(The following post is reprinted from a post by Geoffrey King for a blog for the Committee to Protect Journalists, covered by Creative Commons.)
A rare and serious vulnerability in Apple’s iOS operating system has been discovered by researchers at the University of Toronto’s Citizen Lab, which just published a report detailing its findings. It is the first known remote iOS vulnerability of its kind. Disturbingly, the company behind malware designed to exploit the security flaw may have also helped target an investigative journalist in Mexico in 2015, Citizen Lab said.
The report illustrates the growing threat that commercially available malware poses to journalists around the world. Apple’s iOS-based devices are generally considered by experts to be among the safest options for journalists in the field.
That such an attack was possible is “mind-boggling,” Citizen Lab senior research fellow and UC Berkeley Ph.D. student Bill Marczak told CPJ. “I’ve never heard of this before.”
Apple issued a security update today in iOS 9.3.5 to address the vulnerability. An attacker could use the security flaw to remotely commandeer a target device running 9.3.4 or below, so CPJ strongly urges journalists who own iOS devices — such as iPhones and iPads — to install the update immediately. (CPJ always recommends that journalists install security updates as soon as they become available, and enable automatic security updates on devices for which it is an option.)
The surprising vulnerability discovered in iOS should not, however, prompt journalists to give up on their Apple devices, whose numerous factors to protect users’ privacy and security include robust encryption by default — unlike many phones running versions of the Android operating system.
“If this had happened on an Android device, who knows how long we’d have to wait until a patch was available,” Eva Galperin, global policy analyst at Electronic Frontier Foundation, told CPJ via Twitter.
While iOS is developed, maintained, and updated by Apple, Android is an open source platform developed by Google but modified by phone manufacturers to suit their needs. Android’s fragmentation means that Google has little control over when devices receive security updates.
Citizen Lab researchers Marczak and John Scott-Railton wrote that they discovered the iOS vulnerability after Ahmed Mansoor, an award-winning human rights defender in the United Arab Emirates, forwarded messages containing suspicious links he began receiving two weeks ago. To assess whether the links led to malware designed to take over Mansoor’s iPhone 6, Marczak opened one of them using a freshly-wiped iPhone running a recent version of iOS. To the naked eye, what happened next was subtle, Marczak told CPJ. But by monitoring the phone’s activity on the network, he was able to witness an efficient cascade of actions designed to compromise the phone entirely.
“It was very deliberate and well thought out,” Marczak told CPJ.
According to the Citizen Lab report, technical details of the attack indicate the malware was created by the Israeli surveillance firm NSO Group.
Zamir Dahbash, an NSO Group spokesman, told The New York Times that the company “sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations.” He would not say if the software is used by government agencies in the U.A.E. or Mexico, but said, “The products may only be used for the prevention and investigation of crimes,” the Times reported.