By Christopher Bing and Raphael Satter
WASHINGTON (Reuters) – A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.
The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique – known as a “zero-click” – shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.
“People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
Experts analyzing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
An exploit is computer code designed to leverage a set of specific software vulnerabilities, giving a hacker unauthorized access to data.
The analysts believed NSO and QuaDream’s exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple’s instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources.
Bill Marczak, a security researcher with digital watchdog Citizen Lab who has been studying both companies’ hacking tools, told Reuters that QuaDream’s zero-click capability seemed “on par” with NSO’s.
Reuters made repeated attempts to reach QuaDream for comment, sending messages to executives and business partners. A Reuters journalist last week visited QuaDream’s office, in the Tel Aviv suburb of Ramat Gan, but no one answered the door. Israeli lawyer Vibeke Dank, whose email was listed on QuaDream’s corporate registration form, also did not return repeated messages.
An Apple spokesman declined to comment on QuaDream or say what if any action they planned to take with regard to the company.
ForcedEntry is viewed as “one of the most technically sophisticated exploits” ever captured by security researchers.
So similar were the two versions of ForcedEntry that when Apple fixed the underlying flaws in September 2021 it rendered both NSO and QuaDream’s spy software ineffective, according to two people familiar with the matter.
In a written statement, an NSO spokeswoman said the company “did not cooperate” with QuaDream but that “the cyber intelligence industry continues to grow rapidly globally.”
Apple sued NSO Group over ForcedEntry in November, claiming that NSO had violated Apple’s user terms and services agreement. The case is still in its early stages.
In its lawsuit, Apple said that it “continuously and successfully fends off a variety of hacking attempts.” NSO has denied any wrongdoing.
Spyware companies have long argued they sell high-powered technology to help governments thwart national security threats. But human rights groups and journalists have repeatedly documented the use of spyware to attack civil society, undermine political opposition, and interfere with elections.
Apple notified thousands of ForcedEntry targets in November, making elected officials, journalists, and human rights workers around the world realize they had been placed under surveillance.
In Uganda, for example, NSO’s ForcedEntry was used to spy on U.S. diplomats, Reuters reported .
In addition to the Apple lawsuit, Meta’s WhatsApp is also litigating over the alleged abuse of its platform. In November, NSO was put on a trade blacklist by the U.S. Commerce Department over human rights concerns.
Unlike NSO, QuaDream has kept a lower profile despite serving some of the same government clients. The company has no website touting its business and employees have been told to keep any reference to their employer off social media, according to a person familiar with the company.
QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik, according to Israeli corporate records and two people familiar with the business. Reuters could not reach the three executives for comment.
Like NSO’s Pegasus spyware, QuaDream’s flagship product – called REIGN – could take control of a smartphone, scooping up instant messages from services such as WhatsApp, Telegram, and Signal, as well as emails, photos, texts and contacts, according to two product brochures from 2019 and 2020 which were reviewed by Reuters.
REIGN’s “Premium Collection” capabilities included the “real time call recordings”, “camera activation – front and back” and “microphone activation”, one brochure said.
Prices appeared to vary. One QuaDream system, which would have given customers the ability to launch 50 smartphone break-ins per year, was being offered for $2.2 million exclusive of maintenance costs, according to the 2019 brochure. Two people familiar with the software’s sales said the price for REIGN was typically higher.
Over the years, QuaDream and NSO Group employed some of the same engineering talent, according to three people familiar with the matter. Two of those sources said the companies did not collaborate on their iPhone hacks, coming up with their own ways to take advantage of vulnerabilities.
Several of QuaDream’s buyers have also overlapped with NSO’s, four of the sources said, including Saudi Arabia and Mexico – both of whom have been accused of misusing spy software to target political opponents.
One of QuaDream’s first clients was the Singaporean government, two of the sources said, and documentation reviewed by Reuters shows the company’s surveillance technology was pitched to the Indonesian government as well. Reuters couldn’t determine if Indonesia became a client.
Mexican, Singaporean, Indonesian and Saudi officials did not return messages seeking comment about QuaDream.
(Reporting by Christopher Bing and Raphael Satter in Washington. Joseph Menn in San Francisco, Nir Elias in Ramat Gan, Israel, Dan Williams in Jerusalem, and Michele Kambas in Nicosia, Cyprus contributed reporting. Editing by Chris Sanders and Edward Tobin)