First thing’s first: if you have an iOS device, update it. Right now. Okay. Done? Done. Good.
So Apple discovered that the NSO Group has been using some really nasty security holes in iPhones. That’s particularly concerning because NSO is a company that specializes in helping governments spy on their own people. What’s worse is that NSO’s exploit allowed them to silently jailbreak handsets and access anything including text messages, emails, contacts, and passwords on top of recording audio and tracking its user via GPS.
The exploit used spear phishing, a type of directed phishing attack that would impersonate popular sites like the BBC and then load in their own malicious code.
A report from research organizations Citizen Lab and Lookout Security claim that Ahmed Mansoor, “an internationally recognized human rights defender,” was targeted by his own government in the United Arab Emirates. Mansoor received a suspicious message promising “new secrets” about torture victims if he clicked a link. Mansoor wasn’t fooled, however, and he sent his data to Citizen Lab for analysis.
Citizen Lab recognized the threat and found that the link would take advantage of three zero-day exploits, or vulnerabilities in software that aren’t widely known and patched yet. Had he clicked the links, it would have remotely cracked Mansoor’s iPhone 6 and installed spyware. Security experts call this attack “Trident,” and it’s got a lot of people spooked.
No matter what device you’re using, there’s something, somewhere hidden in its code that can be exploited. That’s just the nature of modern computing software. Code is so complex that it’s essentially impossible to secure every single piece of it. Many companies will pay top dollar ― sometimes millions of dollars ― to get their hands on zero-day exploits. Because they aren’t known by the software company (in this case Apple, but it could be anyone) or the general public, there’s no defense against them. Zero-days cannot be stopped precisely because only a handful of people know they exist.
Other orgs spoofed by NSO via lookalike domains include YouTube, Facebook, Google, Univision, BBC, CNN and AlJazeera pic.twitter.com/nIwKNVDnNC
― Christopher Soghoian (@csoghoian) August 25, 2016
It’s believed that there’s a growing gray market for exploits. Some security firms will offer a bounty for any hacker that can find one, then, the less scrupulous companies can sell them to shady governments or other companies like NGO who can, in turn, help others spy on specific targets.
Mansoor was lucky, but it wasn’t the first time he’s been targeted. As a highly active and well-decorated human rights leader, he’s drawn the ire of the UAE, a state well-known for many human rights abuses. According to Citizen Lab, Mansoor knows of at least two other cyberattacks by the UAE. It’s unknown whether NGO was working with the UAE here as well, but Citizen Lab believes that it’s likely.
Cracking iOS is tough, but the fact that this market exists and that there’s so much money to be made in the process means that it shouldn’t come as a surprise that governments would get involved at some point. What is alarming, however, is that an exploit this bad is out there and being used by those who would do harm. Even worse? There are likely many, many more that we don’t know. After all, that’s the problem with zero-days. We don’t know they exist often until it’s too late.
Thankfully Apple hopped on this one quick, though. If you did as I told you at the start, your phone is safe from Trident. But it should be another sobering reminder that we all need to do our due diligence and be vigilant all the time when it comes to safety. But even then, it might not always be enough.
