While it may seem an Israeli digital arms dealer’s attempts to exploit vulnerabilities in iPhones mostly targeted high-profile users, a Tulsa-based cyber security expert said average users should also take steps to protect themselves.
The vulnerabilities, which affect all Apple iOS devices, including iPads and iPods, were revealed after Ahmed Mansoor, a human-rights activist in the United Arab Emirates, became suspicious of a link sent to him via SMS text message, said John Hale, a cyber security expert at the University of Tulsa.
Mansoor gave the information to Citizen Lab, a University of Toronto-based interdisciplinary lab focused on information and communication technologies and security, whose researchers soon discovered that the link was malicious, said Hale, a Tandy professor of bioinformatics and computational biology at the University of Tulsa.
The researchers’ work, conducted alongside San Francisco-based mobile security company Lookout, revealed three “zero-day” exploits in iOS, Hale said.
It appears that a secretive Israeli firm, NSO Group, is the author of the spyware, according to Citizen Lab and Lookout.
When exploited, the vulnerabilities — dubbed “zero-day” because they were previously unknown to Apple — give hackers total control of the device, Hale said.
“You can do anything you want. You can turn on the camera, steal all the information on it, track your messages, record your phone calls — do anything,” Hale said.
Apple released an iOS update Thursday to combat the vulnerabilities. Once the new operating system is installed, users should be safe from this specific attack, Hale said.
The hack uses a series of memory-corruption attacks to install unauthorized software onto the iPhone, iPad or iPod, bypassing normal security controls, Hale said.
“Maybe the good news is, to really fall for this it takes some user interaction,” Hale said.
Essentially, to become a victim of the cyber attack, one would need to click on the link.
Hale recommended two things to avoid falling prey:
• Update each device’s operating system to the most recent version, in this case iOS 9.3.5.
• Never trust unsolicited links.
Many times people will go days, weeks or months without updating their iOS, which Hale said isn’t a good practice but is especially concerning in the wake of these attacks.
As far as clicking on links, Hale said his general philosophy is to ignore unsolicited links.
“That’ll serve you in good stead for this and for a lot of other types of attacks because a lot of times, the bad guys rely on our naivety and our willingness to trust things that are sent our way,” Hale said.
Even though the attack that led to the discovery of the vulnerabilities was directed at a high-profile user, Hale said it’s still wise for everyday users to be concerned.
“I don’t know what they do, and, frankly, I don’t think many people do,” he said.
He added that if these vulnerabilities are exposed and made publicly known, it’s only a matter of time before other groups begin using and exploiting the information.
These people could be curious hackers or criminals engaged in organized crime, Hale said.
“All it takes is one anti-heroic act of programming to craft an exploit kit and publish it far and wide,” he said.
“And then anybody that has access to the internet can download that piece of hypothetical code and point it at your phone.”