Journalists Fall Victim to Zero-Day Vulnerability in iMessage

According to a report by ZDNet, over 36 journalists, anchors, executives, and producers for Al Jazeera have been found to be the latest victims of a zero-day vulnerability on iOS that requires zero user interaction.

The news was broken by Citizen Lab — a research group out of the University of Toronto focusing on cyber-security and human rights abuse.

The same research group also named a journalist for London’s Al Araby TV as another victim of this exploit, which uses a zero-day vulnerability within the iMessage app to gain access to a victim’s iPhone.

Citizen Lab has identified this zero-day vulnerability as being part of an exploit chain named Kismet that was developed by veteran spyware manufacturer NSO Group and sold (oh yes, they are worth quite a lot) to a total of four buyers, two of whom trace back to Saudi Arabia and the United Arab Emirates respectively.

Al Jazeera is a global news network based out of Qatar, and strained relations between Qatar and its neighbours have been floated as a possible motive for the attack.

The team at Citizen Lab discovered that the vulnerability was being used to hack into the iPhones of Al Jazeera employees all over the world as far back as October 2019.

At the time, the zero-day exploit could be used to gain access to iPhones running iOS 13.5.1. However, Apple patched the vulnerability with iOS 14.

NSO Group has (predictably) denied any involvement in the matter, with a spokesperson for the company on December 20 labeling Citizen Lab’s report as “speculation” with no real evidence “supporting a connection to NSO”.

Apple, on the other hand, has been made aware of the findings and has already launched an investigation into them.