The biggest hack in iPhone history is now public knowledge with reports of the horrific attacks it made on individuals. And now — for the first time — we know it was not alone.
A shocking new report from Reuters has revealed a secretive company called QuaDream which has been hacking iPhones for more than five years, granting access to users’ microphones, cameras (front and back) and monitoring calls in real time.
Reuters says that QuaDream’s flagship product was called ‘REIGN’ and the company sold its hacks to the highest bidder. REIGN could take remote control of any iPhone without the users’ knowledge. It would then access emails, photos, texts, contacts and instant messages — even from end-to-end encrypted services like WhatsApp, Telegram and Signal.
The discovery mimics that of Israeli cyberarms firm NSO Group and its ‘Pegasus’ software, which had been successfully hacking iPhones since 2016 until it was exposed last year in news that sent shockwaves around the world.
Both NSO and QuaDream are believed to have employed similar hacking methods (known as ForcedEntry) and both were ‘zero click’ hacks. This means they work without the user needing to click a URL, usually sent via an unsolicited SMS or email, something users are increasingly educated about. In short, if targeted, there was no way to avoid either hack.
Despite their similarities, Reuters reports that NSO and QuaDream did not collaborate instead “coming up with their own ways to take advantage of [iPhone] vulnerabilities.” This is an eye-opening revelation, which raises questions over how many other companies may also have been operating similar hacks and staying out of the limelight. Something QuaDream did better than NSO.
“Unlike NSO, QuaDream has kept a lower profile,” reports Reuters. “The company has no website touting its business and employees have been told to keep any reference to their employer off social media, according to a person familiar with the company.”
Because REIGN uses an exploit method similar to Pegasus, it is believed the attack was nullified by a security patch Apple released in iOS 14.8. Despite this, Reuters reports that an Apple spokesman declined to comment on QuaDream and would not say what (if any) action it plans to take.
Speaking to Reuters, Dave Aitel of cybersecurity firm Cordyceps Systems issued a stark warning: “People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not.”