HK’s privacy czar urges Apple users to update software on their devices ‘as soon as possible’ in light of spyware storm
Researchers find vulnerability in iOS that can be used by hackers to remotely install spyware on the iPhone and iPad
Hong Kong’s privacy czar has raised fears about the exposed weakness of Apple’s operating system for its smartphone and tablets, after researchers found new malicious software that can be remotely installed to quietly turn an iPhone into a digital spy.
Analysts said the discovery of a “zero-day exploit” – a hole in the software that can be used by hackers before a fix is made – showed that no system, not even Apple’s closely guarded proprietary iOS mobile platform, was safe from cyber attacks.
In a statement, privacy commissioner Stephen Wong Kai-yi expressed his concern about the vulnerability “given the popularity of iOS devices in Hong Kong”.
Wong urged iPhone and iPad users in the city “to update the iOS software on their devices to the latest version as soon as possible in order to fix the loophole”.
Beset by the tyranny of hackers, iPhone users around the world have rushed to download Apple’s latest security update on Friday. User must tap into “software update” under their device’s general settings to manually get the fix, which is iOS 9.3.5.
While Apple was quick to release its security update, the news threatened to knock the wind out of the company’s sails, amid its rumoured launch of new iPhone models in the next few weeks.
Retail worker Justin Kwok, 23, was unaware of the emerging problem for users, but said he was a fan of Apple because of the ease of use and strong security of its devices.
“I didn’t know about the security issue, but it sounds scary because my privacy will go out the window if someone takes my information,” Kwok said.
Another Apple device user, Joseph Lee, 40, shrugged off concerns because “there’s not much choice” between iOS and Android-based systems. “Android has so much trouble…and now we can’t live without phones.”
Canadian research group the Citizen Lab and mobile security firm Lookout in San Francisco, California, said their investigation found the exploit, called “Trident”, connected to the NSO Group, an Israel-based “cyber war” company that sells the Pegasus “lawful-intercept” spyware product.
Paul Haswell, a partner at international law firm Pinsent Masons, said the exploit works by having iPhone users follow a link, which then remotely “jailbreaks” their device to install software not sanctioned by Apple.
“The exploit then installs spyware, which can track the iPhone user’s movements, log encrypted messages, and discreetly activate the device’s camera and microphone.” Haswell said.
“It appears to be the type of malware which would be targeted at specific users rather than just out there in the wild.”
The user in Citizen Lab’s research is Ahmed Mansoor, a United Arab Emirates-based human rights activist, who received text messages on his iPhone with links purporting to be about tortured detainees in his country. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.
“We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find,” Citizen Lab said.
“Remarkably, this case marks the third commercial ‘lawful intercept’ spyware suite employed in attempts to compromise Mansoor.”
Citizen Lab and Lookout said they swiftly initiated a responsible disclosure process by notifying Apple and sharing their findings.
“We were made aware of this vulnerability and immediately fixed it with [the update] iOS 9.3.5,” Apple said in a statement.
“We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
Major mobile network operators in Hong Kong were quick to respond to the news of the exploit, as iPhone remains the city’s top-selling smartphone brand.
Hutchison Telecommunications Hong Kong, which operates the “3” brand mobile service in the city and in Macau, said it has informed frontline staff about the iOS security update so they can answer customer inquiries.
“We believe that handset manufacturers must closely monitor potential phone security issues and release upgrades when necessary,” a Hutchison Telecoms spokesman said.
A spokesman for HKT, the largest mobile network operator in Hong Kong, said all mobile users must “take appropriate precautions and actions, such as software upgrades”.
HKT’s total mobile subscribers, comprising those in its premium 1010, mainstream CSL and low-cost “Sun Mobile” brands reached 4.445 million at the end of June.
Sandy Shen, a research director with Gartner in Shanghai, pointed out that “no operating system is 100 per cent secure or hacker-proof – this will never happen”.
The spyware issue, however, has come at a time when the iPhone is faced with stiff competition from domestic brands on the Chinese mainland, the world’s largest smartphone market and Apple’s second-biggest geographic market.
Technology research firm IDC recently reported the mainland’s top-five smartphone suppliers in the second quarter were Huawei Technologies, Oppo Electronics, Vivo, Xiaomi and Apple.
New Chinese smartphone brands have already started making security a key feature in their premium-priced models to convince its target customers to adopt their device and ditch the iPhone.
Shenzhen-based smartphone maker Gionee said its new M6 flagship model is the world’s first smartphone built with a dedicated encryption chip.
“Our phone with an encrypted chip could secure users’ personal data much better than others” Gionee president William Lu said.
Lu said the device was especially designed for security conscious Chinese businessmen and senior government officials on the mainland.
Xiaohan Tay, a senior market analyst with IDC, said the security exploit will not have a significant impact on the demand for iPhones in Hong Kong and the mainland.
“There is still a general trust [from consumers] for iOS and I believe most consumers are confident that … Apple will take the necessary steps to resolve this,” Tay said.
Pinsent Masons’ Haswell added that Apple’s iOS tends to have a better reputation for being secure than Google’s Android operating system.
“This is predominantly because Apple’s operating system is a “walled garden”, making it impossible for users to install third-party software outside of those available on Apple’s online App Store,” Haswell said.
Jerrem Ng, a senior associate at Clifford Chance in Sydney, said cyber threats “do not discriminate between jurisdictions, so the response needs to be swift and global”, crediting Apple for the speedy response.
Additional reporting by Alice Woodhouse