The iPhone software flaw Israeli surveillance firm NSO Group used to develop Pegasus was exploited by a second company, QuaDream. It’s a smaller, lower-profile company in the same line of business, according to people familiar with the situation. This means there’s potentially a second Pegasus out there, ready to spy on vulnerable iPhones.
The Zero-Click ForcedEntry Exploit Used by Both
Both QuaDream and NSO Group used similar hacking techniques to break into the iPhone. The zero-click method, which will open up a device to snoopers even if the user doesn’t tap or click anything, shows how vulnerable our smartphones really are to digital spying tools, according to one expert.
Five people went to Reuters with details about QuaDream’s accomplishment. Also based in Israel like NSO Group, QuaDream apparently found the iOS and iPadOS flaw at about the same time as NSO Group.
The analysts say they think both exploits are similar, because both strike at the same vulnerabilities hidden within iMessage. Both hacks also use the same basic approach to inject malicious spying software on the devices, according to three of the sources.
If Your iPhone Is Up-to-Date, No Need to Worry About Second Pegasus
Since both exploits seem to target the same flaw, there’s some good news here. The patch Apple released in September 2021 plugs the hole in iMessage. That means that as long as your iPhone has the most current security updates, you’re safe from both spy firms.
That doesn’t mean we should let our guards down completely, though. Dave Aitel, one of the principals behind cybersecurity firm Cordyceps Systems, told Reuters, “People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not”.
Spyware companies claim they sell their technology to help governments deal with national security threats. The truth of the matter, though, is that human rights groups and journalists have documented the full impact of these exploits. Attackers commonly use them to undermine political opposition, interfere with elections, and even attack civil society.
The problems associated with these companies has gotten so severe that Apple notified thousands of ForcedEntry targets in November 2021. These included elected officials, journalists, and even human rights workers.