A super cyber-weapon, dubbed Karma, was a tool that allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens.
Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for the UAE’s intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven’t been previously reported. Raven’s activities are detailed in a separate story published by Reuters today.
The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.
It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple's iPhone software had made Karma far less effective.
Lori Stroud, a former Raven operative who also previously worked at the U.S. National Security Agency, told Reuters of the excitement when Karma was introduced in 2016. "It was like, ‘We have this great new exploit that we just bought. Get us a huge list of targets that have iPhones now," she said. "It was like Christmas."
The disclosure of Karma and the Raven unit comes amid an escalating cyber arms race, with rivals such as Qatar, Saudi Arabia and the UAE competing for the most sophisticated hacking tools and personnel.
Three former operatives said they understood Karma to rely, at least in part, on a flaw in Apple’s messaging system, iMessage. They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone’s owner didn’t use the iMessage program, enabling the hackers to establish a connection with the device. You could read more of this story here.
About Making Comments on our Site: Patently Apple reserves the right to post, dismiss or edit any comments. Those using abusive language or negative behavior will result in being blacklisted on Disqus.