Flaws in Apple’s iOS operating system have been discovered that made it possible to install spyware on a target’s device merely by getting them to click on a link. The discovery was made after a human rights lawyer alerted security researchers to unsolicited text messages he had received.
They discovered three previously unknown flaws within Apple’s code. Apple has since released a software update that addresses the problem. The two security firms involved, Citizen Lab and Lookout, said they had held back details of the discovery until the fix had been issued.
The lawyer, Ahmed Mansoor, received the text messages on 10 and 11 August. The texts promised to reveal “secrets” about people allegedly being tortured in the United Arab Emirates (UAE)’s jails if he tapped the links. Had he done so, Citizen Lab says, his iPhone 6 would have been “jailbroken”, meaning unauthorised software could have been installed.
“Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” said Citizen Lab.
“We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.” The researchers say they believe the spyware involved was created by NSO Group, an Israeli “cyber-war” company. “[It is] the most sophisticated spyware package we’ve seen,” said Lookout.
“It takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile – always connected (wi-fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists.” NSO has issued a statement acknowledging that it makes technology used to “combat terror and crime” but said it had no knowledge of any particular incidents and made no reference to the specific spyware involved. “These are rather rare zero-day flaws,” commented security expert Prof Alan Woodward, referring to the technical name for previously unknown vulnerabilities.
“To have several found at once is even rarer. As can be seen from how these have been exploited to date, it represents a serious threat to the security and privacy of iOS users. “Apple has been remarkably responsive in providing fixes for these issues, so I would encourage any iOS users to update to the latest version of the operating system.”