Accuvant, a US research and development lab that developed iOS exploits and sold them to the government, is said to have enabled three former US intelligence staff to create access for the United Arab Emirates (UAE) to spy on iPhone users across the globe.

US-based MIT Technology Review reported that Accuvant was involved in a $1.3 million sale of an iOS exploit to a company in the UAE.

The three former US intelligence staff reportedly agreed to pay penalties totaling $1.6 million in a deferred prosecution agreement involving their roles in creating systems to hack iPhones on behalf of a UAE company.

Acting Assistant Attorney-General with the DoJ’s National Security Division, Mark Lesko, explained that the trio’s criminal activity included creating a system to gain unauthorized access to devices, and providing defense-related services to a non-domestic company without a necessary license.

In a statement on 14 September, the US Department of Justice (DoJ) said the three “hackers for hire” created a system called Karma, which accessed servers belonging to a US company to “obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices across the globe” running iOS.

The DoJ stated Karma was a “zero-click hack”, meaning the owners of compromised iPhones did not have to open, download, or click anything to activate the software.

It noted that Karma was amended in 2017 in response to an iOS update, meaning devices running on older versions of iOS remained vulnerable.