Reuters on Wednesday published details about a once-powerful exploit for iOS devices called Karma that has been used on behalf of the United Arab Emirates (UAE) to hack iPhones around the world since the beginning of 2016.
The Karma attack was revealed in two reports detailing a Reuters investigation into former US National Security Agency intelligence operatives who’ve been working as contractors for the UAE under Project Raven since 2014.
The former US government hackers reportedly used tools for exploiting highly valuable zero-day flaws in iOS to spy on human rights activists, journalists and political enemies.
In Reuters’ accompanying report into the US-assisted UAE project, former Raven operatives from the US describe the importance of Karma, how the tool was used, and the information it helped them acquire.
Lori Stroud, a former NSA and Booz Allen Hamilton worker, who revealed her work on Project Raven, was also involved in bringing Edward Snowden to his NSA contracting role just months before he leaked details about NSA hacking tools and activities to the media in 2013.
According to Reuters sources, the UAE bought Karma from a company that was outside the UAE, but the publication couldn’t determine Karma’s creator.
Stroud said the ability to use Karma to hack iPhones “was like Christmas”. It allowed operatives to remotely access content on iPhones by uploading phone numbers or email accounts to an automated targeting system. Karma was valuable because it required almost no user interaction to exploit a vulnerability in iMessage on iOS.
Users of Karma didn’t know exactly how the vulnerability was exploited, but three former Raven operatives said it relied partly on a flaw in iMessage, Apple’s messaging app that’s available on macOS and iOS.
According to Reuters: “They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone’s owner didn’t use the iMessage program, enabling the hackers to establish a connection with the device.
“To initiate the compromise, Karma needed only to send the target a text message — the hack then required no action on the part of the recipient.”
Now-jailed Emirati activist Ahmed Mansoor in August 2016 revealed via Citizen Lab that he had received website links in text messages on his iPhone that he suspected were an attack. Citizen Lab reported that the links belonged to infrastructure owned by controversial Israel-based cybersecurity firm NSO Group, which sells lawful intercept spyware products.
After investigating Mansoor’s report, Citizen Lab reported three zero-day vulnerabilities in iOS to Apple that could have given an attacker a remote jailbreak, a rare and highly valued exploit.
Citizen Lab noted that zero-day broker Zerodium, which is famous for offering millions for remote iOS hacks, reported acquiring a similar set of vulnerabilities targeting iOS 9 for $1 million in November 2015. Zerodium founder Chaouki Bekrar at the time denied the attacks used the vulnerabilities his company acquired.
According to Reuters sources, by the end of 2017 Karma was far less effective because of Apple's security updates to iOS.