Exploits patched by Apple today hint at years of surreptitious government hacks

You’ll want to be updating your iOS devices to 9.3.5, the version released today by Apple — especially if you’re a prominent human rights activist. A recently thwarted attack on just such a person employed not one but three zero-day exploits addressed by the patch. The subsequent investigation suggests these were the work of a shadowy cybersecurity company whose software may have been used for years by governments looking to compromise political targets.

Ahmed Mansoor (pictured above), an award-winning activist based in the UAE, received some suspicious text messages two weeks ago promising information on detainees being tortured — but Mansoor, who has been targeted multiple times in the past by high-profile “lawful intercept” tools, decided instead to send the text to Canadian security research organization Citizen Lab.

The texts sent to Mansoor.

Assisted by Lookout Security, Citizen Lab went down the rabbit hole, and found it much deeper than expected.

The text messages were a trap, of course, but one of unprecedented complexity. That single link would have leveraged three separate and highly serious exploits in iOS — executing arbitrary code through WebKit, gaining access to the kernel, and then executing code within the kernel. It’s rare enough to find a zero-day in the wild, let alone three at once.

The result would have been a one-step jailbreak with malicious code injected under the hood — granting complete access to all the phone’s data and communications. This triple threat of exploits building on one another gained the appropriate moniker “Trident.”

Taken from Hacking Team's leaked emails, an illustration showing the reach Pegasus would have once installed.

These exploits were immediately sent to Apple, which ten days later — today — issued a patch fixing them. Apple declined to comment beyond the following statement: “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”

Worth noting is the fact that there were references in the code to iOS versions going as far back as 7 — so either the exploits have been around that long or they’re simply effective that broadly.
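The practical takeaway from the two paragraphs above is a patch-level check: any device still below 9.3.5 is missing the fix for the three bugs Trident chained. The following is an added example (not code from the article, Apple, Citizen Lab or Lookout) that flags such devices in a constructed inventory. It treats 9.3.5 as the patched version, as the article states, and, as an assumption drawn from the remark that the exploit code referenced versions back to iOS 7, treats 7.0 up to 9.3.5 as the referenced range; the device ids and versions are constructed sample data.

```python
# Added example, not from the article: flag iOS devices that have not yet
# reached the 9.3.5 patch level, using a constructed inventory list.
from typing import List, Tuple

PATCHED = (9, 3, 5)            # iOS 9.3.5, the release the article says fixes Trident
OLDEST_REFERENCED = (7, 0, 0)  # assumption: article notes code references back to iOS 7


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '9.3' or '9.3.5' into a comparable 3-tuple, padding missing parts with 0."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def needs_update(v: str) -> bool:
    """True if the reported version is below 9.3.5, i.e. still missing the Trident fix."""
    return parse_version(v) < PATCHED


def in_referenced_range(v: str) -> bool:
    """True if the version lies in the span the exploit code referenced:
    from 7.0 up to, but not including, the 9.3.5 patch (assumed lower bound)."""
    ver = parse_version(v)
    return OLDEST_REFERENCED <= ver < PATCHED


# Constructed sample inventory of (device id, reported iOS version); not real data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("phone-01", "9.3.5"),
    ("phone-02", "9.3.4"),
    ("phone-03", "9.3"),
    ("phone-04", "8.4.1"),
    ("phone-05", "6.1.6"),
    ("phone-06", "10.0"),
]


def unpatched_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the ids of devices whose reported version is below 9.3.5."""
    return [dev for dev, ver in inventory if needs_update(ver)]


if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev}: update to iOS 9.3.5 or later")
```

Versions are compared as integer tuples rather than strings so that "9.3" sorts below "9.3.5" and "10.0" above both; a string comparison would get both of those wrong.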

After breaching with Trident, the malware that would have lingered on the device was immediately recognized by the researchers as Pegasus, a piece of commercial spyware software sold by Israel-based cybersecurity company NSO Group. This was the first time it had been caught in the wild. (Perhaps the team working on it should have been called Bellerophon.)

Pegasus was one of the tools that Hacking Team apparently used — and later, inadvertently publicized when its emails were leaked. NSO also showed up when, retrospectively, Citizen Lab’s investigation found traces of the company’s work in a separate threat being tracked in the UAE known as Stealth Falcon. Lastly, the NSO signature was also on malware that had targeted Mexican journalist Rafael Cabrera; he had been working on a story that potentially discredited the country’s president.

NSO is reportedly owned or at least invested in by San Francisco equity firm Francisco Partners, which did not respond to requests for more information.

Pegasus and NSO, then, have been lurking in the wings for quite a long time, and while the evidence is certainly circumstantial, it suggests that the company has long been providing governments with highly sophisticated intrusion software. And, predictably, this software has not been deployed only (or perhaps at all) against the likes of terrorists and spies, but against citizens acting against the government’s interests.

Citizen Lab sums it up well in its conclusion:

Citizen Lab and others have repeatedly demonstrated that advanced “lawful intercept” spyware enables some governments and agencies, especially those operating without strong oversight, to target and harass journalists, activists and human rights workers. If spyware companies are unwilling to recognize the role that their products play in undermining human rights, or address these urgent concerns, they will continue to strengthen the case for further intervention by governments and other stakeholders.

Be careful out there, and keep your phone updated. The global internet is a dangerous place.