Disarming a Cyber Mercenary, Patching Apple Zero Days

I am pleased to announce a new Citizen Lab report: “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender,” authored by senior researchers Bill Marczak and John Scott Railton.

If you are one of hundreds of millions of people who own an iPhone, today you will receive a critical security patch.  While updating your software, you should pause for a moment to thank human rights activist Ahmed Mansoor.

Mansoor is a citizen of the United Arab Emirates, and because he’s a human rights activist in an autocratic country, his government views him as a menace.  For security researchers at the Citizen Lab, on the other hand, Mansoor’s unfortunate experiences are the gift that won’t stop giving.

Mansoor is an outspoken defender of human rights, civil liberties, and free expression in a country that routinely flouts them all. While he has been praised internationally for his efforts — in 2015, Mansoor was given the prestigious Martin Ennals Award for Human Rights Defenders — his government has responded with imprisonment, beatings, harassment, a travel ban…and persistent attempts to surreptitiously spy on his digital communications.

For example, in 2011 Mansoor was sent a PDF attachment that was loaded with sophisticated spyware manufactured by the British/German company Gamma Group.  Fortunately, he decided not to open it.

In 2012, he was targeted with more spyware, this time manufactured by an Italian company, Hacking Team.  His decision to share that sample with Citizen Lab researchers led to one of our first detailed reports on the commercial spyware trade.

And so earlier this month, when Mansoor received two unsolicited SMS messages on his iPhone 6 containing links about “secrets” concerning detainees in UAE prisons, he thought twice about clicking on them.  Instead, he forwarded them to us for analysis. It was a wise move. 

Citizen Lab researchers, working in collaboration with the security company Lookout, found that lurking behind those SMS messages was a series of “zero day” exploits (which we call “The Trident”) designed to take advantage of unpatched vulnerabilities in Mansoor’s iPhone. 

To say these exploits are rare is truly an understatement.  Apple is widely renowned for its security — just ask the FBI.  Exploits of its operating system run on the order of hundreds of thousands of dollars each.  One company that resells zero days paid $1 million for a single iOS exploit, while the FBI reportedly paid at least $1.3 million for the exploit used to get inside the San Bernardino device.  The attack on Mansoor employed not one but three separate zero day exploits.

Had he followed those links, Mansoor’s iPhone would have been turned into a sophisticated bugging device controlled by UAE security agencies. They would have been able to turn on his iPhone’s camera and microphone to record Mansoor and anything nearby, without his being any the wiser. They would have been able to log his emails and calls — even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts.

Through careful, detailed network analysis, our team (led by Bill Marczak and John Scott Railton) was able to positively link the infrastructure behind these exploits to an obscure company called “NSO Group”.

Don’t look for them online; NSO Group doesn’t have a website. They are an Israel-based “cyber war” company owned by an American venture capital firm, Francisco Partners Management, and founded by alumni of the infamous Israeli signals intelligence agency, Unit 8200.  This unit is among the most highly ranked state agencies for cyber espionage, and is allegedly responsible (along with the U.S. NSA) for the so-called “Stuxnet” cyber attack on Iran’s nuclear enrichment facilities.

In short: we uncovered an operation seemingly undertaken by the United Arab Emirates using the services and technologies of an Israeli “cyber war” company that used precious and very expensive zero day iOS exploits to get inside an internationally renowned human rights defender’s iPhone.

That’s right: Not a terrorist. Not ISIL. A human rights defender.

(An important aside: we also were able to identify what we suspect are at least two other NSO Group-related targeted digital attack campaigns: one involving an investigative journalist in Mexico, and the other a tweet related to an opposition politician in Kenya).

Once we realized what we had uncovered, Citizen Lab and Lookout contacted Apple with a responsible disclosure concerning the zero days.

Our full report is here.

Apple responded immediately, and we are releasing our report to coincide with their public release of the iOS 9.3.5 patch.

That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace.  This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real and escalating crisis of democracy and human rights.

What is to be done?  Clearly there is a major continuing problem with autocratic regimes abusing advanced interception technology to target largely defenceless civil society organizations and human rights defenders.  The one solution that has been proposed by some — export controls on items related to “intrusion software” — appears to have had no effect in curbing abuses. In fact, Israel has in place export controls ostensibly to prevent this very sort of abuse from happening. But something obviously slipped through the cracks…

Maybe it is time to explore a different strategy — one that holds the companies directly responsible for the abuse of their technologies.  It is interesting in this respect that NSO Group masqueraded some of its infrastructure as government, business, and civil society websites, including the International Committee of the Red Cross, Federal Express, YouTube, and Google Play.

Isn’t that fraud against the user? Or a trademark violation? If not considered so now, maybe it should be.

Meanwhile, please update your iPhone’s operating system, and while you’re doing it, spare a thought for Ahmed Mansoor.

All iPhone owners should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version.