iOS vulnerability

Israeli tech company’s spyware turns UAE activist’s iPhone into a self-tracking device

Published 29 August 2016

Two University of Toronto researchers have uncovered an iPhone-based attack on Ahmed Mansoor, a prominent United Arab Emirates human rights defender. The attack employed spyware produced by NSO Group, an Israeli technology company founded by former members of Unit 8200, the Israeli military’s electronic surveillance branch. The spyware is sold to governments for the purpose of spying on their citizens.

Two University of Toronto researchers from the Munk School of Global Affairs’ Citizen Lab have uncovered an iPhone-based attack on Ahmed Mansoor, a prominent United Arab Emirates human rights defender.

Bill Marczak and John Scott-Railton, with the collaboration of Lookout Security, discovered the attack, which used zero-day exploits against Apple’s iOS operating system. Citizen Lab shared the preliminary findings with Lookout Security for verification and further analysis and undertook an immediate responsible disclosure of the zero-days to Apple Inc.

The report, The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, was published last Thursday in conjunction with Apple’s release of iOS 9.3.5, which patches the vulnerabilities. Lookout also published a technical analysis.

Ahmed Mansoor is an internationally recognized human rights defender based in the United Arab Emirates (UAE) and a 2015 laureate of the Martin Ennals Award (sometimes referred to as a “Nobel prize for human rights”). On 10 and 11 August, he received SMS text messages on his iPhone promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. U Toronto says that instead of clicking, Mansoor sent the messages to Marczak and Scott-Railton, who recognized the links as belonging to NSO Group, an Israel-based “cyber war” company that sells government-exclusive “lawful intercept” spyware. San Francisco-based venture capital firm Francisco Partners Management is a major investor in NSO Group.

Forbes reports that NSO Group was founded by former members of Unit 8200, the Israeli military’s electronic surveillance branch.

The ensuing investigation, a collaboration between researchers from Citizen Lab and Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”), which the researchers call the Trident. The chain would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.