A logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir, Tuesday, Aug. 24, 2021.

Cybersecurity expert: Israeli spyware company NSO Group poses ‘a serious threat to phone users’

John Scott-Railton, a senior researcher with The Citizen Lab in Canada who discovered the Apple iPhone breach with his colleagues, joined The World’s host Carol Hills to talk about the international spyware marketplace that fosters these kinds of exploits.

The World

A massive security flaw was discovered in Apple’s iPhone this week — and it’s a biggie. The phones could be broken into without the user doing anything to trigger the hack. Without even a click, your information could be at risk.

That news left iPhone users scrambling to update their devices. It was security researchers at the The Citizen Lab at University of Toronto who realized that spyware from an Israeli cybersurveillance company known as NSO Group was behind it.

Related: Security flaw exposed in Germany, followed by criminal investigation

Apple quickly released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.

Citizen Lab researchers said the security issue was exploited to plant spyware on a Saudi activist’s iPhone. 

The previously unknown vulnerability affected all major Apple devices — iPhones, Macs and Apple Watches, the researchers said. NSO Group responded with a one-sentence statement saying it will continue providing tools for fighting “terror and crime.”

Related: Biden and Putin both place a ‘high priority’ on cybersecurity

It was the first time a so-called “zero-click” exploit — one that doesn’t require users to click on suspect links or open infected files — has been caught and analyzed, the researchers said. They found the malicious code on Sept. 7, and immediately alerted Apple. The targeted activist asked to remain anonymous, they said.

John Scott-Railton, a senior researcher with The Citizen Lab in Canada who discovered the breach with his colleagues, joined The World’s host Carol Hills to talk about the international spyware marketplace that fosters these kinds of exploits. 

Related: US agencies hacked in monthslong global cyberspying campaign

Carol Hills: John, how exactly did you and Citizen Lab discover the vulnerability in the iPhone software? 
John Scott-Railton: So, we were looking at the telephone of a Saudi activist and that phone was infected with a sophisticated piece of spyware. The spyware was made by an Israeli cybersecurity firm and mercenary hacking company called NSO Group. And NSO Group claims that it sells spyware to governments so they can track criminals. However, for the past five years, their spyware keeps showing up in cases where activists, journalists and human rights defenders are being hacked.
Were you able to figure out who had used that spyware? Had a government, bought it, like the Saudi government? 
So at this time, we’re not attributing the spyware to a particular NSO customer. What happened last week is that we were examining a backup that we had collected back in March of this activist’s phone. We discovered some suspicious files and it turned out that those files, although they appeared to be GIFs, were actually malware and exploit payload. And what they would do is turn that phone into a spy in the activist’s pocket. As soon as we spotted those files, we had a sense that we knew what we were looking at. We then shared them with Apple. And in less than a week, Apple moved to quickly figure out the vulnerability and push out an update to all Apple devices.
Will you eventually be able to figure out who was behind putting that in the Saudi activist phone?
One of the things that’s important to realize here is that this is a spyware and an industry that is built around concealing itself from attribution and as a result, hiding from accountability. And it’s cases like this that highlight both how seriously companies like Apple take the threat to their bottom line, but also the extent to which the industry needs to be exposed and needs to be called out and needs to be responded to. Now, some people have said, well, should I be concerned? I’m not a dissident. I’ve never criticized an autocrat. And the truth is, with respect to exploits, they may be used by a small number of people in the first year. But after that, who knows? Exploits have a bad habit of being used by an ever-widening circle of bad actors until they’re being used by cybercriminal groups to target people just like you or me.
Now, has Apple’s response been effective? Will what they issued for people to fix this really work?
Apple has moved quickly to close the specific exploit that NSO was using in this case. But the spyware industry is built around always having some exploits in reserve. And so, while this particular technique for gaining access to people’s phones is gone, NSO itself remains a serious threat to phone users.
Will NSO Group suffer any penalties?
NSO is certainly forging ahead to make more spyware. They are doing their best to hire former administration officials in the US, and otherwise slosh their money around in an effort to keep their business going and growing. It’s pretty clear that the tech sector is fed up with NSO Group at this point, and I think a lot of people are now looking to the government for some kind of help. And it’s an interesting coincidence that yesterday, in an indictment the Department of Justice released against three Americans, former intelligence community members, helping the UAE government build hacking capabilities, the Department of Justice explicitly called out the international spyware marketplace and pointed out that that unregulated marketplace is causing global harm. 
That’s an interesting case about these three former intelligence and military officials. How did that case move to a point where they could be charged? 
Well, this is a really interesting case. So a couple of years ago, Reuters reported on the existence of something called Project Raven, which, in a nutshell, was a group of former US intelligence and military officials who had gone to the United Arab Emirates and were helping them stand up a hacking capability. At the time, it was a scandal, but it pointed to something deeper, which is, there is a marketplace for former intelligence operatives to go and sell the contents of their brains to other regimes and to help those regimes leapfrog into the ability to hack at a nation-state level. This was obviously a really concerning case and if you read the charge documents, it seems pretty clear that what was going on is these people were giving the UAE things that they had learned and things which the US government alleges were protected by export regulations. What’s interesting about that case is that it is a tip of the iceberg in terms of the marketplace of former officials turning around and monetizing the knowledge that they gained protecting the US. The harm that those people are causing is very concrete. In the case of Project Raven, the targets included activists and dissidents, but also US citizens.
And my final question has to be, you know, there’s about a billion-plus people with iPhones. Should all of us go and find the update? 
Everyone should update. And you should update for a couple of reasons. First, there is no way to protect yourself against this kind of spyware, short of doing your updates. But secondarily, we really have to send a message to players like NSO Group: “It’s not OK to find this kind of thing and turn it into a tool to be used to target dissidents and truth-tellers,” even though you may not think of yourself as the kind of person that an autocrat is going to be interested in. Think about what you’re doing as increasing our group immunity against shady companies like NSO Group. 

This interview has been edited and condensed for clarity. AP contributed to this report. 

Less than .05% of listeners will donate. Can we count on you?

Our coverage reaches millions each week, but only a small fraction of listeners contribute to sustain our program. We still need 224 more people to donate $100 or $10/monthly to unlock our $67,000 match. Will you help us get there today?