With the revelations of the Pegasus Project investigation has come the realisation that for all of Apple’s claims regarding the security of its phones, the iPhone is vulnerable to undetected infiltration.
Forensic evidence suggests the Pegasus spyware developed by Israel’s NSO Group used ‘zero-click’ attacks executed via Apple’s iMessage and FaceTime communications apps, the Apple Music streaming service, and Safari web pages to infiltrate the iPhones of journalists and activists.
Once in, Pegasus gains full access to the targeted iPhone or Android smartphone’s data, location, text messages, and contact lists, along with stored audio, video, and photo files. In effect, it gains, as a security expert put it, “often more control than the owner of the phone”.
Over the past few years, important people, and people who worry about the security of their devices, have moved to iPhones, especially since BlackBerry and Windows phones have faded into oblivion. So an attack targeting phones used by politicians, business leaders, and journalists will have a higher proportion of Apple devices.
In a statement condemning the attacks, Ivan Krstic, head of Apple Security Engineering and Architecture, said: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Independent security researcher Anand Venkatanarayanan said that Apple’s claims about security enhancements notwithstanding, “there exist lots of smaller vulnerabilities”. This, he said, makes it “easier for NSO to either procure or develop exploits on their own”, which can sell for millions of dollars.
“NSO Group is a military-grade weapons manufacturer and just like any arms maker, they have to guarantee their customers that whatever they supply is going to work everywhere. And Android and iOS are the only two big markets out there,” Venkatanarayanan said.
According to Venkatanarayanan, multiple zero-day vulnerabilities have been found in iMessage over the last year and a half. With iOS 14, Apple tried to harden iMessage with BlastDoor, a tightly sandboxed service dedicated to the messaging system: it parses all incoming iMessage content in isolation and passes only the safely decoded data on to the rest of the operating system.
But as Amnesty International’s forensic analyses of iPhones infected with the Pegasus spyware showed, the NSO Group’s ‘zero-click’ attacks managed to bypass this. ‘Zero-click’ attacks do not require any interaction from the target, and according to Amnesty, they were observed as recently as July 2021 on a fully patched iPhone 12 running iOS 14.6.
No device can claim to be 100 per cent secure, said ethical hacker and cybersecurity expert Nikhil S Mahadeshwar. “Every security has its own backdoor and even if the backdoor is private, there is a new methodology and a new technology to break that backdoor.” Why, for example, does Apple have a bug bounty programme when it claims its iPhones are “unhackable”, Mahadeshwar asked.
“There are two major ways through which the iPhone can be hacked — by jailbreaking, or via third party unauthorised iCloud backup, through which you can get to the user’s iMessages, WhatsApp chats, and contacts,” he said.
Apple sources said the company views security as a process — as part of which it quickly addresses critical vulnerabilities and provides security updates to users even on older devices. The sources said Apple had pioneered new protections like Pointer Authentication Codes and BlastDoor, and was working to improve these features to respond to new threats.
Both operating systems are about equally vulnerable, or equally secure. However, only iPhones retain the usage logs that make it possible to carry out the forensic analysis needed to detect a possible spyware infection. Pegasus is harder to detect on Android, where such logs tend to get deleted after a year or so.
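The kind of log-based analysis referred to above, as an added example that is not part of the article and not the code of any forensic toolkit: constructed records mimicking the per-process usage data an iPhone retains are matched against a hypothetical indicator list, and a retention window shows why the same check yields less on a device that discards older logs. The process names, domain and timestamps are invented placeholders.

```python
"""Added illustration: indicator-of-compromise scan over device usage logs.

Record fields mirror the shape of per-process usage data kept on an iPhone.
All values below are constructed; the IOC list is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class UsageRecord:
    proc_name: str          # process name as recorded by the device
    first_seen: datetime    # first timestamp the device logged for it
    remote_host: str = ""   # host contacted, if the record carries one


# Hypothetical indicators in the shape of a published IOC feed:
# process names and domains. Real investigations load these from a
# vendor-published indicator bundle rather than hard-coding them.
HYPOTHETICAL_IOCS = {
    "process_names": {"suspicious_helper", "fakeaccountd"},
    "domains": {"example-c2.invalid"},
}

# Constructed sample log, anchored at an invented "now".
NOW = datetime(2021, 7, 18, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    UsageRecord("benignd", NOW - timedelta(days=400)),
    UsageRecord("suspicious_helper", NOW - timedelta(days=395),
                "cdn.example-c2.invalid"),
    UsageRecord("photosd", NOW - timedelta(days=30)),
    UsageRecord("fakeaccountd", NOW - timedelta(days=12)),
]


def scan_records(records, iocs):
    """Return (record, indicator_type, indicator) for every IOC hit,
    ordered by the record's first_seen timestamp."""
    hits = []
    for rec in records:
        if rec.proc_name in iocs["process_names"]:
            hits.append((rec, "process_name", rec.proc_name))
        host = rec.remote_host.lower().rstrip(".")
        # Match the indicator domain itself and any subdomain of it.
        for dom in iocs["domains"]:
            if host == dom or host.endswith("." + dom):
                hits.append((rec, "domain", dom))
    return sorted(hits, key=lambda h: h[0].first_seen)


def retained(records, now, retention):
    """Simulate a device that drops records older than `retention`."""
    return [r for r in records if now - r.first_seen <= retention]


def hits_after_retention(retention_days):
    """Hits still found when only the last `retention_days` of log survive."""
    kept = retained(SAMPLE_RECORDS, NOW, timedelta(days=retention_days))
    return scan_records(kept, HYPOTHETICAL_IOCS)


if __name__ == "__main__":
    for days in (10_000, 365):
        print(f"retention {days} days:")
        for rec, kind, ioc in hits_after_retention(days):
            print(f"  {rec.first_seen:%Y-%m-%d} {kind}={ioc} ({rec.proc_name})")
```

With the full log, three hits appear (two from the older record, one from the recent one); with a one-year retention window the older record is gone and only the recent process-name hit remains, which is the point the paragraph makes about Android logs.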
Pranesh Prakash, Affiliated Fellow at the Information Society Project at Yale Law School, said both iOS and Android are “vulnerable to various security exploits, and have robust programmes to counter these kinds of security vulnerabilities”. Spyware like “Pegasus have to keep evolving to different forms of security measures that Android and iOS take,” he said.
Why are such attacks becoming frequent? (Earlier instances of surveillance involving Pegasus were reported a couple of years ago.)
Venkatanarayanan said the nature of the smartphone market, dominated by two operating systems — iOS and Android — make it easier for companies like NSO Group to carry out attacks. “If you find one vulnerability, you can hit a major chunk of users. The scale of this monopoly — or duopoly — is such that there’s not much variability. Variability makes cyber offence operations harder,” he said.
Apple’s reputation for safe and secure devices has been dented by the Pegasus revelations. Apple has since highlighted how its security team has grown by about four times in the last five years, and now comprises many top experts, from threat intelligence specialists and offensive security researchers to platform defence engineers and “everything in between”.
Tim Bajarin, tech analyst and chairman of Creative Strategies, said in an email: “…Apple needs to deal with this ASAP and serve as the example of correcting this exploit of their OS. Apple has weathered other security breaches in the past, and if they deal with it quickly and make sure this threat has been eliminated, they will regain their customers’ views of Apple’s security focus.”