iPhone flaw exploited by second Israeli spyware firm

QuaDream used same method as rival NSO to remotely break into phones, say sources

WASHINGTON • A flaw in Apple's software exploited by Israeli surveillance firm NSO Group to break into iPhones last year was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller and lower-profile Israeli firm that also develops smartphone hacking tools intended for government clients.
The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link.
That two firms employed the same sophisticated hacking technique, known as a "zero-click", shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.
"People want to believe they're secure, and phone companies want you to believe they're secure. What we've learnt is, they're not," said Mr Dave Aitel, a partner at Cordyceps Systems, a cyber-security firm.
Experts analysing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
An exploit is computer code designed to leverage a set of software vulnerabilities, giving a hacker unauthorised access to data.
The analysts believed that NSO's and QuaDream's exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple's instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources.
Mr Bill Marczak, a security researcher with digital watchdog Citizen Lab who has been studying both firms' hacking tools, said QuaDream's zero-click capability seemed on a par with NSO's.
Reuters made repeated attempts to reach QuaDream for comment, sending messages to executives and business partners. A Reuters journalist last week visited its office but no one answered the door.
Israeli lawyer Vibeke Dank, whose e-mail address was listed on QuaDream's corporate registration form, also did not return repeated messages.
An Apple spokesman declined to comment on QuaDream or to say what action, if any, the company planned to take with regard to QuaDream.
ForcedEntry is viewed as "one of the most technically sophisticated exploits" ever captured by security researchers.
So similar were the two versions of ForcedEntry that when Apple fixed the underlying flaws last September, it rendered both NSO's and QuaDream's spy software ineffective, according to two people familiar with the matter.
In a written statement, an NSO spokesman said the firm "did not cooperate" with QuaDream but "the cyber intelligence industry continues to grow rapidly globally".
Apple sued NSO over ForcedEntry in November, claiming its user terms and services agreement had been violated.
In its lawsuit, which is still in its early stages, Apple said it "continuously and successfully fends off a variety of hacking attempts".
NSO has denied any wrongdoing.
Spyware companies have long argued that they sell high-powered technology to help governments thwart national security threats.
But human rights groups and journalists have repeatedly documented the use of spyware to attack civil society, undermine political opposition, and interfere with elections.
Apple notified thousands of ForcedEntry targets in November, making elected officials, journalists, and human rights workers around the world realise they had been placed under surveillance.
In Uganda, for example, NSO's ForcedEntry was used to spy on United States diplomats, Reuters reported.
In addition to the Apple lawsuit, Meta's WhatsApp is also going to court over the alleged abuse of its platform. In November, NSO was put on a trade blacklist by the US Commerce Department over human rights concerns.
Unlike NSO, QuaDream has kept a lower profile despite serving some of the same government clients. The company has no website touting its business and employees have been told to keep any reference to their employer off social media, according to a person familiar with the company.
QuaDream was founded in 2016 by former Israeli military official Ilan Dabelstein and former NSO employees Guy Geva and Nimrod Reznik, according to Israeli corporate records and two people familiar with the business.
Like NSO's Pegasus spyware, QuaDream's flagship product - called Reign - could take control of a smartphone, scooping up instant messages from services such as WhatsApp, Telegram, and Signal, as well as e-mail messages, photos, texts and contacts, according to two product brochures from 2019 and 2020 which were reviewed by Reuters.
Reign's "premium collection" capabilities included real-time call recordings, camera activation (front and back) and microphone activation, one brochure said.
Prices appeared to vary. One QuaDream system, which would have given customers the ability to launch 50 smartphone break-ins a year, was being offered for US$2.2 million (S$3 million) exclusive of maintenance costs, according to a 2019 brochure.
REUTERS