The Trident attack is regarded as the most sophisticated iPhone exploit chain disclosed to date. It was dubbed “Trident” because it chains three previously unknown (zero-day) vulnerabilities in iOS: one in the WebKit engine behind the Safari browser and two in the kernel. Once a target opens a malicious link received by text message, the attacker can read and record the phone’s text messages, calls, location and passwords, and switch on the camera and microphone. It also harvests data from apps such as Facebook, FaceTime, Line, Skype and others. Even apps with end-to-end encryption like WhatsApp lose that protection when one of the ‘end’ devices is compromised at the root (kernel) level, which is exactly what Trident achieves.
Who was affected?
Virtually anyone with an iPhone running a vulnerable iOS version could have been exploited, but the known targets were journalists, activists and aid workers. Because the spyware is extremely expensive, its customers (governments) tend to deploy it sparingly, against high-value targets only, which also limits the chance of the exploits falling into the “wrong hands.”
How was it discovered?
The Trident attack came to light when Ahmed Mansoor, a human rights activist in the UAE, received two suspicious text messages. The first, on August 10, 2016, he ignored at the time. The next day he received a second text with a link that claimed to contain details on detainees in UAE jails. Having been targeted with “lawful intercept” malware in the past, he was suspicious and, rather than opening the link, forwarded the messages to researchers at Citizen Lab at the University of Toronto’s Munk School of Global Affairs.
Citizen Lab then teamed up with Lookout, a mobile security company. Together, they traced the malware back to NSO Group, an Israeli firm that openly sells software for tracking mobile phones, most often to governments. NSO Group denied any knowledge of this particular case and told the Washington Post, “The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations.” They added, “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes.”
So, who launched Trident?
Attributing cyber-attacks is notoriously difficult. Though we know who likely built the malware, determining who deployed it against Mansoor is a different matter. The finger can be pointed in several directions, but there is very little evidence to support any accusation. Citizen Lab and Lookout cannot even say for certain how long the Trident exploits have been in use, but artifacts in the malware’s code suggest that it dates back to iOS 7, released in 2013.
How did Trident work?
The end result of a Trident infection is similar to that of exploits for Stagefright, a set of flaws in Android’s media library. Stagefright, however, required no link: merely receiving a specially crafted multimedia message was enough for the exploit to trigger.
Trident is the exploit chain; Pegasus is the NSO spyware it installs. As with Mansoor, the target is enticed to tap an appealing link. The exploit fires as soon as the page loads in the browser: the WebKit flaw gives the attacker code execution inside Safari, and the two kernel flaws are then used to defeat the kernel’s protections and take full control of the device, in effect silently jailbreaking it. With that access the attacker can monitor and record calls, texts and emails, exfiltrate data from virtually any app installed on the phone, or use the camera and microphone without the owner knowing. Pegasus is modular, so it can be customized for different apps and for operation in different countries.
When Lookout, the mobile security company that teamed up with Citizen Lab, announced the discovery on its blog, it said, “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile—always connected (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists,” and that it “uses strong encryption to evade detection.”
Are iPhones still at risk from Trident?
The vulnerabilities were reported to Apple just 10 days before a scheduled update launch, and Apple was able to patch all three in time. As long as your iPhone is running iOS 9.3.5 or later, it is no longer vulnerable to Trident. The same applies to iPads (and iPod touches) running iOS, so make sure they are also on 9.3.5 or later.
To check a device, go to Settings > General > Software Update.
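Checking one handset in Settings is fine for an individual, but an administrator responsible for a fleet will want to flag every device still below iOS 9.3.5 from an inventory export. The following is an added example, not code from the original article or from Citizen Lab, Lookout or Apple. It assumes a list of (device name, reported iOS version) pairs such as an MDM tool would export; the inventory shown is constructed for illustration. The one subtlety worth demonstrating is that version strings must not be compared as strings, since "10.0" sorts before "9.3.5" alphabetically and a device on iOS 10 would be wrongly flagged as vulnerable.

```python
"""Flag iOS devices in an inventory that are still vulnerable to Trident.

Added example, not part of the original article. The inventory below is
constructed for illustration; a real check would read device records from
an MDM export. Any version below 9.3.5 is treated as vulnerable, per the
article's guidance.
"""
import re

FIXED_IN = (9, 3, 5)  # iOS release that patched the three Trident flaws


def parse_ios_version(version: str) -> tuple:
    """Turn '9.3.5', '10.0' or '9.3' into a comparable tuple of ints.

    Naive string comparison gets this wrong: '10.0' < '9.3.5' as strings.
    Missing minor/patch components are treated as 0, so '9.3' == '9.3.0'.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognized iOS version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the reported iOS version includes the Trident fix."""
    return parse_ios_version(version) >= FIXED_IN


def vulnerable_devices(inventory):
    """Return the names of devices whose iOS version predates the fix,
    in inventory order."""
    return [name for name, ver in inventory if not is_patched(ver)]


# Constructed sample inventory: (device name, iOS version reported by the device)
SAMPLE_INVENTORY = [
    ("iphone-ceo", "9.3.5"),
    ("ipad-legal", "9.3.4"),
    ("iphone-field-1", "10.0"),
    ("iphone-field-2", "9.3"),
    ("ipad-reception", "8.4.1"),
]

if __name__ == "__main__":
    for name in vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{name}: UPDATE REQUIRED (below iOS 9.3.5)")
```

The same `FIXED_IN` threshold pattern applies to any later iOS security fix; only the constant changes.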