New iPhone vulnerabilities exposed, is Apple's future truly secure?

The Million Dollar Dissident

In general, isn't going to be always more valuable for the giant tech cos to offer the highest bug bounties around? Why not offer millions?

— Farhad Manjoo (@fmanjoo) August 25, 2016

In early August, Ahmed Mansoor, an Emirati human rights activist, got a text message "promising new secrets about detainees tortured in UAE jails if he clicked on an included link". The quick thinking Mansoor realised this might be some sort of bug, scam or wrongly sent SMS. He immediately forwarded it to Citizen Lab researchers.

Fortunately for him, it saved him many months of trouble. Had he clicked the link, his phone would have been infested with malware. This malware was capable of "logging encrypted messages, activating the microphone and secretly tracking its movements". Citizen Lab and Lookout Security detailed all of this and more in a report titled "The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender" that was released on 24 August.

The report states that the investigation led to the links leading to " led to a chain of zero-day exploits" and these could remotely jailbreak Mansoor's stock iPhone 6 and installed spyware.

"We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find," the report states.

What does any of this mean?

The exploit exposed by Mansoor targets three previously unknown vulnerabilities - allowing for arbitrary code execution, access to kernel memory, and access to kernel privileges - that combine to allow for a remote jailbreak. This is a "chain of heretofore unknown exploits used to remotely circumvent iPhone security measures".

Citizen Lab and Lookout reported these findings to Apple and the vulnerability has been fixed, ten days later, in the latest iOS 9.3.5. If you're an iPhone user and haven't updated your phone in the last 2 weeks, now is a good time to do that. We'll wait...

The links were traced to an exploit infrastructure that was in turn connected to a NSO Group. That group is an Israel-baed cyber-war company that "sells Pegasus, a government-exclusive 'lawful intercept' spyware product". Some of the groups executives have boasted that their spyware worked like a "ghost". Yes, national security-grade hacking tools were being targeted at everyday iPhone users.

"Based on the price of the attack kit-about $8 million for 300 licenses-the researchers believe it's being actively used against other iPhone users throughout the world," writes Dan Goodin in Ars Technica. That's pretty worrying.

How they cracked the code

Working late into the night, the researchers realised they'd seen the websites before. The sites were used to dupe the victims into downloading malicious software that lets the hackers take control of their phone. The researchers downloaded the spyware onto a dummy iPhone. From then on, they monitored all the data that was sent and received by connecting it to the internet through another computer.

"After about ten seconds of navigating to the URL, which displayed a blank page, the Safari window closed, and we observed no further visual activity on the iPhone's screen. Meanwhile, we saw that the phone was served what appeared to be a Safari exploit, followed by intermediate files (final111), and a final payload (test111.tar). The first two payloads form the Trident exploit chain, and test111.tar is the payload" the report stated. The malware was only about 2.5 mb compressed and about 5mb uncompressed.

A hack that's been in play for years

This isn't something new. It may have been pointed out now, but it has definitely been going on for a while.

An analysis of the code reveals that this has been going on since iOS 7 was in use back in 2013. Other than Mansoor, the exploit targets high-value people for purposes of corporate espionage. NSO Group, is an Israeli-based division of US-headquartered company Francisco Partners Management. Francisco Partners Management had paid $120 million in 2014 for a majority stake in NSO. NSO group is so secretive that it keeps changing its name. According to Reuters, the group had earnings of about $75 million.

This is also not the first time Mansoor has been targeted. In fact, it isn't even the second. It's the third time he's been targeted by "legal intercept" software. In 2011, he was targeted by exploit software known as FinFisher. A year later, it was by Italy-based Hacking Team.

Furthermore, the exploit was used against a Mexican journalist after he reported on corruption by his countries head of state. "NSO Group has used fake domains that impersonate the Red Cross, the UK government's visa application processing website, news organisations, and major technology companies," reports Ars Technica.

The software has not just been deployed against terrorists and similar people but also against those citizens acting against a government's interests.

Citizen Labs aptly sums it up:

"Citizen Lab and others have repeatedly demonstrated that advanced "lawful intercept" spyware enables some governments and agencies, especially those operating without strong oversight, to target and harass journalists, activists and human rights workers. If spyware companies are unwilling to recognize the role that their products play in undermining human rights, or address these urgent concerns, they will continue to strengthen the case for further intervention by governments and other stakeholders."

It's safe to say that if you haven't updated your phone yet, you definitely should.