Written as editor of the New Statesman’s NS Tech and first published here.
Apple’s issued a major patch to iOS 9 after a human rights activist reported a strange text message that was found to contain three zero-days vulnerabilities.
Long thought to be more secure than desktop computers, this smartphone attack would have enabled hackers to see inside the user’s device, including tracking his movements, recording phone calls and logging messages.
An experienced avoider of state surveillance, Ahmed Mansoor didn’t click the link, but sent it on to Citizen Lab at the University of Toronto, who worked with security firm Lookout to test the software.
“The implant installed by the [now nicknamed] Trident exploit chain would have turned Mansoor’s iPhone into a digital spy in his pocket,” the researchers said.
“We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.”
The problem was reported to Apple and a new version of iOS 9 was delivered within 10 days. Updating to the latest version means the attack will no longer work, but of course doesn’t protect people from new, future exploits.
Interestingly, the researchers not only explain that all of the three tools used in the attack were from “lawful intercept” spyware companies, but that the trail is thought to lead back to a US venture capital-owned business, NSO Group.
Citizen Lab believes that Israeli firm NSO Group builds software that is specifically designed and sold to government agencies. Attacks of this level of sophistication could be worth millions to those wishing to target journalists, human rights campaigners and other interesting parties.
“That the companies whose spyware was used to target Mansoor are all owned and operated from democracies speaks volumes about the lack of accountability and effective regulation in the cross-border commercial spyware trade,” the team added.
Speaking last week about a similar set of software hacks believed to belong to the NSA, former US Defense Intelligence Agency officer Michael Tanji issued a harsh reality check:
“If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions…
“The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.”
Yes, the battle is truly on, between security researchers and commercial companies working on behalf of their users (and their brand reputations), and state actors and non-state actors who give no s**** about your digital identity.
Individual citizens, relying on the kindness of strangers to notice, test and then responsibly disclose new threats to the relevant company, before it’s too late, gives us real vulnerability in the vulnerability exploitation business.