The Trident Exploit ⇥ citizenlab.org

There’s is one hell of a scary set of exploits that are capable of targeting deep capabilities within iOS devices. Before you read any further, be sure to update to iOS 9.3.5 if you haven’t already.

Bill Marczak and John Scott-Railton of the Citizen Lab:

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Lorenzo Franceschi-Bicchierai of Vice interviewed the researchers who disclosed this series of vulnerabilities:

“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” [Lookout VP Mike Murray] told Motherboard. “One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”

The people targeted by this spyware are largely activists and journalists for civil rights in Mexico and the United Arab Emirates, as well as users in Kenya. The spyware users are suspected to be government officials or intelligence agencies.

According to leaked NSO slides, this exploit is able to steal information from text messages, documents, photos, and lots more. As iOS 9 encrypts individual files and the system as a whole, I’d be interested to know how it’s able to access this data in a (presumably) usable-by-others manner. The researchers say it’s able to get FaceTime calls; what about iMessages?

Once the dust settles on this, I hope a report is published with the full scope of Trident’s abilities and the precise ways in which it exploits the JavaScriptCore engine.