This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
Last week, Motherboard demonstrated a piece of Android malware that can remotely turn on a smartphone's microphone, track the user's location, and intercept phone calls. When buying similar spyware for iPhones, attackers typically need to jailbreak the device first so they can then install unauthorized apps—a technical barrier that may take some time.
But companies do offer monitoring solutions for iPhones that apparently work on iOS 10 devices and don't require a jailbreak. Instead, they take advantage of another aspect of Apple products that some users may overlook—iCloud backups. Although the method isn't sophisticated, and the attacker requires a target's Apple ID and password, it still highlights the options available to someone trying to monitor their spouse using off-the-shelf tools.
"Keeping tabs on the online activities of kids and employees on all iOS devices has gotten even simpler as jailbreak is no longer a prerequisite for Mobistealth to work," the website for Mobistealth, the company that sells the monitoring tool, reads.
According to the website, Mobistealth's non-jailbroken iOS solution can monitor call logs and the phone's contact list, steal photos stored on the device, read all WhatsApp conversations, and remotely track the location of the phone using GPS. It can also log other communication apps, such as WeChat, Kik and LINE. (The company also sells spyware for jailbroken iPhones, normal Android devices, and computers.)
Mobistealth markets its products towards business owners that want to monitor employees, or to help parents keep tabs on their children. However, several other websites, which include Mobistealth branding, advertise spyware as suitable for monitoring a partner. A YouTube video, which includes a Mobistealth referral link, markets the product for spying on a "cheating spouse." In other words, even if a company doesn't explicitly state its tool can be used to snoop on partners, third-party affiliates, who can make money from promoting products, still do so.
Motherboard contacted Mobistealth and asked whether one could use the company's products to spy on their wife or lover.
"Yes," the representative said.
When pressed about whether a user would need to obtain the target's consent first for legal reasons, or whether one can just use it to target a device without permission, the representative said, "Yes, you can do that."
As mentioned, Mobistealth uses a non-jailbroken iPhone's iCloud backup to obtain its data. According to Apple's website, "iCloud backups include nearly all data and settings stored on your device."
An attacker needs the Apple ID and password of the phone they want to monitor. After registering that account with Mobistealth, the company will start pulling data straight away, Mobistealth's website reads. Ostensibly, the monitoring solution would no longer work if the password for the Apple ID was changed.
"Please note that iCloud backup is normally enabled on the device by default," it continues. An attacker does not need physical access to the device.
Apple did not respond to multiple requests for comment.
Some may think that requiring an Apple ID and password would make this attack fairly low risk, but that overlooks the complex threat many targets, especially victims of domestic violence, may face. An abuser can force a victim to give up their password; an attacker could provide the target with a pre-registered phone; or perhaps a married couple already shares passwords.
"You'll discover the thuth [truth] in a matter of matters," the caption of the affiliate YouTube video advertising Mobistealth's products reads.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next .
Update: This piece has been updated to add that the monitoring solution likely would no longer work if the Apple ID password was changed.