In response to a series of zero-day vulnerabilities, Apple yesterday released an update to the latest version of iOS 9. The update patches several critical zero-day exploits that have apparently already been deployed, allegedly by foreign governments to target activists and dissidents, according to a report from Citizen Lab and Lookout Security.
That report of the hack reached Apple last week. The update is recommended immediately for all devices running iOS 9. Used in tandem, the exploits allow a hacker to hijack an iOS device and control or monitor it remotely.
That would give the cybercriminal access to a device’s camera and microphone, meaning the hacker could take images and files, track the owner’s movements and capture audio calls even in such normally secure apps as WhatsApp.
Jailbreak
The exploits were discovered after a human rights lawyer alerted security researchers to unsolicited text messages he had received. The lawyer, Ahmed Mansoor, received the text messages on August 10 and 11.
The messages promised to reveal secrets about people allegedly being tortured in the United Arab Emirates’ jails if he tapped the links. If Mansoor had done so, his iPhone 6 would have been “jailbroken,” or hit with unauthorized software installations, according to Citizen Lab, a project at the University of Toronto’s Munk School of Global Affairs.
The researchers said the spyware involved was most likely created by NSO Group, an Israeli cyber-war company. Lookout called it the most sophisticated spyware package it has seen, taking advantage of the combination of features only available on mobile devices such as voice communications, camera, email, messaging, GPS, passwords and contact lists.
Updates Are Critical
Bill Marczak of Citizen Lab told reporters that the exploits have probably existed since before last month’s release of iOS 9.3.3. Apple said the vulnerability was fixed with the release of iOS 9.3.5, and advised users to always run the latest version of the mobile operating system.
Zero-day exploits in iOS have emerged before from jailbreakers, security researchers and companies that sell flaws to governments. The latest exploit, though, might mark the first time the action of major active exploits was captured and thoroughly documented. Citizen Lab had been tracking the infrastructure behind the most recent exploit before receiving phishing links that matched a domain Citizen Lab had already been following.
It’s unlikely that any of the exploits reached iOS end users, since they were caught by researchers and Apple. Nevertheless, Apple said it’s critical to install the latest update now that the exploits have been documented. Apple also said that users should also avoid clicking on links in SMS messages from unknown parties since such messages can be spoofed.
