In early August, Ahmed Mansoor, an Emirati human rights activist, received a suspicious text. It told him that there were new details of torture within the state prison system, along with a link to follow if he wanted to learn more. If Mansoor had clicked on that link, his phone would have been jailbroken on the spot. From there, hackers would have implanted his phone with malware that was capable of logging encrypted messages, activating the microphone, and tracking the phone's movements.
The entire attack is detailed in a new report from security companies Citizen Lab and Lookout Security, which received the link from Mansoor. This new attack targets three previously undisclosed vulnerabilities within iOS, allowing access to kernel memory, kernel privileges, and arbitrary code execution. When those things are combined, an iOS device can be remotely jailbroken, something that has long been sought after but hasn't been successfully used in any known campaigns.
Citizen Lab and Lookout reported the vulnerabilities to Apple, and the problems have already been patched in today’s release of iOS 9.3.5.
Citizen Lab has been able to link the attack to private Israeli spyware group NSO, although we still don't know how they found out they could even do this. Earlier this year, exploit broker Zerodium offered and awarded a $1 million bounty for remote jailbreaking capabilities. This is similar to what was used against Mansoor.
Apple recently launched its own reward system to encourage people to disclose any vulnerabilities that they find, with the highest bounty up to $200,000.