How a US company allegedly sold iPhone hacking tools to a regime

When the United Arab Emirates paid over $1.3 million for a powerful secret iPhone hacking tool in 2016, the monarchy’s spies – and the American mercenary force they hired – immediately started using it.

The tool exploited a vulnerability in Apple’s iMessage app and allowed the hackers to completely take over a victim’s iPhone. It is said to have been used in a large-scale surveillance and espionage campaign against hundreds of victims, including geopolitical rivals, dissidents and human rights activists.

Indictment documents presented by the US Department of Justice on Tuesday last week detail how the sale was carried out by a group of private military contractors working for Abu Dhabi without political permission from Washington. However, the documents do not reveal who sold the powerful iPhone hacking capability to the Emiratis.

iMessage exploit was the main weapon

However, two sources familiar with the matter have confirmed to MIT Technology Review that the vulnerability was developed and sold by an American company called Accuvant. The company merged with another security firm a few years ago, and what was left is now part of a larger company called Optiv. The news of the sale sheds new light on the exploit industry – as well as the role American corporations and mercenaries play in spreading powerful hacking skills around the world.

Optiv spokesman Jeremy Jones wrote in an email that his company “is fully cooperating with the Justice Department” and that Optiv is “not the subject of this investigation”. That is correct: the subjects of the investigation are three former US intelligence or military employees who are alleged to have worked illegally for the UAE. However, Accuvant’s role as developer and seller of the exploit was important enough to be detailed in the Justice Department’s court records.

The iMessage exploit was the main weapon in an Emirati program called “Karma”, which was operated by DarkMatter, an organization that purported to be a private company but in reality acted as the de facto spy agency of the UAE.

Vulnerability known for years

The existence of Karma and the iMessage vulnerability has been known since 2019. On Tuesday last week, the US fined three former US intelligence and military officials $1.68 million for their unauthorized work as mercenary hackers in the UAE. This activity included acquiring the Accuvant tools and running Emirates-funded hacking campaigns.

The US court documents state that the exploits were developed and sold by American companies, but the names of the hacking companies were not disclosed. The role of Accuvant has not yet been reported.

“The FBI will fully investigate individuals and companies who benefit from illegal criminal cyber activities,” said Bryan Vorndran, assistant director of the FBI’s cyber division, in a statement. “This is a clear message to everyone, including former US government employees, who have considered using the Internet to exploit information under export control for the benefit of a foreign government or business corporation. You risk something and what you do will have consequences.”

Successful developer of exploits

Although the UAE is considered a close ally of the United States, according to court documents and informants, DarkMatter has been linked to cyberattacks against a number of American targets, as whistleblowers have revealed. With the help of US partners, and the expertise and money they brought with them, DarkMatter built the UAE’s offensive hacking capabilities over several years from almost nothing into an impressive and very active intelligence organization. The group spent a lot of money hiring American and Western hackers to develop and sometimes direct the country’s cyber operations.

At the time of its sale to Optiv, Accuvant was a Denver, Colorado-based research and development laboratory specializing in iOS exploits and offering them for sale. A decade ago, Accuvant made a name for itself as a prolific discoverer of previously unknown vulnerabilities, working with major American military contractors and selling software bugs to government customers. In an industry that normally maintains a strict code of silence, the company occasionally attracted public attention.

“Accuvant represents a kind of positive side of cyberwar: a booming market,” wrote journalist David Kushner in a 2013 report on the company in Rolling Stone. They are the kind of companies “that are able to develop tailor-made software that can break into third-party systems and collect information – or even shut down a server – for which they can receive up to $1 million”.

Critical iMessage vulnerabilities

Optiv has largely pulled out of the hacking industry after a series of mergers and acquisitions, but Accuvant’s alumni network is strong and still working on exploits. Two senior employees co-founded Grayshift, an iPhone hacking company known for its hardware that is used by US law enforcement agencies to unlock protected devices. Accuvant was selling hacking exploits to several government and private sector customers, including the United States and its allies – and the same iMessage exploit in question was being sold to several other customers at the same time, MIT Technology Review learned.

The iMessage vulnerability is one of several critical vulnerabilities in the messaging app that have been discovered and exploited in recent years. With an update to the iPhone operating system in 2020, iMessage’s security was completely redesigned to reduce its vulnerability. The new security feature called BlastDoor isolates the app from the rest of the iPhone and makes it harder to access the iMessage memory – the main way an attacker could take over a target’s phone.

iMessage is a popular target for hackers for good reason. The app is included by default on every Apple device. It accepts incoming messages from anyone who knows the user’s phone number or Apple ID. There is no way to uninstall it, no easy way to check it for security problems, and nothing a user can do to protect themselves against this type of threat – other than installing every Apple security update as soon as possible. BlastDoor made iMessage difficult to exploit, but hackers are still finding ways in. Just recently, Apple released an update that fixes another loophole in iMessage, which was used by the Israeli company NSO Group for its Pegasus spyware. BlastDoor was thus elegantly bypassed. Apple declined to comment.
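The isolation principle the article attributes to BlastDoor (decode untrusted message content somewhere a crash or corruption cannot reach the rest of the device) can be shown in miniature. The following is an added illustration, not Apple’s or BlastDoor’s code and not from the reporting above: untrusted message bytes are handed to a disposable child process, and the main process only ever receives a verdict. The message format, the sample payloads, the deliberately fragile `parse_message` decoder and the simulated decoder crash are all constructed for this example.

```python
"""
Added illustration (not Apple's or BlastDoor's code): parse untrusted message
payloads in a separate, disposable process so that a malformed or malicious
message can take down only the parser, never the process holding user data.
The wire format and every sample payload here are constructed for the example.
"""
import multiprocessing as mp
import os

# Constructed sample payloads: 2-byte big-endian length followed by UTF-8 text.
SAMPLE_MESSAGES = {
    "well-formed": b"\x00\x05hello",
    "truncated": b"\x00\x10hi",          # header claims 16 bytes, only 2 present
    "decoder-crash": b"\x00\x05CRASH",   # triggers the simulated crash below
}


def parse_message(payload: bytes) -> dict:
    """Fragile decoder standing in for an attachment/message parser.

    The CRASH branch simulates the kind of hard failure a real decoder fed
    attacker-controlled bytes might suffer; it is a stand-in, not a real bug.
    """
    if len(payload) < 2:
        raise ValueError("truncated header")
    length = int.from_bytes(payload[:2], "big")
    body = payload[2:2 + length]
    if len(body) != length:
        raise ValueError("length field does not match body")
    if body == b"CRASH":
        os.abort()  # simulated hard crash (SIGABRT) inside the decoder
    return {"text": body.decode("utf-8")}


def _worker(payload: bytes, conn) -> None:
    """Body of the disposable child. A real deployment would also drop
    privileges here (sandbox profile, seccomp, etc.; hypothetical, not shown)."""
    try:
        conn.send(("ok", parse_message(payload)))
    except Exception as exc:          # malformed input is reported, not fatal
        conn.send(("rejected", f"parser error: {exc}"))
    finally:
        conn.close()


def parse_isolated(payload: bytes, timeout: float = 5.0) -> tuple:
    """Parse `payload` in a child process; return ("ok", result) or ("rejected", reason).

    The parent never decodes the untrusted bytes itself. If the child dies or
    hangs, the parent discards the message and carries on.
    """
    parent_end, child_end = mp.Pipe(duplex=False)
    child = mp.Process(target=_worker, args=(payload, child_end))
    child.start()
    child_end.close()  # only the child keeps the write end; EOF then means "child died"
    try:
        if not parent_end.poll(timeout):
            return ("rejected", "parser timed out")
        return parent_end.recv()
    except EOFError:
        child.join(timeout)
        return ("rejected", f"parser process died (exit code {child.exitcode})")
    finally:
        child.join(timeout)
        if child.is_alive():
            child.kill()
            child.join()
        parent_end.close()


def triage(messages: dict) -> dict:
    """Run every sample through the isolated parser; the caller survives all of them."""
    return {name: parse_isolated(payload)[0] for name, payload in messages.items()}


if __name__ == "__main__":
    for name, payload in SAMPLE_MESSAGES.items():
        status, detail = parse_isolated(payload)
        print(f"{name:14s} -> {status}: {detail}")
```

The design point is that the main process treats the child as untrusted: it waits for a verdict with a timeout, interprets a closed pipe as a dead parser, and never imports the parsed structure until the child has vouched for it. Real sandboxes add privilege reduction on top of this separation, which the example only marks as a hypothetical step.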
