According to five people familiar with the situation, an Apple software defect identified by Israeli spy firm NSO Group to sneak into iPhones in 2021 was also exploited by a competitor.
QuaDream is a smaller and less well-known Israeli company that also creates smartphone hacking tools for government clients.
The two rival businesses achieved the same ability to remotely break into iPhones last year, meaning that both firms could compromise Apple phones without the owner needing to open a malicious link. One expert believes that the fact that two companies used the same sophisticated hacking technique, known as a “zero-click”, demonstrates that phones are more vulnerable to powerful digital espionage capabilities than the industry will disclose.
“People like to believe that they are safe, and phone companies want you to believe that you are safe. You aren’t, as we’ve discovered,” said Dave Aitel, a partner at cybersecurity firm Cordyceps Systems.
Experts who have been studying NSO Group and QuaDream intrusions since last year think the two organizations used software exploits known as ForcedEntry to break into iPhones.
An exploit is a piece of computer code that takes advantage of a set of specific software flaws to give a hacker unauthorized access to data.
According to three of the sources, the experts thought NSO and QuaDream’s attacks were similar since they exploited many of the same vulnerabilities deep within Apple’s instant messaging systems and utilized a similar approach to install malicious software on targeted devices.
QuaDream’s zero-click capability appeared “on par” with NSO’s, according to Bill Marczak, a security researcher with digital watchdog Citizen Lab who has been investigating both companies’ hacking tools.
Reporters attempted to contact QuaDream for comment on many occasions, sending messages to executives and business partners. QuaDream’s office in the Tel Aviv suburb of Ramat Gan was visited by journalists last week, but no one answered the door. Vibeke Dank, an Israeli lawyer whose email address was included on QuaDream’s corporation registration form, did not respond to repeated queries.
An Apple representative declined to comment on QuaDream or indicate what, if any, action the business might face.
ForcedEntry is considered by security researchers to be “one of the most technically complex exploits” ever discovered.
According to two people familiar with the situation, the two versions of ForcedEntry were so similar that when Apple addressed the underlying problems in September 2021, it rendered both NSO’s and QuaDream’s espionage software worthless.
In a written statement, an NSO representative said the organization “did not cooperate” with QuaDream, but that “the cyber intelligence market continues to grow fast globally.”
In November, Apple filed a lawsuit against NSO Group, alleging that it had broken Apple’s user terms and services agreement with ForcedEntry. The investigation is still ongoing.
In its lawsuit, Apple claims that it “continuously and successfully fends off a variety of hacking efforts”. NSO has denied any misconduct.
Spyware firms have long claimed that they sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have documented the use of spyware to attack civil society, discredit political opposition, and sabotage elections on numerous occasions.
In November, Apple contacted tens of thousands of ForcedEntry targets throughout the world, alerting elected officials, journalists, and human rights activists that they had been placed under surveillance.
According to reporters, NSO’s ForcedEntry was used to eavesdrop on US officials in Uganda.
In addition to the Apple case, Meta’s WhatsApp is involved in a legal battle over suspected platform abuse. The US Commerce Department placed NSO on a trade blacklist in November because of human rights concerns.
Despite serving some of the same government clients as NSO, QuaDream has kept a low profile. According to a source close to the organization, there is no website promoting its services, and staff have been warned not to mention their employer on social media.
REIGN
According to Israeli company records and two persons acquainted with the business, QuaDream was created in 2016 by Ilan Dabelstein, a former Israeli military official, and two former NSO personnel, Guy Geva and Nimrod Reznik. The three executives could not be reached for comment by reporters.
According to two product brochures from 2019 and 2020 that were reviewed, QuaDream’s flagship product, called REIGN, could take control of a smartphone, scooping up instant messages from services like WhatsApp, Telegram, and Signal, as well as emails, photos, texts, and contacts, similar to NSO’s Pegasus spyware.
According to one brochure, REIGN’s “Premium Collection” capabilities included “real-time call records,” “camera activation – front and back,” and “microphone activation.”
Prices appeared to vary. According to the 2019 brochure, one QuaDream system, which would have given customers the power to launch 50 smartphone break-ins per year, was being offered for $2.2 million, exclusive of maintenance charges. REIGN is often more expensive, according to two people familiar with the software’s sales.
According to three persons familiar with the situation, QuaDream and NSO Group employed some of the same engineering personnel over the years. According to two of those insiders, the corporations did not coordinate on their iPhone hacks, instead devising their own methods to exploit flaws.
According to four sources, several of QuaDream’s buyers overlapped with NSO’s, including Saudi Arabia and Mexico, both of which have been accused of misusing espionage software to target political opponents.
Two of the people claimed the Singaporean government was one of QuaDream’s initial clients, and documents reviewed by reporters suggest the company’s surveillance technology was also marketed to the Indonesian government. Reporters were unable to determine whether Indonesia had become a client.
Officials from Mexico, Singapore, Indonesia, and Saudi Arabia did not respond to inquiries requesting comment on QuaDream.