How a human rights activist sparked an iPhone security update

After an activist's iPhone was targeted with revolutionary spyware, Apple fixed all three 'zero day' flaws and built the patches into iOS 9.3.5.

Daniella Cheslow/AP
The Israeli NSO Group software company had offices in this building, seen Aug. 25 in Herzliya, Israel, until a few months ago. A botched attempt to break into the iPhone of a UAE activist using hitherto unknown espionage software has triggered a global upgrade of Apple's mobile operating system, researchers said Thursday.

A trio of previously unknown weaknesses in Apple's iOS security were unearthed when a human rights activist from the United Arab Emirates (UAE) received a malicious text message from what turned out to be an Israeli spyware firm, NSO Group.

Ahmed Mansoor, whose human rights work has caused him to be targeted by his government in the past, suspected he should not click the link in a text he received August 10, which claimed to lead to information about torture in UAE prisons. Instead he brought it to the attention of the internet watchdog group Citizen Lab, which turned to mobile security company Lookout for help picking apart the spyware.

"It is amazing the level they've gone through to avoid detection," Mike Murray, a vice president at Lookout, told the Associated Press. The software designers installed "a hair-trigger self-destruct," he said.

It took the security experts two weeks to pick apart the software, which would have allowed the NSO Group, or whoever bought the software from them, to read Mr. Mansoor's text messages and emails, track his calls and contacts, record sounds around him, collect his passwords, and track his location.

"The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations," NSO Group spokesperson Zamir Dahbash told The New York Times, adding that they have no control over how the software they design is used.

In an impressively quick turnaround, Apple fixed all three flaws exposed by Citizen Lab and Lookout in just 10 days, and released an iOS 9.3.5 update that included the new security updates.

"We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits," said Fred Sainz, an Apple spokesman, according to the Times.

Finding one, much less three, "zero day" security flaws is a rarity: the term refers to the fact that Apple did not know about them previously, and therefore had zero days to patch them. Security holes of this kind are incredibly valuable to spy agencies and law enforcement networks: last year, security company Zerodium paid $1 million to hackers who uncovered another zero day flaw in Apple software.

James Comey, the director of the Federal Bureau of Investigation, revealed that the FBI paid hackers to get into the iPhone of one of the shooters in the San Bernardino, Calif. mass killing after Apple refused to design a back door entrance to aid in the investigation.

Similarly, Apple offers a "bug bounty" to hackers who report vulnerabilities directly to Apple, to discourage them from selling the information to malicious companies or to government agencies.

NSO Group’s spyware has been used against targets in Yemen, Turkey, Mozambique, Mexico, Kenya, and the UAE, the Times reports. 

This report includes material from the Associated Press.
