Apple urged iPhone owners Thursday to update their devices after security researchers revealed how foreign hackers used previously unknown vulnerabilities to target a well-known human rights activist.
The update to Apple’s mobile operating system, iOS 9.3.5, fixes three significant security flaws that, when correctly leveraged together, allow an attacker to access and intercept all data going in and out of a targeted device.
Apple learned of the iPhone bugs only days earlier upon being contacted by researchers from the University of Toronto’s Citizen Lab and Lookout, a San Francisco-based mobile security firm. Citizen Lab became aware of the vulnerabilities earlier that week after being approached by Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates who has been targeted by government hackers twice before.
On August 10 and 11, Mr. Mansoor received text messages on his iPhone instructing him to click a web link containing details about “New secrets about torture of Emiratis in state prisons.” He forwarded the messages to Citizen Lab, which in turn identified the link as being hosted on the same domain believed to be used by an Israel-based spyware company, NSO Group.
Citizen Lab clicked the link using a factory-reset iPhone 5 running the same operating system as the activist, then “watched as unknown software was remotely implanted on our phone,” the researchers said in a blog post Thursday. After Citizen Lab contacted security experts at Lookout, the researchers together determined that Mr. Mansoor had been targeted using a series of previously undisclosed security vulnerabilities that aimed to turn his phone “into a digital spy in his pocket.”
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Lookout’s vice president of research, Mike Murray, told Motherboard.
“It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram — you name it,” he added.
The researchers named the exploit chain “Trident,” and said its code contained references to “Pegasus,” spyware that Citizen Lab has previously attributed to the NSO Group. Mr. Murray described the recently discovered suite as “one of the most sophisticated pieces of cyberespionage software” his company has ever seen.
Citizen Lab called the discovery a “rare find,” and noted that a security firm last year paid one million dollars to acquire the means of exploiting iPhone vulnerabilities.
“The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting,” Citizen Lab speculated.
Apple announced last month that it will be launching a “bug bounty” program to compensate researchers who identify these sorts of vulnerabilities, but the initiative doesn’t officially get off the ground until next month. The researchers who brought the latest vulnerabilities to Apple’s attention had planned to donate their award money to charity, Citizen Lab said through its Twitter account Thursday.
NSO Group did not return requests for comment when contacted by Motherboard prior to the publication of Thursday’s article. In 2014, the Wall Street Journal reported that the Israeli cyber firm had attempted to sell its spyware to agencies in both Mexico and the United States, though its actual list of clientele is not publicly known.
• Andrew Blake can be reached at ablake@washingtontimes.com.