Reuters has a pretty sobering story about an intelligence unit inside the United Arab Emirates that apparently utilized an iMessage exploit to compromise targets’ iPhones without any action on the users’ part:
Three former operatives said they understood Karma to rely, at least in part, on a flaw in Apple’s messaging system, iMessage. They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone’s owner didn’t use the iMessage program, enabling the hackers to establish a connection with the device.
To initiate the compromise, Karma needed only to send the target a text message — the hack then required no action on the part of the recipient. The operatives could not determine how the vulnerability worked.
The story suggests that Apple software updates made the exploit “far less effective” after 2017, though it notably doesn’t say that the security hole was completely closed.
The hack allowed access to a broad range of data on the targets’ phones, including messages, location data, and photos, and was used on diplomats, activists, and foreign leaders. The provenance of the tool was unknown, even to those using it.
(I expect this piece to elicit some comparisons to the Bloomberg server piece from last fall, but note that the Reuters piece includes at least one named former operative.)
Security services are, of course, always going to be on the cutting edge of these kinds of vulnerabilities, but coming as it does on the heels of Apple’s FaceTime bug, this is an unpleasant one-two punch for Apple’s prominent stance on data privacy.
[hat tip James Thomson]