The dreaded “zero-click” iOS vulnerability from NSO Group made headlines in 2021 as it attackers to gain access to an iOS-powered endpoint without the user’s involvement.
But it now seems NSO wasn’t the only company that managed to pull off what Google reseachers described as a “incredible and terrifying” hack, as Reuters claims that at approximately the same time, another (but lesser-known) Israeli-based company, QuaDream, achieved the same goal.
Researchers who analyzed the methodology of both companies have said they were very similar to one another, right down to the fact that once Apple patched up NSO’s vulnerability, it also rendered QuaDream’s one useless.
Zero-click iOS exploits
The NSO Group (an Israeli technology firm primarily known for its proprietary spyware) designed an attack mechanism “against which there is no defense,” as no mobile antivirus would be able to spot it.
Also known as a “zero-click” exploit, it’s just as it sounds – the victim doesn’t even need to click anything in order to be compromised, to have its data, or its identity, stolen. Basically, all it needs to do is receive an SMS message via Apple’s iMessage service.
The attack methodology itself is rather complex, and involves “fake” gifs, CoreGraphics PDF parsers, the JBIG2 codec, and an entirely “new” computer architecture that is “not as fast as Javascript, but it’s fundamentally computationally equivalent”.
The vulnerability is logged as CVE-2021-30860, and has been fixed on September 13, 2021 in iOS 14.8. Apparently, there’s also an Android version, but the researchers are yet to get a sample.
Once the cat was out of the bag, the US Government blacklisted NSO, claiming it develops tools used against civilians, something NSO not only denied, but further stated that it works to “support US national security interests and policies by preventing terrorism and crime.”
AWS also banned NSO, Apple filed a lawsuit, which was later backed by pretty much every notable tech company in the States.
NSO says the work wasn’t a team effort, and QuaDream could not be reached for comment.
