iPhone spying flaw: What you need to know about Apple's critical security update

Apple has issued a software update to patch the flaw Credit: PA

Apple has issued a critical security update after the discovery of never-before-seen vulnerabilities that allow hackers to spy on iPhones’ emails, messages and phone calls.

The “Trident” flaw represents the biggest security scare yet for users of iOS – the operating system on iPhone, iPad and iPod Touch.

The hack is worrying not only for its power but also its simplicity: all that is required for it to work is a web link. Users are urged to update their software as soon as possible to protect themselves.

What is the Trident flaw?

Trident is actually a trio of “zero-day” iOS flaws – so-called because they were undiscovered until now – which effectively “jailbreak” an iPhone.

Using it, the spy can gain access to the device’s kernel – the core of the operating system – which has privileged access to operate the phone. This means it can turn on the camera or microphone, install surveillance software, and read the contents of emails and messaging apps, as well as calendars.

All of this can happen without the user knowing as it occurs in the phone’s underlying code.

How does it work?

For a phone to be breached, all that has to happen is for the user to click a link that opens in Safari, which activates a bespoke piece of spying software named “Pegasus”.

A user may be enticed to click a link in an email phishing scam or via SMS phishing, when the user is sent a text asking them to tap a link. These “SMiShing” techniques often see hackers masquerading as official Apple, Facebook or bank accounts.

Everything that the software can attack Credit: NSO

When the user clicks the link, it activates a piece of code that can take advantage of a memory vulnerability in the iOS software to run two further exploits that can locate the kernel and then access it.

How was it discovered?

Ahmed Mansoor, a human rights activist, received a strange text on his iPhone two weeks ago which read “New secrets about torture of Emiratis in state prisons” with a web link. Instead of clicking on the link, Mansoor forwarded it on to Bill Marczak, a researcher at Citizen Lab.

The text received by Mansoor Credit: Citizen Lab

Citizen Lab and mobile security firm Lookout tested the link on a dummy iPhone to see exactly what happened, revealing the huge vulnerability that it creates.

It was passed on to Apple, which issued an iOS update on Thursday – roughly 10 days after it was alerted. If Mansoor had not thought twice about clicking the link, it may never have been discovered.

Who is responsible?

All fingers appear to point to NSO Group Technologies, an Israeli surveillance company that sells its spying software to governments.

The company, founded in 2010, has no website and maintains a low profile. However, it describes itself as a “leader in the field of cyber warfare”, and has previously claimed to be “a complete ghost”. 

NSO said: “The company sells only to authorised governmental agencies, and fully complies with strict export control laws and regulations,” and said that agreements with governments require that its technology must be used lawfully.

How do I protect myself?

iOS users should immediately update their phones to iOS 9.3.5 – the version that includes Apple’s patch.

To do this, go to Settings -> General -> Software Update, and install the latest update.

What the update screen looks like

It’s unlikely that this is the only zero-day flaw that could affect iPhones: several have been discovered over the last few months and years, and although Apple is very good at applying updates when it knows about them, many may lie undiscovered, known only to surveillance companies such as NSO.

It’s generally a bad idea to click links from suspicious text messages or emails, as this is the most common way to attack people.

 
