A botched hack attempt using a “sophisticated spyware package,” allegedly tailored by an Israeli group, on the iPhone of an Arab activist has triggered Apple to issue an “important” security update for its mobile operating system, iOS.
The attackers tried to lure Ahmed Mansoor, a United Arab Emirates (UAE)-based human rights activist, with text messages embedding a suspicious link to “secrets” about detainees tortured in Arab jails.
No stranger to his government’s crackdown, from imprisonment and travel bans to spying, Mansoor did not take the bait, but instead sent the message to the Canada-based security research group Citizen Lab.
“It was a wise move,” Citizen Lab said in a release. “Mansoor’s unfortunate experiences are the gift that won’t stop giving.”
Citizen Lab partnered with a team of security researchers from Lookout to look into what indeed appeared to be yet another attack on Mansoor’s digital communications. They believe it was UAE security agencies that attempted to bug Mansoor’s iPhone.
The two teams found that the perpetrators targeted three critical iOS zero-day vulnerabilities, which they dubbed “Trident.” Whoever was behind the order might have paid “hundreds of thousands of dollars” for each of the three zero-day exploits, Citizen Lab said, noting Apple’s “widely renowned” security that even the FBI could not crack without help.
“Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group,” researchers from Lookout said. “Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.”
Had Mansoor clicked on that link to the “secrets,” his iPhone would have been turned into a “sophisticated bugging device,” and UAE security agencies would have been able to turn on his iPhone’s camera and microphone and record him and everything around him.
“They would have been able to log his emails and calls — even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts,” Citizen Lab said.
The developer behind what the Lookout team called “the most sophisticated attack we’ve seen on any endpoint” is believed to be the Israel-based, US-owned NSO Group, which describes itself as a “cyber war” company.
It is known to have participated in a similar attack on a Mexican journalist who reported on corruption by Mexico’s head of state, and on an unknown target or targets in Kenya.
According to the Associated Press, the NSO Group issued a statement that “stopped short of acknowledging that the spyware was its own,” saying that its mission was to provide “authorized governments with technology that helps them combat terror and crime.”
Citizen Lab and Lookout contacted Apple to inform it about the vulnerabilities in iOS. Apple responded immediately and issued a public release of the iOS 9.3.5 patch on Thursday.
“All individuals should update to the latest version of iOS immediately,” the Lookout team said.