FOR IMMEDIATE RELEASE
Toronto, Canada (25 August 2016) — On August 10th, Citizen Lab researchers Bill Marczak and John Scott-Railton, with the collaboration of Lookout Security, discovered an attack using zero-day exploits against Apple’s iOS operating system. The attack targeted noted UAE-based human rights defender Ahmed Mansoor. Citizen Lab shared the preliminary findings with Lookout Security for verification and further analysis and undertook an immediate responsible disclosure of the zero-days to Apple Inc.
The report “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender” is being published today in conjunction with Apple’s release of iOS 9.3.5, which patches the vulnerabilities. Lookout is also publishing a technical analysis.
All iPhone owners should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version.
Ahmed Mansoor is an internationally recognized human rights defender, and a 2015 laureate of the Martin Ennals Award (sometimes referred to as a “Nobel prize for human rights”), based in the United Arab Emirates (UAE). On August 10th and 11th, he received SMS text messages on his iPhone promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers Marczak and Scott-Railton who recognized the links as belonging to NSO Group, an Israel-based “cyber war” company that sells government-exclusive “lawful intercept” spyware. NSO Group is owned by an American venture capital firm, Francisco Partners Management.
The ensuing investigation, a collaboration between researchers from Citizen Lab and Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”), which we are calling the Trident, that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
“We had been tracking what appeared to be NSO’s infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received,” said Bill Marczak, Senior Researcher at the Citizen Lab, adding “activists like Mansoor are the ‘canary in the coal mine’ for targeted digital attacks — the advanced threats they face today will face us all tomorrow.”
Once the researchers confirmed the presence of what appeared to be iPhone zero-days, they quickly initiated a responsible disclosure process by notifying Apple and sharing their findings. Apple responded promptly, releasing the iOS 9.3.5 patch, which closes the vulnerabilities that NSO appears to have been supplying to remotely hack iPhones.
“We have never worked with someone who has been targeted with so much expensive commercial spyware. First Finfisher in 2011, then Hacking Team in 2012, and now NSO Group. Mansoor is a million dollar dissident.” – John Scott-Railton, Senior Researcher, Citizen Lab
The cost of a chain of zero-day exploits, the use of NSO Group’s government-exclusive exploit infrastructure, and prior known targeting of Mansoor by the UAE government provide strong circumstantial evidence that the UAE government is once again likely responsible for this attack. Remarkably, this case marks the third commercial spyware suite employed in attempts to compromise Mansoor. In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System. Both Hacking Team and FinFisher have been the subject of several years of revelations highlighting the use of these tools to target civil society groups, journalists, and human rights workers. The attack the Citizen Lab researchers describe in their report may be the most expensive effort yet to compromise Mansoor.
Troublingly, all three of the companies whose spyware was used to target Mansoor are owned and/or operated by companies based in countries with democratic systems of governance: The United States and Israel (NSO Group), Germany and the UK (Gamma Group’s FinFisher) and Italy (Hacking Team).
“That a country would expend millions of dollars, and contract with one of the world’s most sophisticated cyber warfare units, to get inside the device of a single human rights defender is a shocking illustration of the serious nature of the problems affecting civil society in cyberspace. This report should serve as a wake-up call that the silent epidemic of targeted digital attacks against civil society is a very real crisis of democracy and human rights.” – Ron Deibert, Director of the Citizen Lab and Professor of Political Science at the University of Toronto’s Munk School of Global Affairs
For media inquiries, contact:
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Guide on Citing in Media
Title: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
Authors: Bill Marczak and John Scott-Railton
Senior Researchers at Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 25 August 2016
Report URL: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/