“Digital Arms Dealers” in Spotlight
According to the Citizen Lab Website this message reads: “New secrets about torture of Emiratis in state prisons”). The sender’s phone numbers are spoofed.
Last week Apple did an unplanned update of iPads and iPhones to 9.3.5 to fix three security vulnerabilities. While this is hardly news in itself, the way these software flaws were revealed raises a lot of questions.
The security vulnerabilities, due to flaws in the IOS software, were discovered by Citizen Lab at the request of the United Arab Emirates (UAE) human rights activist Ahmed Mansoor. What happened is that Mansoor received an intriguing text message with a link (above photo). Mansoor did not recognize the number and though it contained a tempting message, he did not follow the link but instead requested that Citizen Lab analyze it.
What Citizen Lab found was alarming. They clicked on the link to see what would happen on their phones in the lab. What they found was the link took advantage of the three so called zero day vulnerabilities in IOS to infect it with “advanced” malware used to turn the phone into a spying device. The malware took over the camera and microphone. It could retrieve email, contacts, location, messages and really anything on the phone and send it to a remote server. When this malware is loaded, the phone is “owned” by the writers of the malware. Lesson: NEVER click on a link in an email or text message, whether you think you know the sender or not!
There is really only one attribution for this hack, the UAE government. They were the only ones to be even remotely threatened by Mansoor. So what of it? Don’t repressive governments around the world spy on their citizens all the time?
Well, the malware was apparently a tool sold by a private company called the NSO Group. This is an Israeli founded company but apparently owned by an American company, Francisco Partners.
I have personally had many dealings with the Israeli cybersecurity community since 2006 and can assure you that they have the talent and incentive to form such a company, and there are several other private companies doing this as well. They appear to be selling their hacking tools to foreign governments, who then use the malware to spy. What this means is that a small country does not need a large spying agency such as the NSA, it just needs money.
Obtaining and using unauthorized access of computing systems is a crime in the United States and elsewhere. As a private American citizen, you cannot legally hack into anyone’s computer anywhere in the world. But, apparently as an American you can own and profit from a company that does just that.
Posted in Cyber Security by Mark with comments disabled.