Nonetheless, it’s critical to install the update now that the exploits have been documented, as attackers may attempt to weaponize this approach for out-of-date devices. However, Marczak noted, “It was a fairly sophisticated exploit and we did omit some details about which functions were vulnerable,” so criminal organizations may not be able to take advantage before most iOS users have updated.
Users should also avoid—now and forever!—clicking on links in SMS messages from unknown parties. Because SMS messages can be spoofed, clicking links may be dangerous even when the message appears to come from a known party.
How the exploits work
Citizen Lab is a project at the University of Toronto’s Munk School of Global Affairs, where researchers have looked into how power is exercised in digital realms, specializing in human rights and global security. The Citizen Lab report was conducted in collaboration with Lookout Security, and it builds on previous work the group did to chart the extent of a group it labeled Stealth Falcon—which targeted internal and external critics of the United Arab Emirates (UAE) government. While Citizen Lab had identified Stealth Falcon’s infrastructure, it hadn’t connected active malware with it.
On August 10, prominent UAE human-rights activist Ahmed Mansoor received dubious SMS messages with links to click for information ostensibly about abuses. Mansoor has been jailed, is banned from traveling outside the UAE, and is the victim of two previous so-called “lawful intercept” efforts. Lawful intercept refers to a government using the force of local law to obtain information from a network, although the methods used may not always fit within statutory or constitutional protections in the country in which they occur.
Rightly dubious, Mansoor forwarded the messages to Citizen Lab, which then partnered with Lookout Security to test the malware and identified three separate zero-day exploits—flaws that can be exploited in currently released software. Here’s how the chain of exploits works:
- The executed binary uses an exploit that allows it to bypass a protection Apple uses within the operating system—Kernel Address Space Layout Randomization (or KASLR)—which should prevent malicious software from identifying where the core of the operating system is found running in memory.
- With the knowledge of where in memory the kernel can be found, a third exploit triggers, which corrupts kernel memory to disable iOS’s code-signing enforcement, the mechanism that blocks software not signed by Apple from running. This effectively jailbreaks the phone.
Researchers found that after these exploits were triggered in sequence, the executed binary then downloads and runs the spyware payload, which is designed to persist across reboots of iOS. It disables Apple’s automatic updates and removes other jailbreaks.