Apple has issued an urgent update to its iOS mobile operating system following the revelation that three security flaws in the system could allow potential hackers to take control of an Apple device using a zero-day exploit.
The revelation that iPhone users aren’t as safe as thought came via researchers from Citizen Lab (Munk School of Global Affairs, University of Toronto) and security firm Lookout, Inc. who revealed that an iOS exploit code called Trident was being sold as part of the Pegasus spyware package offered by the NSO Group, an Israel-based “cyber war” company reportedly owned by American venture capital firm Francisco Partners Management.
According to the report, the discovery was made after human rights defender Ahmed Mansoor received an SMS text message on his iPhone promising “new secrets” about torture in jails in the United Arab Emirates (UAE) if he clicked on an included link; instead of clicking on the link Mansoor instead forwarded it to Citizen Lab for analysis.
What was then discovered led to the finding of the vulnerabilities in iOS:
The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
The three vulnerabilities discovered were:
- CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
- CVE-2016-4655: An application may be able to disclose kernel memory
- CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
Once discovered Apple was informed of the issue.
Strangely Apple did not implicitly discuss the vulnerabilities, stating on a support page that “for our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” but then detailed the updates in iOS 9.3.5 as addressing each of the vulnerabilities highlighted by Citizen Lab and Lookout.
While the chances of being targeted by hacking software that takes advantage of these vulnerabilities are slim, given that it is currently only being sold by a specialist firm and is not known to be in the wild, the publication of the vulnerabilities is likely to see others try to take advantage of unpatched devices.
Suffice as to say if you own an Apple device of any sort it’s highly recommended that you install the latest iOS update as soon as possible.
Image credit: defenceimages/Flickr/CC by 2.0