Security researchers from Citizen Lab have discovered that an iPhone spying tool, Pegasus, was found on the devices of high-ranking UK officials. The victims of the attack include people from the Ministry of Foreign Affairs, but also from the Prime Minister’s Office.
All of this has been happening over the last two years, when Pegasus has been found on many devices of politicians, journalists, activists, and business people from all over the world – so this information is not so surprising.
What is new is that a forensic analysis of the attack on British officials has now revealed a hitherto unknown vector of attacks on iOS devices. It is a zero-click zero-day failure that allows the attacker to send a message to the victim – and then their spyware is created on the victim’s phone without the need for the user to click on a link or interact with any other malicious message. The attack was also discovered on the devices of Catalan activists, who were attacked at the end of 2019.
6/ WILD: while doing #Pegasus forensics, at the 11th hour on this project, @billmarczak actually discovered another NSO iOS Zero-Click 0day!
We call it #Homage
We think it stopped working by 13.2 so if you are updated, you're likely OK.
We notified @apple. pic.twitter.com/cedwp20pVb
— John Scott-Railton (@jsrailton) April 18, 2022
This new flaw, called HOMAGE, has been proven to be successful on iOS versions older than 13.2, so it is possible that it has been patched with this version of the operating system. However, Citizen Lab reported its discovery to Apple.
When it comes to the attackers, it is possible that the HOMAGE omission was used by the governments of Jordan, the United Arab Emirates, India, and Cyprus, but also Spain, when it comes to hacking the phones of activists for the independence of Catalonia.
The manufacturer of Pegasus, the Israeli NSO, does not reveal to whom it made all its spyware available.
WHAT CAN PEGASUS DO?
Pegasus spyware can be populated on Android or (more often) iOS, by sending an infected link via SMS, WhatsApp, iMessage, and some other undetected vulnerabilities. Once a user clicks on a link (or not, in the case of a “zero-click” attack), this spyware can collect almost all important data from a mobile phone: messages, emails, photos, videos, correspondence, calendar, and phonebook entries, as well as location data. In addition, it can secretly activate the camera and microphone. Everything collected is able to pass on to the attackers.
Pegasus has been around since at least 2016 and has evolved over time to make it harder and harder to detect. The latest versions are even installed only in the working memory of the device, so turning off the phone disappears every trace of it.
The method of installation has also evolved, so it can now be installed on a mobile phone wirelessly, via a compromised WiFi network, if the target is found near it. Apple has updated and patched iOS several times since the advent of Pegasus, so it is unknown at this time whether it can spy on fully updated devices with the latest iOS.
The last patch against Pegasus was applied in September last year in iOS on 14.8.
READ MORE:
- You can now iCloud Lock your AirPods
- New details about the iPhone 14 and iPhone 14 Pro
- The iPhone 14 series could come with satellite connectivity options in an emergency
- Significant improvements are coming in iOS 16
- Could the iPhone 15 arrive with a periscope camera?
- The iPhone 14 series could come with satellite connectivity options in an emergency