NSO Group, Pegasus, Trident—iOS Exploits Targeting Human Rights Activist

2016-08-25

Mike Gerwitz

Citizen Lab released a report describing the attempted use of iOS 0-days on human rights activist Ahmed Mansoor by the United Arab Emirates. They named this chain of exploits Trident, and with the help of Lookout Security, were able to analyze them.

It begins with arbitrary code execution (CVE-2016-4655) by exploiting a memory corruption vulnerability in WebKit, which downloads a payload without the user's knowledge. That payload is able to bypass KASLR and determine the kernel memory location (CVE-2016-4656), which then allows it to exploit a memory corruption vulnerability in the kernel itself (CVE-2016-4657); this “jailbreaks” the device and is a complete compromise of the system.

This payload is Pegasus, a complex surveillance tool sold to governments, often used for espionage. In this case, Mansoor received a suspicious text message and wisely tipped off Citizen Lab rather than opening the presented link. Had he opened it, he would have unknowingly downloaded this spyware, which could very well have put his life in extreme danger: it has the capability to track his location; record his calls and texts; record communications through software like WhatsApp and Skype; download his contact information; grab passwords and encryption keys from his keyring; and much more.

This malware was written by NSO Group, which is so poorly known that their Wikipedia page didn’t even exist until today. The software company is based in Israel, founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. They were purchased in 2014 by Francisco Partners, a private equity firm in the United States, for $110 million. They exist to sell exploits to governments.

Anyone familiar with security research is aware of responsible disclosure: it is a model whereby researchers who discover a vulnerability release their research publicly only after they notify the authors of the software, and a patch mitigating the vulnerability has been released. This is what Citizen Lab did—Apple fixed the vulnerability in iOS 9.3.5.[1] This is not what NSO Group does: instead, they hoard their exploits[2] and sell them to governments as weapons for surveillance or espionage. In this case, the United Arab Emirates (or so it seems). This is not only unethical, but to sell to a government that is known for this type of abuse is inexcusable and negligent—the people behind NSO Group are absolute scum.[3] They are empowering a foreign government known for their civil and human rights abuses. I have trouble finding words.

There is much more that can be said on this topic with respect to security, civil and human rights, and various other topics. But I don’t want to distract from the topic at hand. Let this sink in. Read the Citizen Lab report and the paper by Lookout Security. Today I leave my soapbox be.


  1. I can’t recommend that you use Apple devices, but if you do, you should upgrade immediately; you are vulnerable to exploitation by simply visiting a malicious webpage.

  2. Called 0-days, because they haven’t been disclosed and there has been no time to prepare or release a fix.

  3. For other scum, see the organization behind FinFisher; and the group Hacking Team.