Update: Apple has documented the security fix here.
Now that the just-released iOS 9.3.5 security update is now available, details about what exactly it fixes have been green lighted for release as well. Both Vice and NYT have detailed accounts of the very serious security issue that iOS 9.3.5 fixes…
The New York Times describes the exploit as one believed to be found an effort “to spy on dissidents and journalists.”
Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.
In response, Apple on Wednesday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.
The report notes that the exploit was fixed 10 days after first being discovered, an an Apple spokesperson added that all customers should update to the new software version.
Vice has a more eery account of how the exploit came to light:
On the morning of August 10, Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, received a strange text message from a number he did not recognize on his iPhone.
“New secrets about torture of Emiratis in state prisons,” read the tantalizing message, which came accompanied by a link.
Mansoor, who had already been the victim of government hackers using commercial spyware products from FinFisher and Hacking Team, was suspicious and didn’t click on the link. Instead, he sent the message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.
And here’s more detail on the surveillance company behind the exploit:
Since its founding in 2010, NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including a sale for $120 million to a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.
NOS’s malware, which the company codenamed Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.
Also of concern is that the exploit is believed to date back to iOS 7:
Moreover, the malware is programmed with settings that go all the way back to iOS 7, which indicates that NSO has likely been able to hack iPhone devices since the iPhone 5.
The 2010 iPhone 4 stopped receiving updates after iOS 7.1.2 and cannot update to the fix (so be aware). Apple’s iOS distribution data also says that 10% of active users are running iOS 8, although iOS 9 is compatible with any iOS 8 device and users can update.
The full Vice piece is especially worth a read, and all readers should advise family and friends to take the iOS 9.3.5 seriously if privacy is a concern. The latest iOS 10 beta already includes the fix.