The much-talked-about hack that would allow governments to spy on your every move through your iPhone and iPad has become reality.
Apple issued a security update for those devices Thursday after researchers discovered spyware that turns hand-held Apple devices into the mother of all snoops, allowing remote operators to intercept all voice and data communications and pass along every photograph and video.
Researchers said that before this month no spyware had been found that could “jailbreak” an iPhone or iPad and seize total control of its functions.
Efforts to use the spyware have surfaced in Mexico and the United Arab Emirates, where critics of the government appear to have been targeted for surveillance.
“There’s pretty much nothing that this spyware couldn’t get off the iPhone,” said Bill Marczak, one of two researchers at the Citizen Lab at the University of Toronto who discovered the spyware. “It’s a total and complete compromise of the phone.”
Thursday’s development is a hit on the reputation of Apple products as largely hack-proof, and it raises questions over whether the spyware is in widespread use by authoritarian governments around the world.
The Israeli company thought to have produced the spyware said in a statement that it insisted that governments that bought its products use them only in lawful ways. Coding in the spyware indicates it has been around since 2013.
The spyware’s existence also calls into question the security of widely used encrypted communications programs such as WhatsApp and Telegram, both of whose contents can be intercepted on a compromised device before they are scrambled, according to a San Francisco cyber forensics company, Lookout, that joined Citizen Lab in the probe.
The story of how the researchers uncovered the spyware and the evidence of its use is worthy of a spy novel itself.
Marczak and a colleague, John Scott-Railton, began tracking the spyware, which they call the Trident exploit, after a human rights defender in the United Arab Emirates alerted researchers to suspicious text messages.
The rights activist, Ahmed Mansoor, received a text message on his iPhone on the morning of Aug. 10. It said in Arabic: “New secrets about torture of Emiratis in state prisons,” and contained a hyperlink to an unknown site. A similar text message arrived the next day.
Mansoor was wary. He’d already been targeted by other attempts. In all cases, the text messages were bait to get him to click on a link, which would have led to the infection of his Apple iPhone 6 and the control of the device through spying software created by NSO Group, a shadowy Israeli surveillance company, Marczak said.
Marczak and his colleague infected a test iPhone of their own and “watched as unknown software was remotely implanted on our phone,” the two said in a report. They then contacted Lookout to help in reverse-engineering the spyware.
They quickly learned that the infection would have turned Mansoor’s iPhone into a pocket undercover spy “capable of employing his iPhone’s camera and microphone to eavesdrop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps and tracking his movements.” Viber is another common communications program.
NSO Group, based in Herzliya, on the northern outskirts of Tel Aviv, was founded in 2010 and describes itself as a leader in “cyber warfare” and a vendor of surveillance software to governments around the world. It maintains no website and keeps a low profile.
The Citizen Lab report said NSO Group had been sold to a San Francisco private equity group, Francisco Partners Management LLC, in 2014. A call of inquiry to that group led an NSO Group spokesman, Zamir Dahbash, to call McClatchy.
He offered a statement that said the company’s mission was “to help make the world a safer place” and that it sold only to authorized government agencies to help them “combat terror and crime.” NSO Group does not operate any of its systems, he said, only selling the software.
“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes,” Dahbash said.
He would answer no further questions and would not confirm that the company had contracts with any agencies of the UAE government or with the government of Mexico, where another case emerged of efforts to infect iPhones with NSO spyware.
As the researchers traced the activities of their own infected iPhone, it led to an infrastructure of some 200 websites and servers used by NSO Group. The team then punched in the internet addresses to Google and Twitter “to see if anybody was sharing links to them,” Marczak said.
That’s when they came across a tweet by Rafael Cabrera, a Mexican editor who works for Aristegui Online, a muckraking portal that has repeatedly broken stories on alleged influence trafficking by President Enrique Peña Nieto and his wife. Cabrera noted in the tweet that he’d gotten a “weird” text message that seemed to bait him to click on a suspicious link.
“We realized, oh my gosh, this guy received links which were connected to these websites that we connected to NSO Group,” Marczak said.
Cabrera, trapped in a traffic jam in Mexico City, said in a brief cellular phone interview that three members of Aristegui Online had been targeted with the text messages. In addition to himself, the portal’s lead investigator, Daniel Lizarraga, and another prominent journalist, Salvador Camarena, received texts.
All were on the team that in November 2014 revealed that Peña Nieto’s wife had received a $7 million mansion from one of the government’s biggest contractors. The team also took part, along with McClatchy and scores of other media outlets around the world, in the probe of the Panama Papers, the trove of documents from a Panamanian law firm that opened a window earlier this year on the murky world of offshore shell companies.
Among the revelations from the documents was that the contractor who had built the mansion for the Mexican first lady had also sought to create a string of offshore trusts and companies to hide more than $100 million.
Cabrera said he could not pin blame on who might have wanted to spy on his iPhone.
“I can’t say if it was an individual or if it was the government,” Cabrera said.
The type of spyware sold by NSO Group routinely costs at least $1 million, according to a report by Lookout, making it a tool available mainly to governments.
Apple Inc. was notified by Citizen Lab and Lookout on Aug. 15 of the vulnerability in the iPhones and iPads, and it said the security update provided Thursday blocked the use of Trident spyware.
“We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” Apple spokesman Fred Sainz said in an email.
But Marczak said Apple devices, like all others, faced an increasing onslaught from malware. “Nothing is hack-proof, really,” he said. “There’s always ways into these devices.”
Tim Johnson: 202-383-6028, @timjohnson4