Citizen Lab researchers discover attack on iPhone belonging to UAE activist
Two University of Toronto researchers from the Munk School of Global Affairs' Citizen Lab have uncovered an iPhone-based attack on Ahmed Mansoor, a prominent United Arab Emirates human rights defender.
Bill Marczak and John Scott-Railton, in collaboration with Lookout Security, discovered the attack, which used zero-day exploits against Apple's iOS operating system. Citizen Lab shared the preliminary findings with Lookout Security for verification and further analysis, and undertook an immediate responsible disclosure of the zero-days to Apple Inc.
The report, The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, is being published today in conjunction with Apple’s release of iOS 9.3.5, which patches the vulnerabilities. Lookout is also publishing a technical analysis.
Ahmed Mansoor is an internationally recognized human rights defender based in the United Arab Emirates (UAE), and a 2015 laureate of the Martin Ennals Award (sometimes referred to as a "Nobel prize for human rights"). On August 10 and 11, he received SMS text messages on his iPhone promising "secrets" about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor forwarded the messages to Marczak and Scott-Railton, who recognized the links as belonging to NSO Group, an Israel-based "cyber war" company that sells government-exclusive "lawful intercept" spyware. NSO Group is owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”), which we are calling the Trident, that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
"We had been tracking what appeared to be NSO's infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received," said Marczak. "Activists like Mansoor are the 'canary in the coal mine' for targeted digital attacks: the advanced threats they face today will face us all tomorrow."
Once the researchers confirmed the presence of what appeared to be iPhone zero-days, they quickly initiated a responsible disclosure process by notifying Apple and sharing their findings. Apple responded promptly, releasing the iOS 9.3.5 patch, which closes the vulnerabilities that NSO appears to have been supplying to remotely hack iPhones.
The cost of a chain of zero-day exploits, the use of NSO Group's government-exclusive exploit infrastructure, and the prior known targeting of Mansoor by the UAE government together provide strong circumstantial evidence that the UAE government is once again likely responsible for this attack. Remarkably, this case marks the third commercial spyware suite employed in attempts to compromise Mansoor (see illustration, below). In 2011, he was targeted with FinFisher's FinSpy spyware, and in 2012 he was targeted with Hacking Team's Remote Control System. Both Hacking Team and FinFisher have been the subject of several years of revelations highlighting the use of these tools to target civil society groups, journalists, and human rights workers. The attack the Citizen Lab researchers describe in their report may be the most expensive effort yet to compromise Mansoor.
"We have never worked with someone who has been targeted with so much expensive commercial spyware. First FinFisher in 2011, then Hacking Team in 2012, and now NSO Group. Mansoor is a million dollar dissident," said Scott-Railton.
Troublingly, all three of the companies whose spyware was used to target Mansoor are owned and/or operated by companies based in countries with democratic systems of governance: the United States and Israel (NSO Group), Germany and the UK (Gamma Group's FinFisher), and Italy (Hacking Team).
“That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace. This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real crisis of democracy and human rights,” said Ron Deibert, director of the Citizen Lab and professor of political science at the Munk School of Global Affairs.