Apple security holes reveal chinks in the iOS armor

Deborah Salmi 30 Aug 2016

Three previously undiscovered iOS vulnerabilities leave iPhone users scampering to update their devices.

What do mobile software companies, hackers, and spy agencies have in common? They look for vulnerabilities in mobile operating systems.

Granted, their reasons are different. Companies like Apple want to find bugs so they can make their products secure, hackers want to find bugs so they can sell them to the highest bidder, and agencies like the FBI want to find bugs so they can retrieve information and evidence.

This weekend, iPhone, iPad and iPod Touch users around the world were updating iOS after serious spyware related to three unknown vulnerabilities was discovered. If for some reason you did not hear the news, then stop what you're doing now and immediately update your device.

To update, go to Settings > General > Software Update. That should update you to iOS 9.3.5.

You can read the details of how the three vulnerabilities were discovered on various websites, but the main points are:

  • Ahmed Mansoor, a human rights activist in the UAE with a history of spyware attacks because of his work, received suspicious text messages with links on his iPhone. The messages used social engineering tactics, stating that the sender had information on torture victims, to lure Mansoor into clicking.
  • Mansoor did not click the links, but reported the messages to Citizen Lab at the University of Toronto, which recognized the links as belonging to an exploit infrastructure provided by an Israeli cyber-war company called NSO Group.
  • The investigation found a chain of zero-day exploits that could circumvent iPhone security measures to remotely jailbreak the phone and install spyware. The chain was dubbed Trident.
  • Together with researchers from Lookout, Citizen Lab disclosed their findings to Apple: if executed, the Trident exploit chain was capable of taking full control of Mansoor's iPhone and eavesdropping using its camera and microphone, recording calls by phone, WhatsApp and Viber, logging messages sent in mobile chat apps like Skype or Facebook, and tracking Mansoor's movements.

Apple responded quickly and released the iOS 9.3.5 patch to block the Trident exploit chain.

How to protect yourself from spyware

iPhone users, you will have to depend on Apple to keep you safe. Admittedly, they have had a very good track record, but they are not flawless – chinks are appearing in the armor.

Do not click on unknown links. Whether a link comes to you in an SMS message as in this incident, or it's a phishing attack via your email, or a strange popup when visiting a website, avoid clicking any link that you don't know is safe.

Keep the operating system and software up-to-date. The most effective way to protect your devices from spyware, viruses, and any other sort of malware is to always make sure everything is patched and updated. But in Mansoor’s case, having an up-to-date iOS wasn't enough, because this was an unknown, or so-called zero-day, vulnerability. Thankfully, once Apple was aware of Trident, they were extremely quick to issue a patch. Because their ecosystem is very controlled, the patch was available immediately to all who needed it.

Will other bugs be found?

“For sure there are other vulnerabilities we don't know about yet,” said Avast mobile security researcher Filip Chytrý. “Apple has a more closed ecosystem, so for them it is easier to maintain any urgent update, but when a bug is discovered on Android, the issue might end up unresolved on many devices.”

In other words, the open ecosystem of Android devices means that critical software updates are slow to be pushed out, leaving users exposed to malware or hackers. You can add security software like Avast Mobile Security to help protect your device.
