Apple has patched three critical vulnerabilities in iOS that were identified when an attacker targeted a human rights activist in the UAE with an exploit chain that used the bugs to attempt to remotely jailbreak and infect his iPhone.
The vulnerabilities include two kernel flaws and one in WebKit, and Apple released iOS 9.3.5 to fix them. The attack that set off the investigation targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Mansoor forwarded the link to researchers at the University of Toronto’s Citizen Lab, who recognized what they were looking at.
“On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based ‘cyber war’ company that sells Pegasus, a government-exclusive “lawful intercept” spyware product,” Citizen Lab said in a new report on the attack and iOS flaws.
“The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.”
Apple turned the patch around quickly, within two weeks. Two of the vulnerabilities can lead to arbitrary code execution, one of them with kernel privileges. The third bug can allow an app to disclose kernel memory. Lookout, a mobile security company that helped with the investigation, said the Trident exploit chain is tailor-made for targeted attacks.
“Given the high price tag associated with these attacks — Zerodium paid $1 million for an iOS vulnerability last year — we believe this kind of software is very targeted, meaning the purchaser is likely to be both well-funded and specifically motivated. The going price for Pegasus was roughly $8 million for 300 licenses, so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value,” Mike Murray of Lookout said.
Users should update their iPhones immediately to protect against attacks on these vulnerabilities.