An extraordinary report co-authored by Bahrain Watch member Bill Marczak and his colleague at Citizen Lab, John Scott-Railton, has revealed a rare zero-day security vulnerability in the iPhone that can be exploited to remotely jailbreak an iPhone and install complex spyware, turning the phone into digital spy in your pocket.
The vulnerability was discovered when Ahmed Mansoor, a UAE human rights defender, received an SMS containing a suspicious link, promising new secrets about torture in Emirati prisons. Instead the link led to a zero-day remote jailbreak for his iPhone.
This research was enabled by Bill’s close relationship with activists and knowledge of the regional context, and highlights the sophistication of commercial hacking tools and the large amount of money and effort that regimes are willing to invest to target human rights defenders.
The investigation revealed that an Israeli company called the NSO Group, is linked to the attack. The NSO Group sells mobile phone hacking tools exclusively to governments. Describing how he found the attack, Marczak said: “we had been tracking what appeared to be NSO’s infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received,” adding: “activists like Mansoor are the ‘canary in the coal mine’ for targeted digital attacks — the advanced threats they face today will face us all tomorrow.”
The NSO Group’s spyware can read text messages and emails, record calls, and steal contacts. It can even turn on a phone’s microphone to pick up ambient sounds, collect passwords stored on the phone’s keychain, and trace the whereabouts of the phone via GPS.
The report has received wide media coverage by top news outlets such as the New York Times, The Guardian, the Independent, the BBC, The Wall Street Journal, TechCrunch, Macworld, Motherboard, and Business Insider to name a few.
Israeli firm said to have exploited Apple smartphone flaws to help nations spy on their citizens – The Wall Street Journal
Motherboard reported that the tools and technology needed for such an attack on iPhones is worth around one million dollars
This is the first time that anyone has uncovered such an attack in the wild. Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. – Motherboard
However the Israeli NSO group was quoted in several media outlets saying it only sold the technology to authorized governments, the following is form The Guardian:
In a statement which stopped short of acknowledging that the spyware was its own, the NSO Group said its mission was to provide “authorized governments with technology that helps them combat terror and crime”.
Mansoor previously dodged the bullet three times, in 2011, 2012 and 2016 when he was targeted by three different companies: FinFisher, Hacking Team and NSO respectively.
Three different attempts to spy on the “Million Dollar Dissident”, Emirati human rights defender Ahmed Mansoor
To ensure your safety and digital security, you are advised to do the following: