Citizen Lab researchers discover attack on iPhone belonging to UAE activist
Two University of Toronto researchers from Munk School of Global Affairs Citizen Lab have uncovered an iPhone-based attack on Ahmed Mansoor, a prominent United Arab Emirates human rights defender.
Bill Marczak and John Scott-Railton, with the collaboration of Lookout Security, discovered the attack, which used zero-day exploits against Apple’s iOS operating system. Citizen Lab shared the preliminary findings with Lookout Security for verification and further analysis and undertook an immediate responsible disclosure of the zero-days to Apple Inc.
The report, , is being published today in conjunction with Apple’s release of iOS 9.3.5, which patches the vulnerabilities. Lookout is also publishing a technical analysis.
Ahmed Mansoor is an internationally recognized human rights defender, and a 2015 laureate of the (sometimes referred to as a “”), based in the United Arab Emirates (UAE). On August 10 and 11, he received SMS text messages on his iPhone promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Marczak and Scott-Railton, who recognized the links as belonging to NSO Group, an Israel-based “cyber war” company that sells government-exclusive “lawful intercept” spyware. NSO Group is owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and Lookout Security, determined that the links led to a chain of (“zero-days”), which we are calling the Trident, that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
“We had been tracking what appeared to be NSO’s infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received,” said Marczak. “Activists like Mansoor are the ‘canary in the coal mine’ for targeted digital attacks -- the advanced threats they face today will face us all tomorrow.”
Once the researchers confirmed the presence of what appeared to be iPhone zero-days, they quickly initiated a responsible disclosure process by notifying Apple and sharing their findings. Apple responded promptly, releasing the iOS 9.3.5 patch, which closes the vulnerabilities that NSO appears to have been supplying to remotely hack iPhones.
The cost of a chain of zero-day exploits, the use of NSO Group's government-exclusive exploit infrastructure, and by the UAE government provide strong circumstantial evidence that the UAE government is once again likely responsible for this attack. Remarkably, this case marks the third commercial spyware suite employed in attempts to compromise Mansoor (see illustration, below). In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System. Both Hacking Team and FinFisher have been the subject of several years of revelations highlighting the use of these tools to target civil society groups, journalists, and human rights workers. The attack the Citizen Lab researchers describe in their report may be the most expensive effort yet to compromise Mansoor.
“We have never worked with someone who has been targeted with so much expensive commercial spyware. First FinFisher in 2011, then Hacking Team in 2012, and now NSO Group. Mansoor is a million dollar dissident,” said Scott-Railton.
Troublingly, all three of the companies whose spyware was used to target Mansoor are owned and/or operated by companies based in countries with democratic systems of governance: the United States and Israel (NSO Group), Germany and the UK (Gamma Group’s FinFisher) and Italy (Hacking Team).
“That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace. This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real crisis of democracy and human rights,” said Ron Deibert, director of the Citizen Lab and professor of political science at the Munk School of Global Affairs.