Apple’s iOS 9 was hit by an exploit chain, dubbed Trident, built from three previously unknown (zero-day) vulnerabilities. Chained together, they could silently jailbreak an iPhone and then turn it into a tool for spying on its owner. Apple, which is known to take device security very seriously, responded to the threat quickly and issued security update iOS 9.3.5.
The issue was discovered after Ahmed Mansoor, a human rights activist in the UAE, received a suspicious message on his iPhone asking him to open a link that promised details of torture in UAE prisons. Instead of clicking, Mansoor reported the message to Citizen Lab, an internet watchdog based at the University of Toronto, which went on to uncover the flaws. Mansoor already suspected an attack: he had been targeted by spyware in the recent past because of his vocal public support for human rights in his homeland.
Citizen Lab and Lookout, a mobile security firm, have now published detailed blog posts on Trident, the exploit chain that affects iPhones and iPads and can be used to install sophisticated spyware. Both firms say the new update is a must for all iPhone users.
Interestingly, the firms have traced the spyware to an Israeli company called NSO Group, which is known for selling such tools to governments in order to fight what it calls ‘cyber-terrorism.’ NSO Group is also believed to be behind Pegasus, a spyware suite sold exclusively to government agencies and delivered through phishing attacks via SMS.
It is believed the Pegasus spyware was aimed at Mansoor’s iPhone via the malicious link. Had it been installed, all of his calls, messages, emails and more would have been recorded and sent to the agency operating it.
According to Lookout’s blog post, the Trident attack chains “three zero-day vulnerabilities” in iOS to break into an iPhone or iPad. Lookout says the spyware can then silently collect information from apps including Gmail, Facebook, Skype, WhatsApp, Calendar, FaceTime, Line, Mail.Ru and others.
So how can WhatsApp be spied on, when the app is end-to-end encrypted? End-to-end encryption protects a message in transit, between the sender’s device and the recipient’s. It does nothing once a device itself has been compromised at the root or kernel level: the message has to be decrypted on the phone for the app to display it, and spyware running with kernel privileges can read it there, whether from the app’s memory, from its local message store, or by hooking the app’s own functions. Any code that gains that level of privilege can, in practice, read every other app’s data.
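To make the point above concrete, here is an added example (not code from the article, Lookout or Citizen Lab) that models three vantage points on one end-to-end encrypted message: the network path, the receiving app, and an implant on the receiving device. The cipher is a simplified stand-in (an HMAC-SHA256 keystream, chosen so the script needs only the standard library); the app, observer and implant classes and the message are constructed for the demonstration. The implant never touches the key: it hooks the app’s receive routine and copies what the app decrypts for itself, which is the endpoint-side technique the paragraph describes.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Simplified stand-in cipher: HMAC-SHA256 in counter mode, standard library only.
    # It is NOT a real messaging protocol; it only makes the transit layer opaque.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class MessagingApp:
    """Constructed stand-in for a chat app: holds the session key, decrypts on the device."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self.inbox = []

    def receive(self, blob: bytes) -> bytes:
        message = decrypt(self._key, blob)
        self.inbox.append(message)
        return message


class NetworkObserver:
    """Whatever sits on the path (carrier, Wi-Fi, relay server): sees ciphertext only."""

    def __init__(self):
        self.seen = []

    def tap(self, blob: bytes) -> bytes:
        self.seen.append(blob)
        return blob


class EndpointImplant:
    """Spyware running with elevated privilege on the recipient's device.

    It never touches the key or the cipher; it hooks the app's own receive
    routine and copies the plaintext the app has just produced for itself.
    """

    def __init__(self, app: MessagingApp):
        self.captured = []
        original = app.receive

        def hooked(blob: bytes) -> bytes:
            message = original(blob)
            self.captured.append(message)
            return message

        app.receive = hooked  # instance attribute shadows the class method


def simulate(plaintext: bytes) -> dict:
    """Send one end-to-end encrypted message and report who could read it."""
    session_key = os.urandom(32)
    wire = NetworkObserver()
    recipient = MessagingApp(session_key)
    implant = EndpointImplant(recipient)

    blob = encrypt(session_key, plaintext)
    recipient.receive(wire.tap(blob))

    return {
        "network_sees_plaintext": plaintext in wire.seen[0],
        "implant_sees_plaintext": implant.captured[0] == plaintext,
        "app_got_plaintext": recipient.inbox[0] == plaintext,
    }


if __name__ == "__main__":
    print(simulate(b"meeting moved to 9, usual place"))
```

The network observer ends up with ciphertext it cannot read, while the implant ends up with exactly what the app displayed. Swapping the toy cipher for a real protocol changes nothing about that outcome, which is why a kernel-level compromise defeats every messaging app on the device at once.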
According to Citizen Lab, Trident gains access at exactly this level. The spyware also disables Apple’s software updates and removes any other jailbreak already on the phone, making sure its own installation stays in place.
In a separate post, Citizen Lab lists the exact vulnerabilities Trident chains, in order, to install the spyware:
CVE-2016-4657 (WebKit): Visiting a maliciously crafted website may lead to arbitrary code execution. This is the stage the link in the SMS triggers.
CVE-2016-4655 (kernel): An application may be able to disclose kernel memory. The leak defeats the kernel’s address-space randomisation so the next stage knows where to aim.
CVE-2016-4656 (kernel): An application may be able to execute arbitrary code with kernel privileges. This is the stage that jailbreaks the device.
According to Lookout, a Pegasus attack begins with an SMS carrying a malicious link, usually hosted on an “anonymized domain”, and ends with the spyware installed on the iPhone once the link is opened.
Worryingly, the spyware can activate the iPhone’s camera and microphone to listen in on conversations around the device, track the victim’s movements, steal messages and more, turning the iPhone into a sophisticated surveillance tool.
According to Lookout, ordinary individuals are unlikely to be targeted, since Pegasus carries a high price, but CEOs, CTOs and other executives need to watch out, as do enterprises with sensitive data at stake.
Citizen Lab also says such exploits are rare and expensive, and that the iPhone’s security reputation means “technically sophisticated exploits” are needed to install such spyware. Had Mansoor clicked on the link, the spyware would have recorded his WhatsApp and Viber calls as well as data from Skype, Facebook, KakaoTalk, Telegram and others. Even services that are usually secure would not have helped, because the spyware attacks the iPhone at the root level, which by design is inaccessible to apps in most cases.
Both Lookout and Citizen Lab have praised Apple for responding quickly and patching Trident in the 9.3.5 update, and recommend that all iPhone users immediately move to the new version of the OS.
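For an enterprise following that advice across a fleet, the practical check is whether every device is at iOS 9.3.5 or later. Here is an added example (not from the article or either firm) that triages a device inventory against that threshold. The inventory rows and their column names are constructed for the example and are an assumption, not any real MDM’s export format; the CVE identifiers are the three from Citizen Lab’s list above.

```python
import csv
import io

# iOS 9.3.5 is the release Apple shipped to close the Trident chain.
PATCHED_VERSION = (9, 3, 5)
TRIDENT_CVES = ("CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657")

# Constructed inventory export. Column names are an assumption, not a real MDM format.
SAMPLE_INVENTORY = """device_name,model,os_version
CEO-iPhone,iPhone 6s,9.3.4
CTO-iPad,iPad Air 2,9.3.5
Ops-iPhone,iPhone 5s,9.2.1
Lab-iPhone,iPhone 6,10.0.1
Legacy-iPhone,iPhone 4s,7.1.2
Loaner,iPhone,n/a
"""


def parse_version(text: str):
    """'9.3.5' -> (9, 3, 5); '9.3' -> (9, 3, 0); anything non-numeric -> None.

    Versions are compared as integer tuples, not strings: as strings,
    '10.0.1' sorts before '9.3.5' and would be flagged as unpatched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def is_exposed(os_version: str):
    """True if below the patched release, False if at or above, None if unparseable."""
    v = parse_version(os_version)
    if v is None:
        return None
    return v < PATCHED_VERSION


def triage(inventory_csv: str) -> dict:
    """Split an inventory into devices that are exposed, patched, or need a manual look."""
    result = {"exposed": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = is_exposed(row["os_version"])
        if status is None:
            result["unknown"].append(row["device_name"])
        elif status:
            result["exposed"].append(row["device_name"])
        else:
            result["patched"].append(row["device_name"])
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for name in report["exposed"]:
        print(f"{name}: below iOS 9.3.5, exposed to {', '.join(TRIDENT_CVES)}")
    for name in report["unknown"]:
        print(f"{name}: version unreadable, verify by hand")
```

Devices whose version cannot be parsed are reported separately rather than silently treated as safe; an inventory gap is exactly where an unpatched phone hides.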