iPhone is marketed by Apple as one of the most secure smartphones. But recent reports of sophisticated spyware using zero-click exploits to take control of victims’ iPhones have put that claim doubtful.
A new report by MIT Technology Review states that in 2016, UAE spies acquired malicious iPhone hacking tools from a U.S. firm for $1.3 million. A group of American mercenary hackers created spyware that exploited a security vulnerability in iPhone’s iMessage app to gain access to a victims’ device. And the malicious tool was used for surveillance of hundreds of targets and espionage. The list of victims included geopolitical rivals, dissidents, and human rights activists.
An iMessage security flaw allowed American mercenaries to develop and sell an iPhone exploit to Abu Dhabi
As per the report, the US. Justice Department has filed documents related to the illegal sale between a U.S. firm and Emiratis. Although the documents do not mention the name of the company, sources claim that the American company Accuvant used iMessage flaw to develop and sell the spyware.
The iMessage exploit was the primary weapon in an Emirati program called Karma, which was run by DarkMatter, an organization that posed as a private company but in fact acted as a de facto spy agency for the UAE.
Reuters reported the existence of Karma and the iMessage exploit in 2019. But on Tuesday, the US fined three former US intelligence and military personnel $1.68 million for their unlicensed work as mercenary hackers in the UAE. That activity included buying Accuvant’s tool and then directing UAE-funded hacking campaigns.
The hacking tool is similar to NSO spyware Pegasus which also uses a zero-click exploit, presumably an iMessage flaw to hack the latest iPhone models. In December 2020, it was reported that Pegasus used an iMessage flaw in iOS 13.5.1 to hack Al Jazeera journalists’ iPhones. The attacks originated by Saudia Arabia and UAE were considered an act of espionage against Qatar-based Al Jazeera. Recent investigations on Pegasus revealed that over 50,000 journalists were among other victims of spyware. It is also linked to the murder of Saudi journalist Jamal Khashoggi.
Therefore, MIT Technology Review says that this “news of the sale sheds new light on the exploit industry as well as the role played by American companies and mercenaries in the proliferation of powerful hacking capabilities around the world.” Although Apple defended iPhone’s security by stating that;
Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.
Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
This week, the company released iOS 14.8 and iPadOS 14.8 for iPhone, iPad, and iPod touch which features security fixes and Apple recommends that all users update immediately. The update fixed an issue with Apple Watch not unlocking iPhone models with Touch ID and also patched the vulnerability exploited by NSO’s spyware Pegasus. Even with regular security fixes, cybersecurity experts say that Apple needs to do more to ensure the safety of its customers.
“Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply,” says Johns Hopkins University cryptographer Matthew Green.
