UAE's 'Karma' hack tool spied on iPhones just by sending a text, report says

Spies for the United Arab Emirates stole photos and messages without victims needing to click anything, Reuters reports.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
James Martin/CNET

A hacking tool enabled the United Arab Emirates' government to spy on iPhone users with just a text message, according to a Wednesday report by Reuters.  

Called Karma, the tool let spies steal photos, messages, emails and location data from iPhones by uploading victims' email accounts or phone numbers to an automated system, the report said.

The cyberattack worked through iMessage, and the spies simply needed to send a victim a text message; the target didn't need to click on anything or open the message.

The UAE government bought the tool from an outside country, and the attacks were carried out by former US intelligence operatives working as contractors for the UAE, including ex-operatives with the National Security Agency, Reuters reported. Targets reportedly included human rights activists, political dissidents and leaders of rival nations.

The spies used Karma from 2016 to 2017, targeting hundreds of victims, until a security patch from Apple hampered the tool's effectiveness, Reuters said.

Neither the UAE nor Apple responded to a request for comment.

The NSA said all its former employees "are subject to the same post-employment restrictions that govern other former civil servants employed by the intelligence community" and that "under no circumstance would the agency request that an individual, contractor, foreign government or other US government agency engage in activities on its behalf that the NSA would not itself be authorized to undertake."

Nation-states often buy and use powerful hacking tools to spy. For many political dissidents, keeping devices secure from hacks can be a life or death matter.

Last March, researchers detailed a global hacking campaign they said involved the Lebanese General Security Directorate. The effort reportedly set sights on victims by tricking them into downloading replica apps filled with malware. The Security Directorate said at the time that it didn't have such capabilities.

Researchers have also found that in 2016 Israeli company the NSO Group was providing spyware to nation-states to steal data from activists' iPhones. The company has said it obeys applicable laws.

Tools for hacking can be expensive. Leaked documents showed that one country paid $32 million to the NSO Group for spyware that could take control of a device's phone and camera.

In the above examples, the state-sponsored hacks required victims to fall for a trap, whether it was clicking on a link or downloading a malicious app. With Karma, all the hackers needed to do was send a text message, widening the scope of who the UAE could spy on.

Security flaws in Apple devices are rare, and knowledge of them can be so valuable that even though Apple offers bug bounties of up to $200,000, third parties have offered bounties for up to $500,000 to hand the flaws over to them instead.

The report on Karma comes as Apple is reeling over a major FaceTime security flaw. The bug, first reported by 9to5Mac on Monday, allowed FaceTime users to listen in on a call's recipient even if he or she didn't accept the call.

Apple said it was releasing a patch this week to fix the Group FaceTime vulnerability, and that it has temporarily disabled Group FaceTime until then.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Apple: See what's up with the tech giant.