A new report into the NSO Pegasus spyware scandal this week has revealed the whole operation was uncovered because of a single fake image file that was accidentally left on the phone of an activist.
From Reuters:
A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies now facing a cascade of legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.
It all started with a software glitch on her iPhone.
According to the report, Saudi activist Loujain al-Hathloul received an email from Google alerting her to an attempt to gain access to her Gmail account by state-sponsored hackers. In response, she gave her iPhone to the Canadian privacy group Citizen Lab, who scoured it for six months to try and find any other evidence of unwanted surveillance. This led to the discovery of a single fake image file accidentally left behind by surveillance malware that confirmed NSO was behind the spyware:
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left a copy of the malicious image file, rather than deleting itself, after stealing the messages of its target.
Marczak said the find was “a game changer”, and the report goes on to say its discovery “led to a hacking blueprint and led Apple Inc to notify thousands of other state-backed hacking victims around the world.” In more detail:
The Citizen Lab discovery provided solid evidence the cyberweapon was built by NSO, said Marczak, whose analysis was confirmed by researchers from Amnesty International and Apple, according to three people with direct knowledge of the situation.
The spyware found on al-Hathloul’s device contained code that showed it was communicating with servers Citizen Lab previously identified as controlled by NSO, Marczak said. Citizen Lab named this new iPhone hacking method “ForcedEntry.” The researchers then provided the sample to Apple last September.
This blueprint meant Apple could not only fix the vulnerability but also alert thousands of iPhone users they had been targeted by state-sponsored attacks. Apple sued NSO in November in the U.S. over the incident. NSO group told Reuters in a statement that some organizations making the claims were political opponents of cyber intelligence and that some of the claims were “contractually and technologically impossible.”
You can read the full report here.
