iPhone Zero-Day Used by UAE Government

Last week, Apple issued a critical security patch for the iPhone: iOS 9.3.5. The incredible story is that this patch is the result of investigative work by Citizen Lab, which uncovered a zero-day exploit being used by the UAE government against a human rights defender. The UAE spyware was provided by the Israeli cyberweapons arms manufacturer NSO Group.

This is a big deal. iOS vulnerabilities are expensive, and can sell for over $1M. That we can find one used in the wild and patch it, rendering it valueless, is a major win and puts a huge dent in the vulnerabilities market. The more we can do this, the less valuable these zero-days will be to both criminals and governments—and to criminal governments.

Citizen Lab blog post and report. New York Times article. More news articles.

Posted on August 29, 2016 at 1:21 PM • 49 Comments

Comments

Lee August 29, 2016 2:12 PM

That we can find one used in the wild and patch it, rendering it valueless, is a major win and puts a huge dent in the vulnerabilities market. The more we can do this, the less valuable these zero-days will be to both criminals and governments — and to criminal governments.

I disagree. Surely the more vulnerabilities we detect the greater the value of the non-discovered vulnerabilities?

If anything it makes the market more aggressive and companies like NSO will offer a higher reward than the manufacturer. Some hackers, actuated by economic motivation or otherwise, will sell to the highest bidder instead of making the disclosure directly to the manufacturer.

In turn, whilst there will be fewer vulnerabilities (which is a good thing), companies will go to great lengths to keep their newly purchased spoils secret. This particular triad of vulnerabilities existed since iOS 7 – nearly 3 years ago!

Josh August 29, 2016 2:20 PM

A country that does not recognize Israel was sold a zero day by an Israeli security firm to suppress activists.

Globalism at its finest.

Just An Australian August 29, 2016 2:59 PM

“criminal governments” – I presume you didn’t mean to include the US government, but right now, the question appears to be, which governments that are interested in zero-day exploits are not criminal?

Ulrich Boche August 29, 2016 3:05 PM

Quote: A country that does not recognize Israel was sold a zero day by an Israeli security firm to suppress activists.
Globalism at its finest.

What kind of ethical standard would you expect from Benjamin Netanyahu?

Bardi August 29, 2016 3:38 PM

“What kind of ethical standard would you expect from Benjamin Netanyahu?”

I don’t see much difference between him and Assad, or, Saddam, for that matter.

ELI August 29, 2016 4:20 PM

@Bardi, one big difference: Assad’s Syria (with Cuba) initiated and organized the diplomacy that formally defined and protected human rights defenders. Netanyahu, by contrast, is placing restrictions on human-rights NGOs with an approach that is similar to Russia’s. So it makes sense that Israel is a world leader in stamping out the threat of human rights.

Funny how you don’t hear much about it behind the Iron Curtain in the USA.

{} August 29, 2016 4:29 PM

It would be bizarre to make a distinction between “criminal” and “non-criminal” governments.
If vulnerabilities are there, they will be abused. The temptations are too great. If the UAE government can spy on human rights workers, so can any other government or corporation.
Governments are huge organizations representing a wide array of interests. You simply cannot assume that every subgroup within such a large organization has identical goals. Or that every individual within a subgroup has identical goals. Or even that any single individual has internally consistent goals.
And you have to take group dynamics into account – no matter how intelligent, well-informed, and ethical the individuals in an organization are, the behaviour of the group as a whole tends to be less ethical and more short-sighted than the lowest common denominator.
This doesn’t mean we need to get rid of governments and corporations, but it does mean we need to be vigilant no matter how “democratic” or “free” we think we are.

John Macdonald August 29, 2016 4:29 PM

@Lee – It works both ways. Sure, the remaining 0days are more valuable – but only until they are noticed and patched. As soon as a 0day gets used in a way that gets noticed, leading to it getting patched, it becomes worth far less. All it takes is one customer being sloppy (or deliberately open) to make follow-on sales disappear. Having a significant probability of limited shelf life takes away some of the incentive to develop a 0day into a working attack product.

EvilKiru August 29, 2016 4:43 PM

I think it’s important to note that the UAE tried to use a zero-day vulnerability against a human rights defender and failed, because instead of falling for the attempted click-baiting via SMS, the intended victim forwarded the SMS messages to Citizen Lab for analysis.

Iron Joe August 29, 2016 4:49 PM

@Josh
Re: A country that does not recognize Israel was sold a zero day by an Israeli security firm to suppress activists.

“When we hang the last capitalist, he’ll sell us the rope.” — Nikita K.

Daniel August 29, 2016 5:17 PM

@Not me.

The Dear Abby of the computer security world would write exactly one column with one piece of advice…

Turn off your computer. Don’t turn it on again.

{} August 29, 2016 5:25 PM

@Josh @Iron Joe
I’d be a lot more surprised if NSO Group sold to the governments of Iran and Syria or to Hezbollah.
Sale to the government of the UAE would be consistent with Israel’s current foreign policy strategy.
An article in Forbes claims that the NSO Group has ties with Israel’s national security establishment, and that the mentality of NSO Group and similar companies is “if we can get away with doing it, then it’s legal and ethical.”
http://www.forbes.com/sites/thomasbrewster/2016/08/25/everything-we-know-about-nso-group-the-professional-spies-who-hacked-iphones-with-a-single-text/
If you scroll down on the Citizen Lab report, you can see that NSO Group tools seem to have been used in a whole rogue’s gallery of regimes. I don’t think NSO Group is very picky about who they sell to, as long as the customer is close to the top of the list of Israel’s perceived enemies.

Ergo Sum August 29, 2016 5:27 PM

@ELI..

Funny how you don’t hear much about it behind the Iron Curtain in the USA.

I guess you could say that the presstitutes in the US are in charge of operating the Virtual Iron Curtain. Albeit they are much more gentle than that, pulling wool over people’s eyes instead…

Tony H. August 29, 2016 5:33 PM

So presumably the makers of this malware and its deployment infrastructure are going to get rapidly better at precise targeting. Citizen Lab evidently used a different phone model with certainly a different serial number, and by the sound of things used it from a network in Canada rather than in the UAE (unless they are carefully avoiding making public a lot of detail). Yet the malware serving site and subsequent chain nonetheless deployed the valuable zero-days on it, and thus allowed CL and their partners to analyze them.

They’re also going to learn a bunch about reusing old domains and IP addresses, I would think.

Lee August 29, 2016 5:46 PM

@John Macdonald

As soon as a 0day gets used in a way that gets noticed, leading to it getting patched, it becomes worth far less. All it takes is one customer being sloppy (or deliberately open) to make follow-on sales disappear. Having a significant probability of limited shelf life takes away some of the incentive to develop a 0day into a working attack product.

Once discovered I accept it’ll become worth less and then totally worthless once patched (or, IF patched when talking about Android) to the actor deploying the vulnerability.

Sometimes the vulnerabilities aren’t actually sold to an end-user. Hacking Group had some products which they controlled and fed the intercepted data (of the target) to their customer. Any sloppiness would be their responsibility.

The point I was making however is that the vulnerabilities tend to be discovered by individual hackers/researchers and not the companies who ultimately purchase them. To the self-employed hacker he isn’t bothered about the shelf life – he gets payment upon disclosure.

If anything having a short shelf life encourages other hackers to actively seek new vulnerabilities (or even those already known, albeit only known to select companies) because they get paid per discovery subject to NDA.

The small recompense paid by Apple doesn’t encourage hackers to approach them directly.

I’m pleased it took Apple only 10 days to fix the issue, but the problem exists on a far greater scale across the 84% of non-Apple devices which rarely, if ever, receive updates.

Mike Amling August 29, 2016 6:27 PM

From Citizen Lab’s report:

The messages promised “new secrets” about…

Another object lesson illustrating why it’s not a good idea to click on clickbait.

ELI August 29, 2016 6:48 PM

@Ergo Sum, much more gentle, nyuk nyuk, Tell that to Barret Brown, or Scott Olsen, or the Occupy Houston guys with the laser dots on their heads. The neo-Soviets running the USA aspire to full-spectrum repression.

@EvilKiru, yes, and Mansoor’s social engineering was particularly entertaining, ‘Gee, I tried and tried but I just couldn’t open it…’ Good thing Mansoor went to Citizen Lab and not Anonymous, or Omri Lavie would now be the new Aaron Barr.

Daniel August 29, 2016 8:24 PM

@Tony H.

The question for a middle man like the NSO becomes the degree of entanglement, whether they are selling a product or a service. It is inaccurate to think of these groups as buying the zero day and then packaging it as part of a more developed software framework. What is actually occurring is the outsourcing of spying.

There is a significant perceptual difference between a company that sells its product to everyone and a company that is working as an agent for someone else. The more targeted the attack becomes the more the veneer of corporate neutrality is stripped away. At some point in time Israel becomes complicit in UAE human rights abuses, not merely a cyber weapons dealer.

If you are having difficulty conceptualizing this difference, think of this analogy. It is one thing for a company to sell a gun to a random stranger. It is another thing for the company to pick up the gun it just sold and go, “OK… who do I shoot this time?” Right now, the NSO has at least a tincture of plausible deniability, but do some of the things you suggested and much of the plausibility in their deniability goes away.

Clive Robinson August 29, 2016 8:26 PM

@ Daniel,

Turn off your computer. Don’t turn it on again

Is but stage one; you have to go “The Full Jimmy Hoffa”[1] on it, i.e. bash, break, butcher, burn and bury what little is left in some foundations somewhere.

[1]@Wael, another saying to add to the list 😉

Wael August 29, 2016 10:06 PM

@Clive Robinson,

Wael, another saying to add to the list

Nice one. Will have to jot it down. Too long to commit to the primitive monkey brains’ memory 🙂

Wael August 29, 2016 10:17 PM

Too many questions in my mind: First, It’s not normal behavior for someone to report a suspicious SMS to Citizen Lab (why them, too?) The guy either had a tip, or he encountered similar situations in his past, which is not too far fetched. What was he trying to accomplish anyway? Expose some zero-day exploits? Highly unlikely.

The other question that immediately comes to mind: Why did Citizen Lab test the suspicious link on an iPhone 5, knowing that the guy used an iPhone 6, and likely the attackers knew that as well? Would be nice if someone from Citizen Lab explained that to us here — we’ll be nice… (Couldn’t afford an iPhone 6 is not an acceptable answer) 😉

There are other questions, but perhaps they’re not appropriate to ask or comment on. The story seems a little strange (my tin foil hat is running thick tonight.)

{} August 30, 2016 12:07 AM

@Wael “It’s not normal behavior for someone to report a suspicious SMS to Citizen Lab”
It is normal behavior if you already know that you’ve been under attack from FinFisher and Hacking Team, as outlined by the Citizen Lab report.
Anyone who’s well-known in pro-democracy circles or is trying to report on human rights risks attracting the wrong kind of attention. So it pays to err on the side of caution.
I can’t speak for Ahmed Mansoor but I think the answers for most of the rest of your questions are obvious.
Citizen Lab was an obvious choice, because they’re a respected academic outfit that has the capability and isn’t under direct government control. They get funding from ideologically diverse[1] sources, and are relatively nonpartisan[2], and have no commercial interest in hoarding zero days.
If you report a suspicious SMS to the police they’ll either get mad at you for wasting their time, or just laugh at you – they aren’t going to do anything about it.

“What was he trying to accomplish anyway?”
Under the circumstances, failure to do anything about the suspicious SMS would have exposed innocent people to danger.

“Expose some zero-day exploits?”
Yes. See my answer above.

“my tin foil hat is running thick tonight”
Mine is never quite thick enough.

[1] Some strange bedfellows in there, but nothing to get too paranoid about.
[2] Yes, they are Canadian. What can I say? Nobody’s perfect. 😉

Wael August 30, 2016 12:25 AM

@{},

Hmm. Makes sense! I am not familiar with the guy, and nothing against Citizen Lab. I just wondered how he knew about them. But if he’s been a target, then the rest of your answers are acceptable.

What about the iPhone 5, what’s your take on that?

Bob August 30, 2016 1:13 AM

@ Daniel wrote, “Turn off your computer. Don’t turn it on again.”

Oh Dear, you can turn it on. Just don’t do anything with it. 🙂

Mark August 30, 2016 3:15 AM

If Apple were really serious about our security and privacy, they’d be outbidding everyone else.

They can afford it.

Clive Robinson August 30, 2016 4:19 AM

@ Wael,

Too long to commit to the primitive monkey brains’ memory 🙂

You only need to remember the bit in quotes to get the message across… And if that’s too long for your rapidly degenerating 6lb of cooling porridge, just “Do a Hoffa” will do…

Jonathan Wilson August 30, 2016 5:03 AM

If I was Apple or Google or Microsoft or Adobe or Oracle or Cisco or some other big software company, I would be using all the lobbying power at my disposal to lobby governments around the world to make it illegal to buy, sell, profit from or intentionally conceal vulnerabilities in computer software. Have nice strong penalties to deter the bad guys (maybe a few years in a suitable gulag or supermax or other nasty prison would work) and pursue the black-hats as vigorously as the FBI pursued the Silk Road drug marketplace or the MegaUpload file sharing site.

Oh, and for anyone in Australia (or who can otherwise get hold of a copy), I suggest watching this week’s episode of 4 Corners; it’s very relevant to all this stuff.

Iron Joe August 30, 2016 7:44 AM

@Clive, @Wael

Hoffa wasn’t buried in a foundation. For those of you fond of Vienna sausages, I hope one of you at least found the pinkie ring in your can. Otherwise, bon appétit.

@Daniel

If we’re outsourcing spying, does that mean we’ll soon be able to buy zero days at Walmart?

Bounty August 30, 2016 9:35 AM

The CL story is great work, and a good example of how you have to take a stand without getting crushed by the US government. Whenever there’s outrageous state overreach going on, tell a story about it being done to skinny brown-eyed foreign people, by evil foreign dictators.

When of course NSO ‘works with homeland security organizations.’ Does anybody know any homeland security organizations? I can only think of one…

And in the USA, DHS is the political police:

http://wallstreetonparade.com/2016/08/department-of-homeland-security-has-surprise-for-bernie-supporters-at-dnc-lawsuit-hearing/

Jeh Johnson, Obama’s Beria, is using NSO to surveil and disrupt dissident groups and concealing it with spurious classification. It would be hard to hack out the documentation, so whistleblowers will have to come forward.

Don’t worry, they will.

Clive Robinson August 30, 2016 1:59 PM

@ Marcos Malo,

Shouldn’t the Full Hoffa be the first step?

Only if you want it to be a shocking experience 😉

r August 30, 2016 4:43 PM

@Clive, Marcus Malo, Wael

To wit, my monkey brains tell me that people disappear everyday. It’s not really all that shocking is it?

I almost (on the police fake terrorist threat thread) the other day made the point that the response used to be to prostrate oneself and one’s sins before God when faced with an untimely end, not freak out about having left the lights on at the house or other unfinished affairs.

Ah well, love it or leave it I guess.

Jason August 30, 2016 5:37 PM

Now that Citizen Lab has discovered and reported not one, but three valuable zero-days that were used to compromise the iPhone, the NSO Group is most likely feeling the pinch from one of their cash cows being killed when Apple issued a security update. Unlike Android with its almost non-existent security, there are not an almost unlimited number of zero-days for the iPhone. I expect there will be a considerable amount of behind-the-scenes maneuvering taking place to attempt to defund or disband Citizen Lab.

reader August 31, 2016 7:59 AM

@Wael

they write:

Suspecting the links to be iPhone spyware associated with NSO Group (Section 6), we accessed them from our own stock factory-reset iPhone 5 running iOS 9.3.3. Mansoor’s device is an iPhone 6, running iOS 9.3.3; we did not have an iPhone 6 available for testing. Although the latest iOS version when Mansoor received the links was 9.3.4, this version had been released only one week beforehand.

Wael August 31, 2016 10:25 AM

@Reader,

they write: […] we did not have an iPhone 6 available for testing.

And I wrote: Couldn’t afford an iPhone 6 is not an acceptable answer

Lucky for Citizen Lab, the malware didn’t check for additional parameters before it infected the device. If I were them (the morons at NSO,) I would have done more checks… Maaaaaybe I would have even read the RFTM that came with the crapware they got suckered into buying 😉 LOL

If I were in Citizen Lab’s position, I would have done things a little differently. This takes nothing away from them — they have done a marvelous job.

Now I should expect a link to be sent to my Smart Device(s) or one of my 1000’s of email addresses (which I forgot the password to, by the way!)

WhiskersInMenlo September 1, 2016 3:03 PM

Was I asleep when the def. of Zero-Day exploit changed?

My old definition was that a zero day exploit was generated based on information from a published bug fix. That information is then used to generate an exploit on the 0th day that the patch goes live. The differences can be source patch differences or an analysis of binary bits — perhaps disassembled.

This gives a day or so for the bad guy armed with the reverse engineered differences obtained on day zero to attack systems that are slow to patch.

Obviously the slowest to patch are those with the biggest IT departments and most Kafka-inspired patch policy. The largest and most vulnerable may be national government agencies like the US State Department and US NSA.

We need better language to communicate information about patches and exploits.

The exploit being used by the UAE government was not a zero-day exploit. It was discovered initially as a nation state exploit by Citizen Lab and reported to Apple.

There may be zero-day exploits based on the patch but the article omits any hint of such an exploit.

A better headline might be:
“Apple patches an active nation state exploit.”

Other patch events might be:
“Apple patches an active criminal cartel exploit”.
“Apple patches an active script kiddie exploit”.
“Apple patches an anonymous bug reported exploit”.

s/Apple/$other/g

Thoughts?

PS: the fill in the blank with _____ gate has advantages when a mouse pad touch is too quick to submit.

r September 1, 2016 4:16 PM

@WhiskersInLowMem.

It’s funny you asked that question; that’s where I think one of the spots the NSA is playing weasel with our woodles: “We don’t rely on 0-Days.”

Dirk Praet September 1, 2016 6:46 PM

@ WhiskersInMenlo

My old definition was that a zero day exploit was generated based on information from a published bug fix. That information is then used to generate an exploit on the 0th day that the patch goes live.

Technically, you’re correct. The denomination 0-day nowadays mostly refers to an exploit for a hitherto unknown and unpatched vulnerability. It’s a bit like everyone calling hackers what are actually crackers. I guess we could call it an EUV (exploit for unpatched vulnerability) or an IET (improvised exploitation tool), but that doesn’t even remotely sound as cool as 0-day. So until someone comes up with something more catchy, I suppose it’s gonna stay 0-day.

@ r

… that’s where I think one of the spots the NSA is playing weasel with our woodles …

That’s actually not even that far-fetched.

Wael September 1, 2016 6:53 PM

@Dirk Praet, @WhiskersInMenlo,

IET (improvised exploitation tool)

+1

That was very clever and damn funny! I needed that, thanks 🙂

Wael September 1, 2016 6:58 PM

@WhiskersInMenlo,

You’re absolutely right.

@Dirk Praet,

You need to copyright the expression “IET”. It’s much better than “0-day” 😉

Alan September 1, 2016 8:23 PM

@ WhiskersInMenlo

“There may be zero-day exploits based on the patch but the article omits any hint of such an exploit.”

You’re expecting too much from news articles. Sometimes words get in the way of, obfuscating, Truth. Sometimes it’s accidental, sometimes it’s deliberate. It’s like asking someone to RFTM and we all understood it.

reader September 2, 2016 2:16 AM

@Wael
I don’t want to argue,
I also agree with you (things might be done another way), marvelous job CL,

my speculation is that they were in a hurry and didn’t have a 6 around,

two other citations

We visited the links Mansoor sent us from a colleague’s factory-reset stock iPhone,

Special thanks to Nicholas Weaver for supplying the iPhone that we infected…

@Dirk Praet

I vote for your EUV 🙂

Wael September 2, 2016 3:22 AM

@Reader,

I don’t want to argue,

That’s good. It wasn’t my intention, either.

my speculation is that they were in a hurry and didn’t have a 6 around

It’s a possibility. It could also be a form of disinformation – I don’t expect them to disclose their tactics. It was just puzzling to me. Time was probably the determining factor, as you say. That makes more sense.

Special thanks to Nicholas Weaver for supplying the iPhone that we infected…

I did not read the whole report. When time allows, I usually read every word. It’s not possible to read everything and every link that’s shared here. That’s why sometimes I ask questions. I have not seen those two citations, to be specific.

agent rng September 2, 2016 12:20 PM

@reader,

When I first saw EUV yesterday(?), I have to admit I concur. Maybe even UEV ‘unidentified exploitable vector’?

Patrick Star September 6, 2016 6:04 AM

The term “0 day” comes from the warez scene, where it means “pirated copy of something not released yet”. Which in exploit terms becomes “exploit for vulnerability not public yet”.

Warez BBS’s used to have policies like “0 day warez only” (the very coolest) or “30 day warez only” (not quite as cool but still not the bottom of the hierarchy).

An exploit for something just patched would be a “1 day”, though that’s rarely used because often the most important distinction is whether it’s patched or not, not how long ago.
I guess it would be more correct to call unpatched/unreleased stuff “negative day”, but it’s not up to me to decide the terminology :-).

Also, there’s a bit of a grey zone when it comes to exploits for vulnerabilities that are known but still unpatched etc.
