When Governments Hack Their Way Into Your iPhone

The NSO case reveals the dangers of the cyberwarfare trade, and how easily governments can use it against their own citizens.

An iPhone in front of NSO Group's headquarters in Herzliya, Israel, August 28, 2016.
Jack Guez, AFP

Hacks of technology devices have long been a hot commodity, with a supply-and-demand market just like any other. The supply side has hackers or firms always looking for ways to break into new technology products such as browsers, smartphones and cellular operating systems, and for security holes in specific software components or in hardware such as household routers or an organizational payroll server.

The demand side has those who buy and exploit these hacks, mostly but not only governmental espionage and policing organizations. There is legal trade between authorized companies and governments, and illegal trade between hackers and anonymous members of the dark web. The dark web is a series of forums permitting entry only to those with a password.

It may sound amorphous, but it’s certainly not a kids’ game. Western governments treat it like weaponry. Developed nations define companies selling offensive software in cyberspace as arms companies, requiring the same supervision as other security firms. The NSO Group — the firm behind the hack uncovered in North America last week — is also supervised by the Israeli Defense Ministry’s branch that supervises arms exports.

Other Israeli firms also sell devices for hacking, monitoring, spying, intelligence, bugging, etc. Nice is probably among them.

Why is this hack not like the others?

Let’s start with the platform. The iPhone’s weaknesses are the most expensive commodity in the world of cybersecurity. The iOS platform is considered especially secure, and many people dealing in sensitive issues — from finance and human rights to investigative journalism — choose the iPhone for this reason. The recent hack signals that iPhone users now also have cause for concern.

Then there’s the company. NSO is a very mysterious firm. While many know it as a company that sells cybersecurity arms and focuses on smartphone weaknesses, this is the first time its work methods have been revealed. It turns out the company used a pretty basic method of phishing to exploit the iPhone’s vulnerability.

How did it work? The company sent text messages tempting the user to click on a link — in this case, information on torture in the United Arab Emirates. Clicking the link installs malware, allowing almost perfect monitoring of the iPhone. What is exceptional is the power of the hacking tool itself.

A security hole in software that the vendor is unaware of is called a “zero-day vulnerability.” It’s the most lucrative kind of vulnerability, making a zero day in an iPhone the hackers’ Holy Grail. A single iPhone security hole can be sold for $1 million. However, the hack just found, “Trident,” makes use of not one but three zero-day security holes. That’s very rare. In comparison, the Stuxnet worm, written by the Israeli and U.S. governments to damage the Iranian nuclear program, relied on four zero-day vulnerabilities.

Apple’s discovery and plugging of the security holes is obviously bad news for NSO. But it’s part of the world of information security. Security holes are closed, antivirus programs are updated and hackers find new ways to break in. It is check without the mate.

Third, beyond the attention, Trident raises an ethical question. Is there enough supervision of hacking companies, and are we comfortable with weapons from the West sometimes ending up in the wrong hands? In this case, it was revealed how dangerous the trade in cyberattacks has become and how easily oppressive regimes can wield such weapons against their citizens to weaken democracies and human rights.

According to the exposé, published last week by the University of Toronto’s Citizen Lab and information security company Lookout, the target in this case was human-rights activist Ahmed Mansoor. The same method was used against Mexican investigative journalist Rafael Cabrera and Kenyan Senator Moses Wetangula.

These targets raise serious second thoughts. Is this what we wanted? Does Israel know where its weapons are going, and what they are being used for? Is the supervision division shutting its eyes, screwing up or simply being apathetic as long as the money flows in?

Ironically, most of us, regular users, actually benefit indirectly from this cybergame of chess. The hacking that was just discovered forced Apple to issue an urgent update, and anyone who installs it will enjoy a safer iPhone than before. Do it today — or, even better, an hour ago.