A forensic analysis by Amnesty International found a type of military-grade spyware was used to successfully break into journalists’ iPhones, apparently by sending iMessages that didn’t even need to be clicked.
The spyware is made by Israeli company NSO Group, a private firm that sells advanced hacking tools to clients including governments.
Amnesty International published a forensic methodology report of how it analyzed targets’ phones to discover whether they had been compromised by Pegasus.
The organization found evidence of “zero-click” iMessage attacks being targeted at journalists going back to 2018, with alarming implications for iPhone security. Zero-click attacks don’t require any interaction from the victim to break into a phone.
Amnesty said it analyzed a fully updated iPhone 12 belonging to an Indian journalist which showed signs of “successful compromise” following a zero-click attack as recently as June 16, 2021.
“These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS,” the report warns.
Bill Marczak, a research fellow at the University of Toronto’s digital surveillance specialists Citizen Lab, said on Twitter the lab likewise found evidence of zero-click message attacks being used to break into the latest iPhones.
Marczak said some of the zero-click attacks exploited Apple’s ImageIO, which allows Apple devices to read and display images.
Amnesty also found evidence of a zero-click attack targeted at an Azerbaijani journalist in 2020 involving Apple Music. Amnesty said its analysis couldn’t ascertain whether Apple Music was used to infect the phone, or if the exploit began with a different app.
Amnesty said it reported its findings to Apple, which said it would investigate the matter.
The organization said NSO Group clients had previously relied on attacks that would send a malicious link to a victim, whose device would become infected once they click on it.
Apple said in a statement that the iPhone remains one of the safest consumer devices.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple security engineering chief Ivan Krstić said in a statement, adding that Apple prioritized security updates and that the majority of users were not at risk.
NSO Group said its software is used to fight terrorism and crime. It also said once it sells its products to customers, it does not operate them and has no insight into how they’re deployed. It was not immediately available for comment when contacted by Insider.
NSO Group has been accused previously of facilitating hacks on journalists.