How a Saudi Woman’s iPhone Exposed the World to Hacking | United States and world
By Joel Schectman and Christopher Bing
WASHINGTON (Reuters) – A single activist has helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies, which is now the subject of a cascade of lawsuits and scrutiny in Washington for new damaging allegations that its software was used to hack into government officials and dissidents. around the world.
It all started with a software problem on his iPhone.
An unusual error in NSO’s spyware has allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to uncover a wealth of evidence suggesting the Israeli spyware maker helped to hack into his iPhone, according to six people involved in the incident. A mysterious fake image file in his phone, mistakenly left behind by the spyware, alerted security researchers.
The discovery on al-Hathloul’s phone last year sparked a storm of legal and government action that put NSO on the defensive. How the hack was initially discovered is reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent female activists, is known for helping lead a campaign to end the ban on women driving in Saudi Arabia. She was released from prison in February 2021 for undermining national security.
Shortly after her release from prison, the activist received an email from Google warning her that state-backed hackers had tried to break into her Gmail account. Fearing that his iPhone had also been hacked, al-Hathloul contacted Canadian privacy rights group Citizen Lab and asked them to probe his device for evidence, three people close to al told Reuters. -Hathloul.
After six months of digging through his iPhone recordings, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted in his phone had left behind a copy of the malicious image file, rather than deleting itself, after stealing its target’s messages.
He said the discovery, the computer code left behind by the attack, provided direct evidence that NSO had built the spy tool.
“It was a game-changer,” Marczak said. “We caught something the company thought was elusive.”
The discovery amounted to a hacking plan and led Apple Inc to notify thousands of other state-backed hacking victims around the world, according to four people with direct knowledge of the incident.
Citizen Lab and al-Hathloul’s discovery formed the basis of Apple’s November 2021 lawsuit against NSO and it also reverberated in Washington, where US officials learned that NSO’s cyber weapon was being used to spy on American diplomats.
In recent years, the spyware industry has seen explosive growth as governments around the world purchase phone-hacking software that enables the kind of digital surveillance once the purview of a few elite intelligence agencies.
Over the past year, a series of revelations from journalists and activists, including the international journalism collaboration Pegasus Project, have linked the spyware industry to human rights abuses, fueling wider scrutiny insight from NSO and its peers.
But security researchers say al-Hathloul’s discovery was the first to provide a blueprint for a powerful new form of cyber espionage, a hacking tool that penetrates devices without any user interaction, providing proof the most concrete to date of the range of the weapon. .
In a statement, an NSO spokesperson said the company does not exploit the hacking tools it sells – “government, law enforcement and intelligence agencies do.” The spokesman did not respond to questions about the use of his software to target al-Hathloul or other activists.
But the spokesperson said the organizations making the claims were “political opponents of cyber intelligence” and suggested some of the claims were “contractually and technologically impossible”. The spokesperson declined to provide details, citing confidentiality agreements with customers.
Without giving details, the company said it had an established procedure to investigate alleged misuse of its products and that it had cut off customers over human rights concerns.
DISCOVER THE MAP
Al-Hathloul had good reason to be suspicious – it was not the first time she had been watched.
A 2019 Reuters investigation revealed that she had been targeted in 2017 by a team of American mercenaries monitoring dissidents on behalf of the United Arab Emirates under a secret program called Project Raven, which classified her as a “threat to national security” and hacked into his iPhone. .
She was arrested and imprisoned in Saudi Arabia for nearly three years, where her family say she was tortured and interrogated using information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence that NSO was involved in this earlier hack.
Al-Hathloul’s experience with surveillance and imprisonment made her determined to gather evidence that could be used against those wielding the tools, her sister Lina al-Hathloul said. “She feels she has a responsibility to continue this fight because she knows she can make a difference.”
The type of spyware that Citizen Lab discovered on al-Hathloul’s iPhone is known as zero-click, meaning the user can become infected without ever clicking on a malicious link.
Clickless malware typically deletes itself when it infects a user, leaving researchers and tech companies without a sample of the weapon to study. This can make it almost impossible to collect hard evidence of iPhone hacks, according to security researchers.
But this time it was different.
The software glitch left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual blueprint of the attack and evidence of who had built it.
“Here we had the crime scene casing,” he said.
Marczak and his team discovered that the spyware worked in part by sending image files to al-Hathloul via an invisible text message.
The image files tricked the iPhone into giving it access to all of its memory, bypassing security, and allowing installation of spyware that would steal a user’s messages.
The Citizen Lab discovery provided strong evidence that the cyberweapon was built by NSO, said Marczak, whose analysis was confirmed by researchers from Amnesty International and Apple, according to three people with direct knowledge of the situation.
The spyware found on al-Hathloul’s device contained code that showed it was communicating with Citizen Lab servers previously identified as controlled by NSO, Marczak said. Citizen Lab named this new iPhone hacking method “ForcedEntry”. The researchers then provided the sample to Apple last September.
Having a plan for the attack in hand enabled Apple to fix the critical vulnerability and led them to notify thousands of other iPhone users targeted by the NSO software, warning them that they had been targeted by ” state-sponsored attackers”.
It was the first time that Apple had taken this step.
While Apple determined the vast majority were targeted by NSO’s tool, security researchers also uncovered spyware from a second Israeli vendor, QuaDream, that exploited the same iPhone vulnerability. Reuters reported earlier this month. QuaDream did not respond to repeated requests for comment.
The victims ranged from dissidents critical of the Thai government to human rights activists in El Salvador.
Citing findings obtained from al-Hathloul’s phone, Apple sued NSO in November in federal court, alleging that the spyware maker violated US laws by creating products designed “to target, attack and harm people.” Apple users, Apple products and Apple”. Apple credited Citizen Lab with providing “technical information” used as evidence for the lawsuit, but did not disclose that it was originally obtained from al-Hathloul’s iPhone.
NSO said its tools have helped law enforcement and saved “thousands of lives”. The company said some of the allegations attributed to NSO software were not credible, but declined to elaborate on specific allegations citing confidentiality agreements with its customers.
Among those tipped off by Apple, at least nine US State Department employees in Uganda have been targeted by NSO software, according to people familiar with the matter, sparking a new wave of criticism against the company in Washington.
In November, the US Department of Commerce placed NSO on a trade blacklist, preventing US companies from selling the Israeli company’s software products, threatening its supply chain.
The Commerce Department said the action was based on evidence that NSO spyware was being used to target “journalists, businesspeople, activists, academics, and embassy workers.”
In December, Democratic Sen. Ron Wyden and 17 other lawmakers called on the Treasury Department to sanction NSO Group and three other foreign surveillance companies they say helped authoritarian governments commit human rights abuses. .
“When the public saw US government figures being hacked, it definitely moved the needle,” Wyden told Reuters in an interview, referring to the targeting of US officials in Uganda.
Lina al-Hathloul, Loujain’s sister, said financial blows to NSO might be the only thing that can deter the spyware industry. “It hit them where it hurts,” she said.
(Reporting by Joel Schectman and Christopher Bing; editing by Kieran Murray and Edward Tobin)