Image from Shutterstock.com (c) Maksim Kabakou

Work by a Canadian human rights and technology research team has led to Apple quickly pushing out an update to iOS devices after the discovery of three vulnerabilities that could allow an attacker to take over devices if owners clicked on a malicious link.

The discovery was made by the University of Toronto’s Citizen Lab after Middle East human rights activist Ahmed Mansoor received suspicious SMS messages with links purporting to lead to “new secrets” about detainees tortured in the United Arab Emirates. Instead the links led to a chain of zero-day exploits that would have jail-broken Mansoor’s Apple 6 handset and installed spyware.

Mansoor contacted Citizen Lab, with whom he has worked before, and in turn the university researchers worked with California-based Lookout Security to track down the background of the exploit.

Citizen Lab received the suspicious link Aug. 10. In response Apple released iOS 9.3.5 on Thursday for iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later. Public Safety Canada also published an alert warning iOS device users to update their operating systems.
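For an organization that manages a fleet of iOS devices, the practical follow-up to an alert like this is to compare each device's reported iOS version against the fixed release. The script below is an added example, not code from the article, Citizen Lab, Lookout or Apple; the inventory records in it are constructed, and it assumes only that an MDM export can provide a device label, model and dotted version string. The point it makes is that version strings must be compared numerically, component by component: a plain string comparison ranks "10.0.1" below "9.3.5" and would misclassify a fully patched device.

```python
from dataclasses import dataclass
from typing import List, Tuple

# iOS release that closed the three Trident vulnerabilities, per the article.
PATCHED_IOS = "9.3.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '9.3.5' into a tuple of ints.

    Tuples compare numerically component by component, which is what a
    version check needs; comparing the raw strings would rank '10.0.1'
    below '9.3.5'. Missing trailing components are padded with zeros so
    '10.0' compares equal to '10.0.0'. Raises ValueError on input that is
    not purely numeric (e.g. a beta build label), which is safer than
    silently treating it as patched.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_patched(version: str, patched: str = PATCHED_IOS) -> bool:
    """True when the reported version is at or above the fixed release."""
    return parse_version(version) >= parse_version(patched)


@dataclass
class Device:
    name: str   # inventory label (constructed for this example)
    model: str  # hardware model as reported by the device
    ios: str    # reported iOS version string


def devices_needing_update(inventory: List[Device]) -> List[Device]:
    """Return the devices still running a version below the fixed release."""
    return [d for d in inventory if not is_patched(d.ios)]


# Constructed inventory records; the names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Device("exec-phone", "iPhone 6", "9.3.4"),
    Device("field-ipad", "iPad 2", "9.3.5"),
    Device("kiosk-ipod", "iPod touch (5th generation)", "9.2.1"),
    Device("test-phone", "iPhone 6s", "10.0.1"),
]


if __name__ == "__main__":
    for device in devices_needing_update(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {device.name} ({device.model}) on iOS {device.ios}")
```

Run against a real MDM export, the only change needed is to build the `Device` list from the export's columns; the comparison logic stays the same for any later advisory by changing `PATCHED_IOS`.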

Citizen Lab suspects the malware comes from the government of the UAE, using infrastructure from the NSO Group, which it describes as an Israel-based company that sells a spyware product called Pegasus to governments.

According to Forbes.com, NSO Group responded to a query about the Citizen Lab report by saying, “The company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry.” The statement also emphasized that NSO Group only sells technology to clients, and doesn’t operate it.

Citizen Lab has dubbed the three exploits Trident. In its report it notes that many state-sponsored spyware campaigns against civil society groups and human rights defenders use “just enough” technical sophistication, coupled with carefully planned deception. “This case demonstrates that not all threats follow this pattern. The iPhone has a well-deserved reputation for security. As the iPhone platform is tightly controlled by Apple, technically sophisticated exploits are often required to enable the remote installation and operation of iPhone monitoring tools. These exploits are rare and expensive. Firms that specialize in acquiring zero-days often pay handsomely for iPhone exploits. One such firm, Zerodium, acquired an exploit chain similar to the Trident for one million dollars in November 2015.”

Citizen Lab has complained for some time that companies that make software for so-called lawful access don’t have effective human rights policies and don’t exercise due diligence over the law enforcement agencies and governments they sell to, some of which abuse their products against political opponents, journalists, and human rights defenders.

This is the third time someone has targeted Mansoor’s devices for spyware using software sold to law enforcement agencies, the report adds. In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System. Both Hacking Team and FinFisher have been the object of several years of revelations highlighting the misuse of spyware to compromise civil society groups, journalists, and human rights workers, the report says.

When Citizen Lab and Lookout Security tested the link sent to Mansoor on an iPhone they found it downloaded the following chain:

  • CVE-2016-4657: An exploit for WebKit, which allows execution of the initial shellcode.
  • CVE-2016-4655: A Kernel Address Space Layout Randomization (KASLR) bypass exploit to find the base address of the kernel.
  • CVE-2016-4656: 32- and 64-bit iOS kernel exploits that allow execution of code in the kernel, used to jailbreak the phone and allow software installation.