Powerful iPhone hack targets dozens of journalists, report says

State-backed attackers reportedly used spyware from NSO Group to hack iPhones belonging to Al Jazeera journalists.

Carrie Mihalcik, Laura Hautala

Dozens of Al Jazeera journalists had their iPhones hacked this summer by state-backed attackers who targeted a flaw in iMessage, according to a report published Sunday by The Citizen Lab. The phones were reportedly hacked using advanced spyware from Israeli company NSO Group. The targets could be hacked without having to click on a malicious link from their devices.

Citizen Lab, an academic research lab based at the University of Toronto, said the phones were compromised using an "invisible zero-click exploit in iMessage" that was present in at least iOS 13.5.1. The group said it worked with Al Jazeera and found a total of 36 personal iPhones were hacked, including those belonging to anchors and executives. 

The journalists were hacked by four operators using spyware from NSO Group, according to Citizen Lab, which concluded with "medium confidence" that two attackers were working on behalf of the Saudi Arabian and UAE governments. NSO Group is an Israel-based firm that makes hacking tools for government clients, and is part of a larger industry that helps government entities access their targets' phones, computers and other devices. The hacking tools are supposed to help law enforcement and counter-terrorism efforts, but critics say the industry as a whole is prone to helping authoritarian governments hack the devices of dissidents and journalists.

NSO Group has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon CEO Jeff Bezos. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year. Journalists and activists from Mexico and Qatar have also sued the company for providing tools that hacked their devices. A Citizen Lab report from January said a New York Times journalist writing about a Saudi dissident received a link containing an NSO Group hacking tool on his phone in 2018.

NSO Group pushed back on the most recent Citizen Lab report in a statement on Monday, saying the group made assumptions to support its own agenda. 

"This memo is based, once again, on speculation and lacks any evidence supporting a connection to NSO," said an NSO spokesperson in an emailed statement. "NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, and as stated in the past we do not operate them."

The attack reportedly doesn't work against iOS 14, which was released in September and includes new security protections. Apple said it hasn't been able to independently verify Citizen Lab's research, but noted that attacks developed by NSO Group generally aren't targeted at average iPhone customers. 

"At Apple, our teams work tirelessly to strengthen the security of our users' data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks," said an Apple spokesperson in an emailed statement. "The attack described in the research was highly targeted by nation-states against specific individuals."