Invisible 'Kismet' iMessage exploit used to hack journalists' iPhones

A group of 37 journalists has fallen prey to an iMessage vulnerability, one that has existed for a year, enabling bad actors supposedly working for governments to spy on the journalists' activities.

A report from the University of Toronto's Citizen Lab claims to have uncovered an operation that took place during July and August of 2020, one conducted by government operatives. The campaign attacked 37 iPhones owned by journalists, producers, anchors, and executives at news-gathering organizations, with the main target being Al Jazeera.

The attacks used Pegasus spyware from NSO Group, specifically a vulnerability referred to as "Kismet." It is believed the vulnerability was an "invisible zero-click exploit in iMessage," and was a zero-day exploit against iOS 13.5.1 and possibly other releases.

Logs of compromised iPhones gathered by Citizen Lab indicate a number of NSO Group customers also used the same exploit between October and December 2019, suggesting it is one that wasn't detected or fixed for a considerable length of time.

The group were attacked by four Pegasus operators, including one known as "Monarchy" that was attributed to Saudi Arabia, while "Sneaky Kestrel" was thought to have performed attacks on behalf of the UAE.

It is likely that the operators were connected to the crown princes of the two countries, as a lawsuit from one Al Jazeera anchor blamed the pair for hacking her iPhone, and disseminating doctored photographs of the victim.

Once attacked, a target's iPhone would start to upload large amounts of data, sometimes totaling hundreds of megabytes, without the user's knowledge. It is thought the data that was being transferred included ambient audio recorded by the microphone, the content of encrypted phone calls, photographs taken by the camera, the device's location, and potentially any stored passwords or account credentials.

A statement from Apple seen by The Guardian calls the attacks "highly targeted by nation-states" against individuals. "We always urge customers to download the latest version of the software to protect themselves and their data," Apple added, though also advising it couldn't independently verify the analysis of Citizen Lab.

It seems that the attack vector doesn't work for iPhones updated to run iOS 14 or later, which may mean devices using the operating system are currently safe.