By Joseph Menn
SAN FRANCISCO, Aug 28 – Apple Inc issued a patch on Thursday to fix a dangerous security flaw in iPhones and iPads after researchers discovered that a prominent United Arab Emirates dissident’s phone had been targeted with a previously unknown method of hacking.
The thwarted attack on the human rights activist, Ahmed Mansoor, used a text message that invited him to click on a web link. Instead of clicking, he forwarded the message to researchers at the University of Toronto’s Citizen Lab.
The hack is the first known case of software that can remotely take over a fully up-to-date iPhone 6.
Experts at Citizen Lab worked with security company Lookout and determined that the link would have installed a program taking advantage of a three flaws that Apple and others were not aware of. The researchers disclosed their findings on Thursday.
“Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” Citizen Lab wrote in a report released on Thursday.
The researchers said they had alerted Apple a week and a half ago, and the company developed a fix and distributed it as an automatic update to iPhone 6 owners.
Apple spokesman Fred Sainz confirmed that the company had issued the patch after being contacted by researchers.
The Citizen Lab team attributed the attack software to a private seller of monitoring systems, NSO Group, an Israeli company that makes software for governments which can secretly target mobile phones and gather information. Tools such as that used in this case, a remote exploit for a current iPhone, cost as much as $1 million.
NSO Chief Executive Shalev Hulio referred questions to spokesman Zamir Dahbash, who said the company “cannot confirm the specific cases” covered in the Citizen Lab and Lookout reports.
Dahbash said NSO sells within export laws to government agencies, which then operate the software.
“The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner,” he added. “Specifically, the products may only be used for the prevention and investigation of crimes.”
Dahbash did not answer follow-up questions, including whether the exposure of the tools use against Mansoor in UAE and a Mexican journalist would end any sales to those countries.
NSO has kept a low profile in the security world, despite its 2014 sale of a majority stake for $120 million to California private equity firm Francisco Partners. That company’s chief executive, Dipanjan Deb, did not return a call on Thursday. In November 2015, Reuters reported that NSO had begun calling itself “Q” and was looking for a buyer for close to $1 billion.
Sarah McKune, senior legal adviser to Citizen Lab, said Israel tries to follow the strictures of the Wassenaar Arrangement, which puts controls on the international sale of nuclear and chemical weapons technology and more recently cyber intrusion tools.
NSO may have had to apply for an export license, she added, saying that raised questions about “what consideration was given to the human rights record of UAE.”
The Israeli embassy in Washington did not respond to an email seeking comment.
NSO marketing material says that it also has capabilities for Android and BlackBerry devices. No version of the software has been exposed, indicating it remains effective.
Citizen Lab did not directly accuse UAE of carrying out the attack on Mansoor with NSO gear called Pegasus, but it said other NSO attacks on critics of the regime were connected to the government.
It also said a Mexican journalist and a minority party politician in Kenya had been targeted with NSO software and that domain names set up for other attacks referred to entities in Uzbekistan, Thailand, Saudi Arabia, Turkey, and other nations, suggesting that other targets lived in those nations.
A call to the UAE embassy in Washington was not immediately returned.
The market for “lawful intercept,” or government hacking tools, has come under increased scrutiny with revelations about authoritarian customers and noncriminal victims.
Two popular vendors, Hacking Team of Italy and Gamma Group of the United Kingdom, have had their wares exposed by researchers or hackers.
Mansoor had previously been targeted with software from both of those companies, according to Citizen Lab.
“I can’t think of a more compelling case of serial misuse of lawful intercept malware than the targeting of Mansoor,” said one of the Citizen Lab researchers, John Scott-Railton.