Luxembourg-linked firm NSO used zero-click hacking, study claims
Hackers can access Apple products without the user clicking on any links in a so-called "zero-click" attack, a new method which has reportedly been deployed by controversial Luxembourg-linked spyware company NSO Group, according to an investigation by researchers in Canada.
The US tech giant issued an urgent software update on Monday, after it was revealed that the hacking technique, known as Forcedentry, has been used since at least February this year, according to a report from researchers at the University of Toronto's CitizenLab.
Luxembourg-linked NSO Group's spyware Pegasus is reported to have used the method on behalf of clients, the researchers said.
CitizenLab analysed the device of a Saudi activist who wanted to stay anonymous, and found hackers can secretly access Apple iPhones, MacBooks and Apple Watches via iMessage.
In reaction to the report, Apple issued a urgent software update on Monday evening to close the loophole that would allow spyware to enter the phones through a "zero-click attack", meaning that it can invade phones and obtain data without the user needing to click anything.
After accessing the phone, the spyware can then record via camera and microphone and send messages and user details, including location, back to the Pegasus client using NSO software.
The technique leaves a bug on the devices that the researchers have only ever seen in connection with NSO. "We believe that the bug is distinctive enough to point back to NSO", CitizenLab, which revealed similar techniques in 2019 and 2020 using iMessage and WhatsApp, said on its website on Monday.
"NSO Group will continue to provide intelligence and law enforcement agencies around the world", NSO said in an email on Tuesday without addressing the allegations.
NSO Group was in the spotlight in July after a consortium of international media outlets revealed that numerous activists, journalists, lawyers and dissidents had allegedly been targeted by governments around the world using the spyware. At the time, NSO dismissed the allegations and issued a statement that they would stop responding to media inquiries.
NSO have repeatedly said that governments use its software to fight terrorism and serious crimes such as human trafficking and that they would take any allegation of misconduct seriously.
Whilst NSO Group is also Israel-based, in the wake of the media reports in July Luxembourg's Foreign Minister Jean Asselborn conceded that nine NSO entities were based in the country, after initially saying there were only two, and that Luxembourg would need to take action if a link was shown.
Asselborn sent letters in July to the companies saying the country strictly enforces all export control obligations and to remind them of their human rights duties.
An Amnesty International study from June, reported by the Luxembourg Times, revealed the shadowy structure of the spyware firm, with multiple entities present in the Grand Duchy.
Luxembourg-based Q Cyber Technologies "acts as a commercial distributor for the products of the Group companies, as such it signs contracts, issues invoices and receives payments from Group customers", NSO Group said in response to Amnesty's enquiries at the time. However, Luxembourg has said that it has never issued an export licence to the company.
Researchers at CitizenLab have previously alleged the software was used by Saudi Arabia to spy via WhatsApp on dissident Saudi Arabian journalist Jamal Khashoggi before his 2018 murder.
The Grand Duchy has also said it is not up to the country to investigate the Khashoggi link as it is an Israel-based firm. However, a company document dating back to 2019 described NSO Group as a "cyber-technology company headquartered in Luxembourg".