Israeli tech company’s spyware turns UAE activist’s iPhone into a self-tracking device

“We had been tracking what appeared to be NSO’s infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received,” said Marczak. “Activists like Mansoor are the ‘canary in the coal mine’ for targeted digital attacks — the advanced threats they face today will face us all tomorrow.”

Once the researchers confirmed the presence of what appeared to be iPhone zero-days, they quickly initiated a responsible disclosure process by notifying Apple and sharing their findings. Apple responded promptly, releasing the iOS 9.3.5 patch, which closes the vulnerabilities that NSO appears to have been supplying to remotely hack iPhones.

The researchers note that the cost of a chain of zero-day exploits, the use of NSO Group’s government-exclusive exploit infrastructure, and prior known targeting of Mansoor by the UAE government provide strong circumstantial evidence that the UAE government is once again likely responsible for this attack. Remarkably, this case marks the third commercial spyware suite employed in attempts to compromise Mansoor. In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System. Both Hacking Team and FinFisher have been the subject of several years of revelations highlighting the use of these tools to target civil society groups, journalists, and human rights workers. The attack the Citizen Lab researchers describe in their report may be the most expensive effort yet to compromise Mansoor.

“We have never worked with someone who has been targeted with so much expensive commercial spyware. First FinFisher in 2011, then Hacking Team in 2012, and now NSO Group. Mansoor is a million dollar dissident,” said Scott-Railton.

Ron Deibert, director of the Citizen Lab and professor of political science at the Munk School of Global Affairs, said that, troublingly, all three of the companies whose spyware was used to target Mansoor are owned or operated by companies based in countries with democratic systems of governance: the United States and Israel (NSO Group), Germany and the United Kingdom (Gamma Group’s FinFisher), and Italy (Hacking Team).

“That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace. This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real crisis of democracy and human rights,” said Deibert.

NSO’s chief executive, Shalev Hulio, referred questions to a spokesman, Zamir Dahbash, who said the company “cannot confirm the specific cases” covered in the reports.

Dahbash told the Guardian that NSO made sales within Israeli export laws to governments, which then operated the software. “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes.”

NSO marketing material says it also has capabilities for Android and BlackBerry devices. No version of the software has been exposed, indicating it remains effective.

— Read more in The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender (Citizen Lab, Munk School of Global Affairs, University of Toronto, 25 August 2016); Ronald Deibert, Disarming a Cyber Mercenary, Patching Apple Zero Days (Citizen Lab, Munk School of Global Affairs, University of Toronto, 25 August 2016); and an exclusive U of T News interview with Scott-Railton