Got a notification to update your iOS device to 9.3.5? You really shouldn’t wait to install it — the new version fixes three security vulnerabilities that were actively exploited by an Israel-based company in an episode likely involving the UAE government and a spy operation.
The NSO Group sells surveillance software that utilizes three zero-day vulnerabilities in iOS — it’s something that rarely happens in the wild, according to the team of researchers that reported the flaws to Apple. “Zero days” means the flaws were previously unknown, and a company had no time, or “zero days,” to fix them.
It all started with Ahmed Mansoor, a well-recognized human rights defender based in the United Arab Emirates. On August 10 and 11, Mansoor got an SMS on his iPhone “promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link.
Mansoor didn’t click the link — he sent it straight to Citizen Lab researchers housed in the University of Toronto. If Mansoor had followed the link, the exploit would have remotely jailbroken his iPhone 6, and installed spyware.
“Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” according to Citizen Labs’ report.
The team worked with researchers at Lookout Security and managed to track the exploit back to NSO Group, a “cyber-war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. Oddly, NSO Group is owned by an American venture capital firm named Francisco Partners Management.
“The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting,” the researchers write in the report.
Immediately after discovering Trident, Citizen Labs and Lookout Security notified Apple. The Cupertino company said it would address the vulnerabilities — and 10 days later, Apple patched them up in iOS 9.3.5. It’s likely the last update to iOS 9, as iOS 10 is likely to release soon.
The exploit and patch come weeks after Apple announced its first bug bounty program, which is to begin as an invitation-only process with the company doling out rewards as high as $200,000 for discovered vulnerabilities.
The update is available to all devices running iOS 9 through an over-the-air update.