Researchers at the University of Toronto’s Citizen Lab have discovered a hacking tool dubbed “Kismet” which can bypass the security on an iPhone by sending a message via iMessage that the victim does not need to click on. While the first confirmed uses of this malware were this summer, Citizen Lab claims that logs from compromised phones show the same or a similar zero-click, zero-day exploit in use as far back as October 2019.
The research shows that Kismet is in use by Israeli company NSO Group, and has been sold to unnamed clients who used it to spy on journalists working for Al Jazeera, although detections indicate that at least 25 countries may be using the software. According to Citizen Lab, NSO Group also provided its clients another piece of software called Pegasus, which was uploaded to the compromised phones. Once installed, it had the ability to track location, access passwords and stored credentials, record audio from the microphone including encrypted phone calls, and take pictures via the phone’s camera.
Citizen Lab noted that the vulnerability appears to have been fixed in Apple iOS 14, but reiterated that previous versions remain vulnerable. In a statement, an Apple spokesperson said “the attack described in the research was highly targeted by nation states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data.”
NSO Group said its products are for tackling “serious organized crime and counter-terrorism” and any evidence of a serious breach of its policies would be investigated, adding “we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on.”
This is not the first instance of NSO Group supplying exploits targeting the iPhone. A previous malware known as Karma, which employs the same zero-touch ability, was acquired by UAE Intelligence in 2016 via cybersecurity firm DarkMatter. NSO Group is also involved in litigation with Facebook over having supplied similar software that exploited WhatsApp.
The E-ISAC will continue to monitor this situation and provide relevant updates when necessary. If you have any questions or comments, please reach out to us at firstname.lastname@example.org or at 202-790-6000. Members and partners are encouraged to share information via the E-ISAC Watch at operations[@]eisac.com, posting appropriate information on the E-ISAC Portal, or calling 202-790-6000 (24/7).
- Canadian CERTs
- CRISP - Cyber Risk Info Sharing Program
- DHS - NICC, NCCIC, US-CERT, etc
- DOE Complex
- E-ISAC AOO Members
- E-ISAC Staff
- FBI, LE Fusion
- FERC - OEIS, etc
- International (other ISACs, CERTs)
- Other (inc. local/state commissions)
- Trade Organizations
- Watch Floor
- Admin, 01/13/2021