Apple released an update to iOS 9 on Thursday—iOS 9.3.5—that patches multiple critical zero-day vulnerabilities that had already been deployed in the wild, allegedly by governments to target activists and dissidents, according to a report from Citizen Lab and Lookout Security. Apple turned around the update within 10 days of receiving Citizen Lab’s initial report. The update is recommended immediately for all iOS 9 devices.
When used together, the exploits allow someone to hijack an iOS device and control or monitor it remotely. Hijackers would have access to the device’s camera and microphone, and could capture audio calls even in otherwise end-to-end encrypted apps like WhatsApp. They could also grab stored images, track the device’s movements, and retrieve files.
Some of the exploits may have been discovered months ago or longer, so there’s no way to know how widely they’re in use, but details suggest these active exploits in previous versions of iOS 9 weren’t in wide use and were deployed against individual targets.
“What we have seen from looking at these exploits is that it seems that they have been in the wild a bit longer than the 9.3.3/9.3.4 timeframe,” report co-author Bill Marczak of Citizen Lab said in an interview. iOS 9.3.3 was released on July 18.
An Apple spokesperson said, “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
Jailbreaks have been demonstrated but not yet released for iOS 9.3.4, and it’s possible those jailbreaks relied on one or more aspects of the three flaws now patched.
Zero-day exploits in iOS aren’t uncommon, based on efforts by jailbreakers, security researchers, and companies that sell flaws to governments (some of them selling to anyone who pays) at prices that can hit $500,000 to $1 million. However, this appears to be the first time the use of major active exploits was captured in the wild and thoroughly documented. Marczak said his organization had been tracking the infrastructure behind the exploit for some time before an activist forwarded phishing links, which matched a domain Citizen Lab had already been following.
The odds of any combination of these exploits being used to hit iOS users broadly are very low, as any widely-exploited bugs would have been observed by researchers and Apple. It’s most likely the flaws were kept close to the vest by any parties who discovered them, and were deployed for use only with high-value subjects of government or criminal syndicate interest.
As Lookout Security noted, “The going price for Pegasus [a mobile espionage product] was roughly $8 million for 300 licenses, so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value.”