A trio of previously unknown weaknesses in Apple's iOS security were unearthed when a human rights activist from the United Arab Emirates (UAE) received a malicious text message from what turned out to be an Israeli spyware firm, NSO Group.
Ahmed Mansoor, whose human rights work has caused him to be targeted by his government in the past, suspected he should not click the link in a text he received August 10, which claimed to lead to information about torture in UAE prisons. Instead he brought it to the attention of the internet watchdog group Citizen Lab, which turned to mobile security company Lookout for help picking apart the spyware.
"It is amazing the level they've gone through to avoid detection," Mike Murray, a vice president at Lookout, told the Associated Press. The software designers installed "a hair-trigger self-destruct," he said.
It took the security experts two weeks to pick apart the software, which would have allowed the NSO Group, or whoever bought the software from them, to read Mr. Mansoor's text messages and emails, track his calls and contacts, record sounds around him, collect his passwords, and track his location.
"The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations," NSO Group spokesperson Zamir Dahbash told The New York Times, adding that they have no control over how the software they design are used.
In an impressively quick turn around, Apple fixed all three flaws exposed by Citizen Lab and Lookout in just 10 days, and released an iOS 9.3.5 update that included the new security updates.
"We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits," said Fred Sainz, an Apple spokesman, according to the Times.
Finding one, much less three, "zero day" security flaws is a rarity: the term refers to the fact that Apple did not know about them previously, and therefore had zero days to patch them. Security holes of this kind are incredibly valuable to spy agencies and law enforcement networks: last year, security company Zerodium paid $1 million to hackers who uncovered another zero day flaw in Apple software.
James Comey, the director of the Federal Bureau of Investigation, revealed that the FBI paid hackers to get into the iPhone of one of the shooters in the San Bernardino, Calif. mass killing after Apple refused to design a back door entrance to aid in the investigation.
Similarly, Apple offers a "bug bounty" to hackers who report vulnerabilities directly to Apple, to discourage them from selling the information to malicious companies or to government agencies.
NSO Group’s spyware has been used against targets in Yemen, Turkey, Mozambique, Mexico, Kenya, and the UAE, the Times reports.
This report includes material from the Associated Press.