Tue. Apr 16th, 2024

‘Karma’ Inside the iPhone Hack Used by the UAE


Ateam of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world’s superpowers and into the hands of smaller nations.

The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens.

Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for the UAE’s intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven’t been previously reported. Raven’s activities are detailed in a separate story published by Reuters today.

The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.

It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.

Lori Stroud, a former Raven operative who also previously worked at the U.S. National Security Agency, told Reuters of the excitement when Karma was introduced in 2016. “It was like, ‘We have this great new exploit that we just bought. Get us a huge list of targets that have iPhones now,’” she said. “It was like Christmas.”

The disclosure of Karma and the Raven unit comes amid an escalating cyber arms race, with rivals such as Qatar, Saudi Arabia and the UAE competing for the most sophisticated hacking tools and personnel.

Tools like Karma, which can exploit hundreds of iPhones simultaneously, capturing their location data, photos and messages, are particularly sought-after, veterans of cyberwarfare say. Only about 10 nations, such as Russia, China and the United States and its closest allies, are thought to be capable of developing such weapons, said Michael Daniel, a former White House cybersecurity czar under President Obama.

Karma and similar tools make personal devices like iPhones the “juiciest of targets,” said Patrick Wardle, a former National Security Agency researcher and Apple security expert.

A spokeswoman for UAE’s Ministry of Foreign Affairs declined to comment.

Apple Inc declined to comment.


The former Raven insiders said Karma allowed the operatives to gather evidence on scores of targets — from activists critical of the government to regional rivals, including Qatar, and the UAE’s ideological opponent, the Islamic political Muslim Brotherhood movement.

It also granted them access to compromising and at times sexually explicit photos of targets. The material was described to Reuters in detail but reporters didn’t inspect it. Reuters saw no evidence that the UAE leaked damaging materials discovered through Karma.

Raven was largely staffed by U.S. intelligence community veterans, who were paid through an Emirati cybersecurity firm named DarkMatter, according to documents reviewed by Reuters. The company did not respond to numerous emails and phone calls requesting comment. The NSA declined to comment on Project Raven.

The UAE government purchased Karma from a vendor outside the country, the operatives said. Reuters could not determine the tool’s creator.

The operatives knew how to use Karma, feeding it new targets daily, in a system requiring almost no input after an operative set its target. But the users did not fully understand the technical details of how the tool managed to exploit Apple vulnerabilities. People familiar with the art of cyber espionage said this isn’t unusual in a major signals intelligence agency, where operators are kept in the dark about most of what the engineers know of a weapon’s inner workings.

Three former operatives said they understood Karma to rely, at least in part, on a flaw in Apple’s messaging system, iMessage. They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone’s owner didn’t use the iMessage program, enabling the hackers to establish a connection with the device.

To initiate the compromise, Karma needed only to send the target a text message — the hack then required no action on the part of the recipient. The operatives could not determine how the vulnerability worked.

A person with direct knowledge of the deal confirmed Karma’s sale to the Emiratis from an outside vendor, details of its capabilities and its reliance on an iMessage vulnerability.

The Raven team successfully hacked into the accounts of hundreds of prominent Middle East political figures and activists across the region and, in some cases, Europe, according to former Raven operatives and program documents.


In 2017, for instance, the operatives used Karma to hack an iPhone used by Qatar’s Emir Sheikh Tamim bin Hamad al-Thani, as well as the devices of Turkey’s former Deputy Prime Minister Mehmet Şimşek, and Oman’s head of foreign affairs, Yusuf bin Alawi bin Abdullah. It isn’t clear what material was taken from their devices.

Şimşek, who stepped down from his position in July, told Reuters the cyber intrusion on his phone was “appalling and very disturbing.” The Washington embassies of Qatar, Oman and Turkey did not respond to multiple emails and calls requesting comment about the targeting of political figures in their countries.

Raven also hacked Tawakkol Karman, a human rights activist known as the Iron Woman of Yemen. Informed by Reuters she had been targeted, she said she believes she was chosen because of her leadership in the Arab Spring protests, which erupted around the region in 2011 and led to the ousting of Egyptian President Hosni Mubarak.

For years she had received repeated notifications from social media accounts, warning that she had been hacked, she told Reuters. But the fact that Americans helped the Emirati government monitor her was shocking, she said.

Americans are “expected to support the protection of human rights defenders and provide them with all protection and security means and tools,” she said, “not to be a tool in the hands of tyrannies to spy on the activists and to enable them to oppress their peoples.”


UAE’s ‘Karma’ hack tool spied on iPhones just by sending a text, report says

Spies for the United Arab Emirates stole photos and messages without victims needing to click anything, Reuters reports.

A hacking tool enabled the United Arab Emirates’ government to spy on iPhone users with just a text message, according to a Wednesday report by Reuters.

Called Karma, the tool let spies steal photos, messages, emails and location data from iPhones by uploading victims’ email accounts or phone numbers to an automated system, the report said.

The cyberattack worked through iMessage, and the spies simply needed to send a victim a text message; the target didn’t need to click on anything or open the message.

The UAE government bought the tool from an outside country, and the attacks were carried out by former US intelligence operatives working as contractors for the UAE, including ex-operatives with the National Security Agency, Reuters reported. Targets reportedly included human rights activists, political dissidents and leaders of rival nations.

The spies used Karma from 2016 to 2017, targeting hundreds of victims, until a security patch from Apple hampered the tool’s effectiveness, Reuters said.

Neither the UAE nor Apple responded to a request for comment.

The NSA said all its former employees “are subject to the same post-employment restrictions that govern other former civil servants employed by the intelligence community” and that “under no circumstance would the agency request that an individual, contractor, foreign government or other US government agency engage in activities on its behalf that the NSA would not itself be authorized to undertake.”

Nation-states often buy and use powerful hacking tools to spy. For many political dissidents, keeping devices secure from hacks can be a life or death matter.

Last March, researchers detailed a global hacking campaign they said involved the Lebanese General Security Directorate. The effort reportedly set sights on victims by tricking them into downloading replica apps filled with malware. The Security Directorate said at the time that it didn’t have such capabilities.

Researchers have also found that in 2016 Israeli company the NSO Group was providing spyware to nation-states to steal data from activists’ iPhones. The company has said it obeys applicable laws.

Tools for hacking can be expensive. Leaked documents showed that one country paid $32 million to the NSO Group for spyware that could take control of a device’s phone and camera.

In the above examples, the state-sponsored hacks required victims to fall for a trap, whether it was clicking on a link or downloading a malicious app. With Karma, all the hackers needed to do was send a text message, widening the scope of who the UAE could spy on.

Security flaws in Apple devices are rare, and knowledge of them can be so valuable that even though Apple offers bug bounties of up to $200,000, third parties have offered bounties for up to $500,000 to hand the flaws over to them instead.

The report on Karma comes as Apple is reeling over a major FaceTime security flaw. The bug, first reported by 9to5Mac on Monday, allowed FaceTime users to listen in on a call’s recipient even if he or she didn’t accept the call.

Apple said it was releasing a patch this week to fix the Group FaceTime vulnerability, and that it has temporarily disabled Group FaceTime until then.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Apple: See what’s up with the tech giant.

Alfred Ng headshot

This US company sold iPhone hacking tools to UAE spies

An American cybersecurity company was behind a 2016 iPhone hack sold to a group of mercenaries and used by the United Arab Emirates.

When the United Arab Emirates paid over $1.3 million for a powerful and stealthy iPhone hacking tool in 2016, the monarchy’s spies—and the American mercenary hackers they hired—put it to immediate use.

The tool exploited a flaw in Apple’s iMessage app to enable hackers to completely take over a victim’s iPhone. It was used against hundreds of targets in a vast campaign of surveillance and espionage whose victims included geopolitical rivals, dissidents, and human rights activists.

Documents filed by the US Justice Department on Tuesday detail how the sale was facilitated by a group of American mercenaries working for Abu Dhabi, without legal permission from Washington to do so. But the case documents do not reveal who sold the powerful iPhone exploit to the Emiratis.

Two sources with knowledge of the matter have confirmed to MIT Technology Review that the exploit was developed and sold by an American firm named Accuvant. It merged several years ago with another security firm, and what remains is now part of a larger company called Optiv. News of the sale sheds new light on the exploit industry as well as the role played by American companies and mercenaries in the proliferation of powerful hacking capabilities around the world.

Optiv spokesperson Jeremy Jones wrote in an email that his company has “cooperated fully with the Department of Justice” and that Optiv “is not a subject of this investigation.” That’s true: The subjects of the investigation are the three former US intelligence and military personnel who worked illegally with the UAE. However, Accuvant’s role as exploit developer and seller was important enough to be detailed at length in Justice Department court filings.

The iMessage exploit was the primary weapon in an Emirati program called Karma, which was run by DarkMatter, an organization that posed as a private company but in fact acted as a de facto spy agency for the UAE.

Reuters reported the existence of Karma and the iMessage exploit in 2019. But on Tuesday, the US fined three former US intelligence and military personnel $1.68 million for their unlicensed work as mercenary hackers in the UAE. That activity included buying Accuvant’s tool and then directing UAE-funded hacking campaigns.

The US court documents noted that the exploits were developed and sold by American firms but did not name the hacking companies. Accuvant’s role has not been reported until now.

Accuvant was not the focus of the investigation because the sale it made was licensed and legal. A source with close knowledge of the development and sale of the exploit says that Accuvant was explicitly “directed” to make the sale of the exploit by a US intelligence agency and that the company did not know it would be used for foreign espionage. The court documents then describe manipulation of the exploit by the mercenaries to make it a more powerful tool for the UAE’s purposes.

“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement. “This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company—there is risk, and there will be consequences.”

Prolific exploit developer

Despite the fact that the UAE is considered a close ally of the United States, DarkMatter has been linked to cyberattacks against a range of American targets, according to court documents and whistleblowers.

Helped by American partnership, expertise, and money, DarkMatter built up the UAE’s offensive hacking capabilities over several years from almost nothing to a formidable and active operation. The group spent heavily to hire American and Western hackers to develop and sometimes direct the country’s cyber operations.

At the time of the sale, Accuvant was a research and development lab based in Denver, Colorado, that specialized in and sold iOS exploits.

“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity. This is a clear message to anybody… there is risk, and there will be consequences.”

Brandon Vorndran, FBI

A decade ago, Accuvant established a reputation as a prolific exploit developer working with bigger American military contractors and selling bugs to government customers. In an industry that typically values a code of silence, the company occasionally got public attention.

“Accuvant represents an upside to cyberwar: a booming market,” journalist David Kushner wrote in a 2013 profile of the company in Rolling Stone. It was the kind of company, he said, “capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they can get paid up to $1 million.”

Optiv largely exited the hacking industry following the series of mergers and acquisitions, but Accuvant’s alumni network is strong—and still working on exploits. Two high-profile employees went on to cofound Grayshift, an iPhone hacking company known for its skills at unlocking devices.

Accuvant sold hacking exploits to multiple customers in both governments and the private sector, including the United States and its allies—and this exact iMessage exploit was also sold simultaneously to multiple other customers, MIT Technology Review has learned.

iMessage flaws

The iMessage exploit is one of several critical flaws in the messaging app that have been discovered and exploited over recent years. A 2020 update to the iPhone’s operating system shipped with a complete rebuilding of iMessage security in an attempt to make it harder to target.

The new security feature, called BlastDoor, isolates the app from the rest of the iPhone and makes it more difficult to access iMessage’s memory—the main way in which attackers were able to take over a target’s phone.

iMessage is a major target of hackers, for good reason. The app is included by default on every Apple device. It accepts incoming messages from anyone who knows your number. There is no way to uninstall it, no way to inspect it, nothing a user can do to defend against this kind of threat beyond downloading every Apple security update as soon as possible.

BlastDoor did make exploiting iMessage harder, but the app is still a favorite target of hackers. On Monday, Apple disclosed an exploit that the Israeli spyware company NSO Group had reportedly used to circumvent BlastDoor protections and take over the iPhone through a different flaw in iMessage. Apple declined to comment.

UAE used deadly spying tool to snoop on iPhones used by prominent activists and diplomats

The barrage of bad news for the iPhone keeps coming.

The barrage of bad news for the iPhone keeps coming.

Reuters has published(Opens in a new window) a semi-worrisome report about how a team of former U.S. intelligence agents working for the UAE used a cyber tool called Karma to spy on iPhones used by “activists, diplomats and rival foreign leaders” simply by “uploading phone numbers or email accounts into an automated targeting system.”

Karma reportedly allowed the UAE to “monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen.”

The spying tool, purchased by the UAE from an unnamed vendor, is described as seemingly easy to use and works in conjunction with a security hole that can be exploited within iOS, the software which the iPhone runs.

The tool is said to only work on iPhones and not Android devices, and takes advantage of a security flaw within iMessage. According to the former operatives, the exploit injected malware through the messaging platform to “establish a connection with the device”. Karma is then used to send a text message to the target iPhone to gain access to private data stored on it.

Per Reuters:

“In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.”

One thing Karma can’t do is intercept phone calls, according to the operatives who spoke with Reuters.