A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to hack iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter. QuaDream, the sources said, is a smaller, low-profile Israeli company that also develops smartphone hacking tools aimed at government customers.
The two rival companies gained the same ability last year to remotely hack iPhone devices, according to the five sources, meaning both companies can compromise Apple phones without an owner needing to open a malicious link. The fact that two companies employ the same sophisticated hacking technique – known as “zero-click” – shows that phones are more vulnerable to powerful digital spying tools than the industry admits, one expert said.
“People want to believe they’re safe, and phone companies want you to believe they’re safe. What we’ve learned is that they’re not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
Experts who have analyzed hacks designed by the NSO Group and QuaDream since last year believe that the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
An exploit is computer code designed to leverage a set of specific software vulnerabilities, giving a hacker unauthorized access to data.
Analysts believed the NSO and QuaDream exploits were similar because they took advantage of many of the same vulnerabilities hidden deep within Apple’s instant messaging platform and used a comparable approach to deploying malicious software to targeted devices, according to three of the sources.
Bill Marczak, a security researcher at digital surveillance agency Citizen Lab who studies the hacking tools of both companies, told Reuters that QuaDream’s zero-click capability appeared “comparable” to NSO’s.
Reuters has made repeated attempts to contact QuaDream for comment, sending messages to executives and business partners. A Reuters journalist last week visited the QuaDream office in the Tel Aviv suburb of Ramat Gan, but no one answered the door. Israeli lawyer Vibeke Dank, whose email address was listed on QuaDream’s corporate registration form, also did not return repeated messages.
An Apple spokesperson declined to comment on QuaDream or say if there is any action they plan to take on the company.
ForcedEntry is seen as “one of the most technically sophisticated exploits” ever caught by security researchers.
The two versions of ForcedEntry were so similar that when Apple patched the underlying flaws in September 2021, it rendered the NSO and QuaDream spy software ineffective, according to two people familiar with the matter.
In a written statement, an NSO spokeswoman said the company “did not cooperate” with QuaDream, but that “the cyber intelligence industry continues to grow rapidly globally.”
Apple sued the NSO Group over ForcedEntry in November, alleging that the NSO had violated Apple’s User Terms and Services Agreement. The case is still in its early stages.
In its lawsuit, Apple said it “continuously and successfully defends a variety of hacking attempts.” The NSO denied any wrongdoing.
Spyware companies have long argued that they sell high-powered technology to help governments thwart national security threats. But human rights groups and journalists have repeatedly documented the use of spyware to attack civil society, undermine political opposition and interfere in elections.
Apple notified thousands of ForcedEntry targets in November, making elected officials, journalists and human rights advocates around the world realize they had been placed under surveillance.
In Uganda, for example, the NSO’s ForcedEntry was used to spy on American diplomats, Reuters reported.
In addition to Apple’s lawsuit, Meta’s WhatsApp is also litigating over the alleged abuse of its platform. In November, NSO was placed on a US Commerce Department trade blacklist on human rights grounds.
Unlike NSO, QuaDream has kept a lower profile, despite serving some of the same government customers. The company does not have a website advertising its business and employees have been instructed to keep any references to the employer off social media, according to a person familiar with the company.
REIGN
QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military officer, and two former NSO employees, Guy Geva and Nimrod Reznik, according to Israeli corporate records and two people familiar with the business. Reuters was unable to contact the three executives for comment.
Like NSO’s Pegasus spyware, QuaDream’s flagship product – called REIGN – could take control of a smartphone, collecting instant messages from services like WhatsApp, Telegram and Signal, as well as emails, photos, texts and contacts, from according to two 2019 and 2020 product brochures that were reviewed by Reuters.
REIGN’s “Premium Collection” features included “real-time call recordings”, “camera activation – front and back” and “microphone activation”, a brochure said.
Prices seemed to vary. A QuaDream system, which would give customers the ability to launch 50 smartphone break-ins a year, was being offered for $2.2 million (approximately Rs. 16 crore) with no maintenance costs, according to the 2019 brochure. people familiar with the software’s sales said that REIGN’s price was typically higher.
Over the years, QuaDream and the NSO Group have employed some of the same engineering talent, according to three people familiar with the matter. Two of those sources said the companies didn’t collaborate on their iPhone hacks, creating their own ways to take advantage of the vulnerabilities.
Several of QuaDream’s buyers also overlapped with NSOs, four of the sources said, including Saudi Arabia and Mexico — both of whom are accused of using spy software to attack political opponents.
One of QuaDream’s first customers was the government of Singapore, two of the sources said, and documentation reviewed by Reuters shows that the company’s surveillance technology was also released to the Indonesian government. Reuters was unable to determine whether Indonesia became a customer.
Mexican, Singaporean, Indonesian and Saudi officials did not return messages seeking comment on QuaDream.
© Thomson Reuters 2021