Exclusive iPhone bugs exploited by Israeli second source spy sources Reuters

By Christopher Bing and Raphael Satter

WASHINGTON (Reuters) – In 2021, a software bug by Apple (NASDAQ:), which was exploited by the Israeli surveillance company NSO Group to access iPhones, was also abused by a competing company, according to five people familiar with the matter.

QuaDream, sources say, is a smaller, smaller Israeli company that develops phone hacking tools for government customers.

The two business rivals achieved the same ability last year to remotely access iPhones, according to five sources, meaning that both companies could put Apple phones at risk without an owner having to open a malicious link. The fact that both companies use the same sophisticated hacking technique – known as “zero-click” – shows that their phones are weaker than powerful digital espionage tools than the industry will accept, an expert said.

“People want to believe that they are safe, and phone companies want to make you believe that they are safe. What we’ve learned is that they’re not safe,” said Dave Aitel, a partner in a cybersecurity company at Cordyceps Systems.

Experts investigating intrusions by NSO Group and QuaDream last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.

An exploitation is a computer code designed to take advantage of a set of specific software vulnerabilities, giving a hacker unauthorized access to data.

Analysts believed that the exploitation of NSO and QuaDream was similar in that they took advantage of many of the vulnerabilities hidden within Apple’s instant messaging platform and used a similar way to plant malicious software on target devices, according to three sources.

Bill Marczak, a security researcher at Citizen Lab who has been investigating the hacking tools of two companies, said that QuaDream’s ability to zero click was unmatched by the NSO.

Reuters repeatedly tried to solicit comments from QuaDream by sending messages to executives and business partners. A Reuters reporter visited QuaDream’s office in Tel Aviv’s Ramat Gan district last week, but no one answered the door. Israeli lawyer Vibeke Dank, whose email appeared on QuaDream’s corporate registration form, also did not return the message repeatedly.

An Apple spokesman declined to comment on QuaDream or any action they wanted to take about the company.

ForcedEntry is seen as “one of the most technically sophisticated” security researchers have ever achieved.

So similar were the two versions of ForcedEntry that when Apple fixed the underlying bugs in September 2021, the NSO and QuaDream spy software was ineffective, according to two people who knew the subject.

In a statement, an NSO spokesman said the company “did not cooperate” with QuaDream, but that “the cyber-intelligence industry continues to grow rapidly around the world.”

Apple sued the NSO Group over ForcedEntry in November, alleging that the NSO had violated Apple’s terms of service and service agreements. The case is still in its infancy.

In its lawsuit, Apple said it “is constantly and successfully turning away from various hacking attempts.” The NSO has denied any wrongdoing.

Spyware companies have long argued that they sell high-powered technology to help governments thwart national security threats. But human rights groups and journalists have repeatedly documented the use of spyware to attack civil society, weaken political opposition, and obstruct elections.

Apple announced thousands of goals for ForedEntry in November, and noted that they have been targeted by elected officials, journalists and human rights workers around the world.

In Uganda, for example, the NSO’s ForcedEntry was used to spy on U.S. diplomats, Reuters reported.

In addition to the Apple lawsuit, Meta’s WhatsApp is also being sued for alleged abuse of its platform. In November, the US Department of Commerce was blacklisted by the U.S. Department of Commerce for human rights concerns.

Unlike the NSO, QuaDream has maintained a lower profile despite serving some of the same government clients. The company does not have a website that shows its business and employees have been told to keep any references about the company off social media, according to a person who knows the company.

KINGDOM

QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military officer, and Guy Geva and Nimrod Reznik, two former NSO employees, according to Israeli company records and two people who know the business. Reuters was unable to reach out to the three directors for comment.

Similar to NSO’s Pegasus spyware, QuaDream’s flagship product – called REIGN – can take control of a smartphone by receiving instant messages from services like WhatsApp, Telegram and Signal, as well as emails, photos, text and contacts, according to the product’s two brochures. Reuters reviewed 2019 and 2020.

REIGN’s “Premium Collection” capabilities include “real-time call recordings”, “camera activation – front and rear” and “microphone activation” in a booklet.

Prices varied. According to the 2019 brochure, a QuaDream system that would give customers the ability to launch a breakdown of 50 smartphones a year was offered for $ 2.2 million, excluding maintenance costs. Two people who are familiar with software sales said the price of REIGN was usually higher.

Over the years, QuaDream and the NSO Group have employed some of the same engineering talents, according to three friends who know the subject. Two of these sources said that the company did not collaborate on their iPhone hacks, they invented their own ways to take advantage of the weaknesses.

Several QuaDream buyers have also clashed with the NSO, four sources said, including Saudi Arabia and Mexico – both of whom have been accused of misusing spyware by political opponents.

One of QuaDream’s first customers was the Singapore government, two sources said, and documentation from Reuters shows that the company’s surveillance technology was also introduced to the Indonesian government. Reuters was unable to determine whether Indonesia had become a customer.

Officials in Mexico, Singapore, Indonesia and Saudi Arabia did not return any messages requesting comments on QuaDream.