In an effort to spy on journalists and dissidents, one of the world’s most evasive arms dealers is believed to have exploited three vulnerabilities of security in popular Apple products. Investigators discovered that an Israeli outfit known as the NSO Group was behind the intrusions. The company sells software that has the ability to invisibly track a target’s mobile phone. The NSO Group has software that is capable of reading text messages and e-mails as well as tracking calls and contacts. On top of that, it can even collect passwords, record sounds, and trace a phone user’s whereabouts.
In response to the intrusions, Apple released a patched version of its current mobile software, iOS 9.3.5 on Thursday. With a normal software update iPhone users can acquire the new patch. The security holes were fixed 10 days after a tip from two researchers, John Scott Ralton and Bill Marczak. Fred Sainz, an Apple company spokesman advises all customers to protect themselves against potential security exploits by always downloading the latest version of iOS.
Things began to emerge clearly on August 10th, when a prominent human rights activist named Ahmed Mansoor of the United Arab Emirates began receiving suspicious text messages. Mansoor has been tracked by similar surveillance software several times already, and these suspicious messages claimed to contain information about the torture of U.A.E. citizens. Mr. Mansoor forwarded the messages to researchers at the Citizen Lab, who confirmed them to be a tracking attempt on his iPhone. This recent effort was far more sophisticated than the attempts previously aimed at his devices. The researchers discovered that it was connecting to 200 servers, several being registered to the NSO Group. The NSO Group presence was also revealed references to Pegasus, the name of their spyware product, strewn throughout the spyware code.
Software security flaws are often traded among hackers, brokers, and companies like NSO Group. Such flaws that are found in Apple’s iOS software are sold at a premium. As a prime example, last year, a zero-day exploit in iOS software was sold to Zerodium, a Washington dealer of zero-days, for $1 million.
Besides Mr. Mansoor, there were other NSO targets such as Rafael Cabrera, a Mexican journalist who broke a story detailing conflicts of interest among Mexico’s ruling family. NSO tools have been crafted to target users in Mexico, Turkey, Yemen, Mozambique, Kenya, and the United Arab Emirates. According to researcher Bill Marczak, the surveillance experienced by the likes of Mr. Mansoor are likely to expand.