The Cyber Threat: iPhone Software Targeted in Government-Linked Hack

Rare zero day flaws found in Apple iOS

August 29, 2016

Years ago during lunch with a recently-retired National Security Agency cyber security official, I immediately noticed the former official’s iPhone as he placed it on the table next to his fork. Wow, I thought, if an NSA electronic spook is using an iPhone, those babies must be secure. Days later I traded in my cell phone for an iPhone and have been using them ever since.

I endured Apple’s proprietary restrictions, like the inability to change batteries, a company tactic that forces customers to buy a new phone every few years as the battery gradually wears out. So too did I accept the iPhone’s inability to expand its memory.

As someone who reports on cyber threats and is not viewed as a favorite reporter by certain foreign governments (and one heavily politicized American one), I decided to accept the limits on Apple handheld devices that today more and more have come to dominate our waking hours. NSA is not alone in adopting the widespread use of Apple devices for better security. Several federal agencies and military services also demand use of iPhones in key locations because of their inherent strong security. There is no question that iPhones are much safer against cyber attacks than other operating systems, like Google’s Android mobile OS.

But that is changing. Last week, Apple sent out an urgent notice to all customers to update their iPhone software with a security patch. Security flaws were discovered in the operating system, revealing that the cyber threat to iPhones, once the gold standard for handheld security, is reaching new heights.

Apple didn’t even know about the latest cyber attack against its software until two security companies discovered what security specialists call "zero day" flaws in the iPhone operating system. Zero days are the coin of the realm for hackers and foreign governments seeking to get into information systems, including computers and smartphones.

They’re called zero days because you have zero time to fix the security hole once hackers find it and start using it in attacks. The only solution is to patch the hole after the attacks take place, to limit the data theft or other damage.

The security firms Lookout and Toronto-based Citizen Lab found three zero days targeting iOS software that were used against the iPhone 6 of Ahmed Mansoor in early August. Mansoor, a United Arab Emirates-based pro-democracy activist, was sent text messages promising secrets on detainees held in UAE jails if he clicked on a link. He instead contacted the security firms.

Electronic analysis showed the malware link was a hacking ploy using the three unknown zero days that researchers traced to an Israel-based cyber security firm called the NSO Group, reportedly made up of former cyber sleuths from Unit 8200—Israel’s electronic intelligence service. NSO sells software called Pegasus, an electronic intercept tool used by governments.

The cyber attack was likely the work of the Emirates’ government, which in the past targeted the dissident for harassment. NSO executives aren’t talking.

The three-step iPhone hack was set up to cause a targeted victim to click on a fake website that would then use an application capable of downloading sensitive information from the phone’s memory. A third feature was the ability of the hackers to manipulate the hacked iPhone as if it were the owner’s device, or to disrupt its operations by corrupting the memory.

"Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements," Citizen Lab said.

Apple, which posted third-quarter revenue of $42.4 billion, had little to say about the cyber attack. A company spokesman said the vulnerability was patched immediately after the company was alerted. "We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits," the spokesman said.

Apple iPhone software remains secure from cyber attacks based on the company’s focus on tightly controlling the software and hardware for both security and commercial reasons.

For at least a decade, it used to be that if you were concerned about nefarious cyber bad guys, whether Chinese or Russian hackers or thieves and criminals secretly breaking into your phone, iPhones were the most secure. Statistics show that by comparison, the Apple operating system is far less vulnerable to cyber attack than other systems such as Android.

A Nokia security report shows that of the top 20 malware threats to smartphones, 19 affect Google’s Android devices. Only one spyware afflicted iPhones. But it was the first time in years that any malware targeting Apple devices had made it to the top 20 threats, an indication of the trends.

"The modern smartphone presents the perfect platform for corporate and personal espionage, information theft, denial of service attacks on businesses and governments, and banking and advertising scams," the Nokia warns. "It can be used simply as a tool to photograph, film, record audio, scan networks and immediately transmit results to a safe site for analysis."

As smartphones become more and more sophisticated, they are also becoming more and more ubiquitous.

Look at any busy street today and it is clear that smartphones are dominating our attention. People are on their handheld devices for phone calls, texts, buying things, transportation, navigation, and a host of other personal activities.

Reliance on handhelds will only increase as more and more of the elements surrounding us are computerized, such as cars, kitchens, houses and workplaces. The Apple hack and the discovery of three zero day flaws are a sign that electronic security needs to be increased across the board. Good device security is imperative and important to maintaining privacy and ultimately personal freedom.

The Cyber Threat column will be co-published on Flash//CRITIC Cyber Threat News