A US R&D lab which developed iOS exploits and sold them to the government reportedly enabled three former intelligence community staff to create an espionage tool by providing the technology to the United Arab Emirates.

MIT Technology Review reported R&D company Accuvant was involved in a $1.3 million sale of an iOS exploit to the UAE. The company is now under the ownership of Optiv, which is not currently under investigation.

The trio of former US intelligence staff agreed to pay penalties totalling $1.6 million in a deferred prosecution agreement involving their roles in creating systems to hack iPhones on behalf of a UAE company.

In a statement on 14 September, the US Department of Justice described the three as “hackers for hire”, adding they created a system called Karma which accessed servers belonging to a US company to “obtain remote, unauthorised access to any of the tens of millions of smartphones and mobile devices” running iOS.

The DoJ stated Karma was a “zero-click hack”, meaning the owners of compromised iPhones did not have to open, download, or click anything to activate the software.

Karma was amended in 2017 in response to an iOS update, meaning devices running on older versions of the OS remained vulnerable, the DoJ stated.

Mark Lesko, acting assistant attorney general with the DoJ’s National Security Division, explained the trio’s criminal activity included creating a system to gain unauthorised access to devices, and providing defence-related services to a non-domestic company without a necessary licence.