WASHINGTON, (Reuters) – A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.
The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique – known as a “zero-click” – shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.
“People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
Experts analyzing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
An exploit is computer code designed to leverage a set of specific software vulnerabilities, giving a hacker unauthorized access to data.
The analysts believed NSO and QuaDream’s exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple’s instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources. read more…