The Zero-Click Exploitation

Earlier this year, during July and August 2020, the media corporation Al Jazeera was subject to an attack on 36 devices carried out by government operatives using NSO Group’s Pegasus spyware. The targets are understood to have been the personal phones of Al Jazeera journalists, producers, anchors and executives, along with one belonging to an Al Araby TV journalist. The breach used an exploit chain, now known as KISMET, which delivered an invisible zero-click exploit to the personal devices via iMessage.

NSO Group’s Pegasus spyware is a market-leading surveillance product that lets its users remotely exploit and monitor mobile devices. NSO’s customers are predominantly government organizations around the world seeking surveillance capabilities against groups such as Al Jazeera. NSO’s products have attracted controversy in the past, in many cases over surveillance abuses.

In a similar investigation that uncovered the logs of other compromised phones back in October and December 2019, NSO Group customers were able to carry out a similar zero-click, zero-day exploit using KISMET.

It was reported that the government adversaries were four Pegasus operators, one of which, known as ‘MONARCHY’, is largely associated with Saudi Arabia, and another, known as ‘SNEAKY KESTREL’, is tied to the UAE.

What iOS 13.5.1 & iPhone 11 users should know

Although this zero-day, zero-click attack was carried out in extraordinary circumstances, iPhone users should be aware of their exposure to similar device breaches. Reports on the event suggest that similar hacks can be carried out against any Apple device running at least iOS 13.5.1, including the then-newest generation iPhone 11.

Experts at Citizen Lab believe that KISMET cannot operate against iOS 14 and above because of the enhanced security protections in Apple’s latest update, so their recommendation to any iPhone user is to update iOS to the most recent version.

NSO’s spyware is used by thousands of organizations worldwide; combined with this vulnerability, that likely means there have been many more exploits of this kind.

Despite Apple patching five of the six identified flaws, there is still an issue here for users. We reported back in August that hackers were able to gain full access to the victim’s iMessage database, which compromises the iOS sandbox and jeopardizes the files hosted there. Another concern is that code to exploit the vulnerabilities is publicly available and easily executed by amateur adversaries.

Our zero-click recommendations for iPhone users moving forward

The crucial advice we offer in this circumstance to any enterprise or consumer using iPhone products is to update their iOS software immediately. With this type of bug still in its infancy, it is not able to breach iOS 14 and above, so this should keep you secure for now.

If you’re a Wandera customer, we recommend you log in to RADAR, go to Security, then Threat View, and click Outdated OS for full visibility of the users who are at risk of this type of hack.
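The Outdated OS view is a console report; the same check can be run over any device inventory export. The script below is an added example, not Wandera’s or Citizen Lab’s code: it flags devices whose iOS version is below 14 (the boundary Citizen Lab gives for KISMET) using numeric version comparison rather than string comparison. The device records are constructed for illustration and the `MIN_SAFE_IOS` threshold is the only value taken from the article.

```python
"""Flag devices still exposed to KISMET-class iMessage exploits by iOS version.

Added example, not Wandera or Citizen Lab code. The inventory below is constructed;
the only fact taken from the article is Citizen Lab's assessment that KISMET does
not operate against iOS 14 and above.
"""
from typing import Iterable, List, NamedTuple, Tuple

MIN_SAFE_IOS = "14.0"  # threshold from the article: iOS 14 and above is not affected


class Device(NamedTuple):
    owner: str
    model: str
    ios_version: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '13.5.1' into (13, 5, 1) so comparisons are numeric.

    Plain string comparison is the classic bug here: '9.3.5' > '14.0' as text,
    because '9' sorts after '1'. Missing components count as zero, so
    '14' == '14.0' == '14.0.0'.
    """
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"not a numeric version component: {version!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_outdated(ios_version: str, minimum: str = MIN_SAFE_IOS) -> bool:
    """True if the device runs a version older than the minimum safe release."""
    return parse_version(ios_version) < parse_version(minimum)


def outdated_devices(inventory: Iterable[Device],
                     minimum: str = MIN_SAFE_IOS) -> List[Device]:
    """Return the devices below the minimum, sorted oldest OS first."""
    exposed = [d for d in inventory if is_outdated(d.ios_version, minimum)]
    return sorted(exposed, key=lambda d: parse_version(d.ios_version))


# Constructed sample inventory, roughly the shape of an MDM export.
SAMPLE_INVENTORY = [
    Device("anchor-01", "iPhone 11", "13.5.1"),
    Device("producer-02", "iPhone 11 Pro", "14.0.1"),
    Device("exec-03", "iPhone XS", "13.6"),
    Device("journalist-04", "iPhone SE", "9.3.5"),
    Device("journalist-05", "iPhone 12", "14.2"),
]

if __name__ == "__main__":
    for d in outdated_devices(SAMPLE_INVENTORY):
        print(f"{d.owner:14} {d.model:14} iOS {d.ios_version}  -> update required")
```

Run against the constructed inventory, the three devices on iOS 9.3.5, 13.5.1 and 13.6 are reported and the two on iOS 14.x are not. The point of `parse_version` is that a naive `ios_version < "14.0"` string comparison would pass the 9.3.5 device as up to date.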

Or if you’d like to learn more about how Wandera’s seamlessly transparent security solution can protect your environment, visit our product page or request a demo.