It was recently discovered that a security flaw dubbed “Trident” in the iPhone’s iOS operating system could let hackers breach the security measures and have full access to the phone, including camera and communications (microphone, data…).
Apple has issued a software update that closes this vulnerability. If you want to protect yourself, update your iOS device immediately, because the flaw could be exploited by simply clicking on an SMS link which then installs a spyware called “Pegasus”.
The vulnerability was discovered by researchers at Citizen Lab at the University of Toronto after a Human Rights activist called Ahmed Mansoor became suspicious of an incoming SMS, which he forwarded to the research team. The discovery of this vulnerability was even more shocking because SMS links are an easy attack vector and thought to be well covered by existing security measures.
The attack has to go through security vulnerabilities in the browser (which uses the Webkit library) since it is the one opening the link. Then it exploits another vulnerability in the core OS code to install itself and gain “root” access – or unfettered access to the handset. This kind of multi-level cascade exploit of vulnerabilities requires a lot of skills to pull off.
With this specific attack, any iPhone breached could be turned into imaging, GPS and audio sensors for the attacking party. After analyzing the code, Citizen Lab has concluded that the hacking software was code written by NSO, a company based in Israel and specialized in hacking software which is sold to governments in a highly regulated fashion according to the company, which denies any link to this attack.
If you are curious and want to read every technical detail, check the full report from Citizen Lab.