December 20, 2020 – In a report published today, researchers at the Citizen Lab reveal that four government operators used NSO Group’s “Pegasus” spyware to hack at least 36 phones belonging to journalists, producers, anchors and executives at the Al Jazeera news organization. The phone of a journalist at the London-based news organization Al Araby TV was also hacked. The incident was reported today by Al Jazeera journalist Tamer Almisshal, one of the victims, on his investigative program ما خفي أعظم (“what is hidden is greater”).
The Citizen Lab said the phone hacking was undertaken by four separate government operators, including Saudi Arabia and the United Arab Emirates (UAE). Al Jazeera is headquartered in Qatar, a country which has been involved in a series of lengthy and contentious diplomatic and political disputes with Saudi Arabia, the UAE, and other Gulf and Middle East countries.
Citizen Lab determined that the phones were compromised using an exploit chain that they call “KISMET,” which appears to involve an invisible zero-click exploit in iMessage. The researchers concluded that the zero-click exploit is effective against releases up to iOS 13.5.1 and could have been used to hack Apple’s then-latest iPhone 11. Citizen Lab has not seen any evidence that the exploits work against iOS 14, which includes new security protections. The Citizen Lab advises all iOS device owners to immediately update to iOS 14. The Citizen Lab disclosed their findings to Apple, which is currently investigating the issue.
Researchers at the Citizen Lab explain that this particular set of attacks is especially disturbing, as it shows more evidence that NSO Group appears to be shifting towards “zero-click” exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target and without leaving any visible traces for researchers to spot.
Citizen Lab senior researcher, Bill Marczak, who led the investigation, said: “The digital security practices of the targets and their organizations are of the highest order. But no amount of diligence can prevent a hack like this. The scary thing is that any journalist or dissident who catches the eye of some intelligence agency could get invisibly hacked and never notice anything at all.”
The Citizen Lab’s report also underlines how such targeting using these methods increases the likelihood of abuses. By employing ‘zero-click’ hacking methods, spyware companies are better able to obfuscate their activities, operate unimpeded in the global surveillance marketplace, and thus facilitate the continued abuse of human rights while evading public accountability.
Considering that NSO Group has a global customer base, Citizen Lab researchers believe the hacking operations reported today are only a minuscule fraction of the targeting that took place against iOS devices using the KISMET exploit.
Although NSO Group markets its surveillance technology as a tool used by government operators to investigate serious matters of public safety, the hacking of dozens of journalists, producers, and others at news organizations provides yet more evidence of how easily such technology can be abused in the absence of legal and other restraints.
In 2019, the U.N. Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression called for a global moratorium on the sale and transfer of this type of technology, “until rigorous human rights safeguards are put in place to regulate such practices and guarantee that governments and non-State actors use the tools in legitimate ways.”
The research for this report was undertaken as part of the Citizen Lab’s ongoing investigations into targeted digital espionage against global civil society, more details about which can be found here.
Title: The Great iPwn: Journalists Hacked with Suspected “Zero-Click” NSO Group Exploit
Authors: Bill Marczak, John Scott-Railton, Noura Aljizawi, Siena Anstis, Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto
Publication Date: Sunday December 20, 2020
URL: https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit
The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.