Cyber Arms Dealer Caught Using Three iOS Zero-Day Flaws to Spy on Dissidents


Apple has released a security update to iOS today, responding to three previously unknown zero-day exploits. These vulnerabilities were exploited by an Israeli outfit NSO Group that sells "cyber arms" to governments. In this case, the million dollar exploits were used to target a prominent human rights activist in the United Arab Emirates.

Ahmed Mansoor, a human rights activist from the UAE has long been a victim of government hackers. From FinFisher's highly sophisticated spyware products to Hacking Team's Remote Control System, Mansoor has become the face of cyber espionage victims. In the latest of such surveillance attempts, on August 10 Mansoor received a text message that claimed to share "new secrets" about detainees tortured in the UAE jails. This message was then followed by a link.

Since he has already had experience with government hackers, instead of clicking on the link, Mansoor sent the message to researchers at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. The link was later discovered to be a sophisticated piece of spyware that exploited three unknown zero day vulnerabilities in iOS. These exploits would have allowed hackers to get full control of Mansoor's iPhone, including his phone's camera and microphone. Researchers said that NSO Group's software can read text messages and emails, track calls and contacts, record sounds, and trace the location of the user.

Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Apple fixes three zero-day flaws worth one million dollars

Investigators reported that this is the first time anyone has uncovered an attack that has leveraged three unknown zero-days in the iPhone. Calling the attack Trident, researchers from the Citizen Lab and mobile security company Lookout said that the attack was one of the most sophisticated pieces of cyberespionage software ever seen. Using iOS vulnerabilities, Trident had the ability to remote jailbreak Mansoor's iPhone 6, installing spyware on his phone.

The Trident Exploit Chain:

CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution

CVE-2016-4655: An application may be able to disclose kernel memory

CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

The research on the attack led the team to NSO Group's Pegasus spyware, which is sold exclusively to government agencies making it a "legal spyware suite," hinting that this attack was also designed for a government agency. NSO Group is an Israel-based organization that was acquired by U.S. company Francisco Partners Management in 2010. According to reports, NSO specializes in "cyber war" and is basically a cyber arms dealer.

After the researchers alerted Apple of these exploits, the company immediately worked to fix them and the patch has been released today with iOS 9.3.5. Apple often sends regular maintenance and security updates to its iOS mobile operating system. However, today's release of iOS 9.3.5 is a highly recommended update as it fixes three zero-day vulnerabilities - said to be worth as much as one million dollars!

iPhone or iOS, nothing is secure when it comes to the money and technology that governments have access to. Today's report only confirms that. "The people that we see being targeted by these texts today - dissidents, activists - these are kind of the people on the frontlines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine," Citizen Lab's Bill Marczak said.