More surveillance, spyware makers could be exploiting zero-click iPhone flaws as NSO’s Pegasus

Earlier today, a Reuters report claimed that QuaDream, a small Israeli firm, also built spyware and targeted surveillance tools for iPhones that were sold for $2.2 million for hacking 50 phones in one year. Interestingly, the tool that this barely-known company built – called Reign – were also based on the same software exploit that the Israeli NSO Group’s notorious spyware, Pegasus, used.

QuaDream is reported to have largely operated in shadows and in a lower profile, even as it allegedly served a very similar clientele as the NSO Group. The firm was set-up by two ex-NSO Group employees, and an ex-member of the Israeli military.

According to sources that Reuters spoke to, QuaDream’s Reign offers similar services as NSO’s Pegasus, and deployed an iOS vulnerability that was reported by The Citizen Lab of the University of Toronto, Canada. Called ‘ForcedEntry’, this vulnerability used flaws in Apple’s messaging tool – iMessage – to hack into any intended iOS smartphone without requiring any user action.

Such hacks are among the most sophisticated in the world today, and are commonly referred to as ‘zero-click’ hacks – meaning that they do not need any clicks to be made by a user to fall prey to it.

Once it gains access, such tools can accelerate their privilege of accessing information within a device. It is this that the NSO Group has been alleged to have exploited with Pegasus, which it has also reportedly sold to governments around the world to fulfil their technology-driven surveillance requirements.

With QuaDream coming to light, it appears that NSO was far from the only firm that may have exploited the vulnerabilities brought forth by ForcedEntry. The latter, in turn, is also not the only exploit of its kind.

To be sure, a September 2021 report by The Citizen Lab highlights previous zero-click exploits that the NSO Group itself has exploited, and what they represent for the future of tech-driven surveillance serving governments around the world. “Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organisations,” the report added.