to come," Ray said.
Citizen Lab describes the NSO Group as a "prolific" seller of spying technology to governments around the world and says its products, including Pegasus, have regularly linked to surveillance abuses. In 2019, Citizen Lab helped WhatsApp discover a breach where at least 1,400 phones were targeted through missed voice calls. More recently, Citizen Lab said the Pegasus spyware was used to hack 36 personal phones of journalists, producers, anchors, and executives at Al Jazeera.
In a short statement to CBS News, the NSO Group said it will "continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime."
But cyber security analysts who spoke with CBS News disagreed with the framing from the NSO Group.
"Although the company says that its spyware is only available for use by licensed law enforcement groups to target terrorists and criminals, numerous questions have been raised about the veracity of this statement," Plaggemier said. "This has to serve as a huge wake-up call for device manufacturers and technology providers as a whole. Zero click threats are here and are here to stay," she added.
Apple, which offered an update to patch the security issue on Monday, credited Citizen Lab for helping the company quickly tackle the issue.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," Ivan Krstić, Apple's head of Security Engineering and Architecture said in a statement. "While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data," he added.
Earlier this year, Apple revealed that there are more than one billion active iPhones and more than 1.6 billion Apple devices in active use overall. While Apple says the recent vulnerability is unlikely to impact the majority of its customers, cyber security analysts say the breach is nonetheless highly cornering.
"Apple intentionally tried to prevent Pegasus from working in iOS14, and the malware still successfully exploited vulnerabilities in the software," Caroline Wong, chief strategy officer at cybersecurity firm Cobalt, told CBS News. "The breadth of this vulnerability is alarming," she added.