How a US company allegedly sold iPhone hacking tools to a regime
When the United Arab Emirates paid over $1.3 million for a
powerful secret iPhone hacking tool in 2016, the monarchy’s spies – and the
American mercenary force they hired – immediately started using it.
The tool exploited a vulnerability in Apple’s iMessage app
and allowed the hackers to completely take over a victim’s iPhone. It is said
to have been used in a large-scale surveillance and espionage campaign against
hundreds of victims, including geopolitical rivals, dissidents and human rights
activists.
Indictment documents presented by the US Department of Justice on
Tuesday last week detail how the sale was carried out by a group of private
military contractors working for Abu Dhabi without political approval from
Washington. However, the documents do not reveal who sold the powerful iPhone
hacking capability to the Emiratis.
iMessage exploit was the main weapon
However, two sources familiar with the matter have confirmed
to MIT Technology Review that the vulnerability was developed and sold by an
American company called Accuvant. The company merged with another security firm
a few years ago, and what was left is now part of a larger company called
Optiv. The news of the sale sheds new light on the exploit industry – as well
as the role American corporations and mercenaries play in spreading powerful
hacking skills around the world.
Optiv spokesman Jeremy Jones wrote in an email that his
company “is fully cooperating with the Justice Department” and that Optiv is
“not the subject of this investigation”. That is accurate: the subjects of the
investigation are three former employees of US intelligence agencies or the
military who are alleged to have worked illegally for the UAE. However,
Accuvant’s role as developer and seller of the exploit was important enough to
be detailed in the Justice Department’s court records.
The iMessage exploit was the main weapon in an Emirati
program called “Karma”, which was operated by DarkMatter, an organization that
purported to be a private company but in reality acted as the de facto spy
agency of the UAE.
Vulnerability known for years
The existence of Karma and the iMessage vulnerability has
been known since 2019. On Tuesday last week, the US fined three former US
intelligence and military officials $1.68 million for their unauthorized work
as mercenary hackers in the UAE. This activity included acquiring the Accuvant
tools and running UAE-funded hacking campaigns.
The US court documents state that the exploits were
developed and sold by American companies, but the names of the hacking
companies were not disclosed. Accuvant’s role had not previously been reported.
“The FBI will fully investigate individuals and companies
who benefit from illegal criminal cyber activities,” said Bryan Vorndran,
assistant director of the FBI’s cyber division, in a statement. “This is a
clear message to everyone, including former US government employees, who have
considered using the Internet to exploit information under export control for
the benefit of a foreign government or business corporation. You risk something,
and what you do will have consequences.”
Successful developer of exploits
Although the UAE is considered a close ally of the United
States, DarkMatter has been linked to cyberattacks against a number of American
targets, according to court documents, informants and whistleblower
disclosures. With the help of US partners, and the expertise and money acquired
through them, DarkMatter built the UAE’s offensive hacking capabilities over
several years from almost nothing into an impressive and very active
intelligence organization. The group spent heavily on hiring American and
Western hackers to develop and sometimes direct the country’s cyber operations.
At the time of its sale to Optiv, Accuvant was a Denver,
Colorado-based research and development laboratory specializing in iOS
exploits. A decade ago, Accuvant made a name for itself as a prolific
discoverer of previously unknown vulnerabilities, working with major American
defense companies and selling software bugs to government customers. In an
industry that normally maintains a strict code of silence, the company
occasionally attracted public attention.
“Accuvant represents a kind of positive side of cyberwar: a
booming market,” wrote journalist David Kushner in a 2013 report on the company
in Rolling Stone. They are the kind of companies “that are able to develop
tailor-made software that can break into third-party systems and collect
information – or even shut down a server – for which they can receive up to $1
million”.
Critical iMessage vulnerabilities
Optiv has largely pulled out of the hacking industry after a
series of mergers and acquisitions, but Accuvant’s alumni network is strong and
still working on exploits. Two senior employees co-founded Grayshift, an iPhone
hacking company known for its hardware that is used by US law enforcement
agencies to unlock protected devices. Accuvant was selling hacking exploits to
several government and private sector customers, including the United States
and its allies – and the same iMessage exploit in question was being sold to
several other customers at the same time, MIT Technology Review learned.
The iMessage vulnerability is one of several critical
vulnerabilities in the messaging app that have been discovered and exploited in
recent years. With an update to the iPhone operating system in 2020, iMessage’s
security was completely redesigned to reduce its exposure. The new
security feature, called BlastDoor, isolates the app from the rest of the iPhone
and makes it harder to reach iMessage’s memory – the main way an attacker
could take over a target’s phone.
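The mitigation described above rests on one design principle: parse untrusted message data in a throwaway process, so that a bug in the parser costs only that process rather than the whole app. The following Python example, added here and not code from Apple, MIT Technology Review or any company named in the article, demonstrates that principle with a constructed toy wire format (a length header plus UTF-8 text, nothing like iMessage’s real encoding). A hostile blob makes the parser abort, standing in for the memory-safety bug an exploit would trigger; run in isolation, the caller simply receives a rejection instead of dying.

```python
import multiprocessing as mp
import os
import struct

# Constructed wire format for this demo (not iMessage's real format):
#   4-byte big-endian length | that many bytes of UTF-8 text


def encode_message(text: str) -> bytes:
    """Build a well-formed message blob in the toy format."""
    body = text.encode("utf-8")
    return struct.pack(">I", len(body)) + body


def parse_message(blob: bytes) -> str:
    """Parse one message in the calling process.

    A malformed blob makes the parser die with os.abort(), standing in for the
    memory-safety bug an exploit would trigger: run in-process, that crash
    would take the whole application down with it."""
    if len(blob) < 4:
        raise ValueError("truncated header")
    (declared,) = struct.unpack(">I", blob[:4])
    body = blob[4:]
    if declared != len(body):
        os.abort()  # simulated parser crash on hostile input
    return body.decode("utf-8")


def _worker(blob: bytes, conn) -> None:
    # Runs inside the throwaway child process; benign parse errors are
    # reported back as data, a crash simply ends the child.
    try:
        conn.send(("ok", parse_message(blob)))
    except Exception as exc:
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def parse_isolated(blob: bytes, timeout: float = 5.0) -> tuple:
    """Parse in a separate process, BlastDoor-style.

    Returns ("ok", text), ("error", reason) or ("rejected", reason). A crash
    or hang inside the parser only ever costs us the child process."""
    try:
        ctx = mp.get_context("fork")     # fork: no pickling of the target
    except ValueError:                   # platforms without fork
        ctx = mp.get_context()
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(blob, child_end))
    proc.start()
    child_end.close()                    # only the child holds the write end now

    result = None
    if parent_end.poll(timeout):         # readable: a result, or EOF if it died
        try:
            result = parent_end.recv()
        except EOFError:                 # child died before sending anything
            result = None
    proc.join(timeout)
    if proc.is_alive():                  # parser hung: kill it and move on
        proc.kill()
        proc.join()
        return ("rejected", "parser timed out")
    if result is None:
        return ("rejected", f"parser crashed (exit code {proc.exitcode})")
    return result


if __name__ == "__main__":
    good = encode_message("hello")
    hostile = b"\x00\x00\x00\x10abc"     # header claims 16 bytes, carries 3
    print(parse_isolated(good))          # ('ok', 'hello')
    print(parse_isolated(hostile))       # rejected: the child aborted, we survived
    print(parse_isolated(b"\x00"))       # error: truncated header, reported as data
```

The point of the pattern is the asymmetry: the parser is still buggy, but the blast radius of the bug is now one short-lived process with no access to the caller’s memory. Real sandboxes add privilege reduction and resource limits on top of the process boundary; the example keeps only the boundary so the effect is visible in a few lines.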
iMessage is a popular target for hackers for good reason.
The app is included by default on every Apple device. It accepts incoming
messages from anyone who knows the user’s phone number or Apple ID. There is no
way to uninstall it, no easy way to audit its security, and nothing a user can
do to protect themselves against this type of threat – other than installing
every Apple security update as soon as possible. BlastDoor made iMessage
difficult to exploit, but hackers are still finding ways in. Just recently,
Apple released an update that fixes another loophole in iMessage, which was
used by the Israeli company NSO Group for its Pegasus spyware. BlastDoor was
thus elegantly bypassed. Apple declined to comment.