I’m honestly curious how conscientious security researchers justify selling these tools, knowing how likely it is that they’ll be used for applications like this one.
One of the interesting things about this story is how difficult it must be to instrument iOS devices to catch these 0-click exploits in action. Partly because Apple makes it difficult.
iMessage payloads are encrypted and can be individually encrypted to specific devices. There’s no documentation of or support for open clients that can receive or monitor incoming iMessage data, without major jailbreaks and hacks.
So it looks like the best Citizenlab can do is install a VPN on likely target devices and look for weird outgoing connection patterns, plus check logs for kernel panics. It’s like looking for evidence of dark matter based on its gravitational effect on things you can see.
The problem this time for NSO is that their infection process and exfiltration were visible in network logs. But they’re obviously going to get better at hiding this stuff in the future. Apple could really help make this easier for researchers.
You can follow @matthew_d_green.