Apple has come under pressure to work with its Silicon Valley competitors to tackle the general threat posed by surveillance technology after a report alleged that NSO Group’s Pegasus spyware was used against journalists and human rights activists.
Amnesty International, which has analyzed dozens of smartphones attacked by NSO customers, said Apple’s marketing claims about the superior security and privacy of its devices were “torn apart by the discovery of vulnerabilities in even the latest versions of its iPhones and iOS software”.
“Thousands of iPhones have been potentially compromised,” said Danna Ingleton, assistant director of Amnesty’s technical department. “This is a global concern – everyone is at risk, and even tech giants like Apple are ill-equipped to deal with massive surveillance.”
Security researchers said Apple could do more to address the problem by working with other technology companies to share details of security vulnerabilities and review their software updates.
“Apple is doing a bad job with this collaboration,” said Aaron Cockerill, chief strategy officer at Lookout, a mobile security provider. He described iOS as a “black box” compared to Google’s Android, where it was “much easier to detect malicious behavior”.
Amnesty worked with the non-profit journalism group Forbidden Stories and 17 media partners on the Pegasus Project to identify suspected surveillance targets.
NSO, which said its technology is only intended for criminal or terrorist suspects, described the Pegasus Project’s claims as “false allegations” and “full of false assumptions and unconfirmed theories”.
Amnesty’s research revealed that multiple attempts to steal data and wiretap iPhones were made via Apple’s iMessage using so-called zero-click attacks that did not require the user to open a link.
Bill Marczak, a research fellow at Citizen Lab, a nonprofit group that has extensively documented NSO’s tactics, said Amnesty’s findings indicated that Apple had a “major blinking red five-alarm-fire problem with iMessage security”.
A similar type of zero-click Pegasus attack was identified in 2019 using Facebook’s own WhatsApp messenger.
Will Cathcart, head of WhatsApp, called the recent revelations a “wake up call for security on the Internet”. In a series of tweets, he pointed to moves by technology companies like Google, Microsoft and Cisco that have tried to push back against Pegasus and other commercial spyware tools.
But Apple, with whom Facebook has a long-standing feud over the privacy controls of the iPhone, was missing from his list of collaborators.
“We need more companies, and especially governments, to take steps to hold the NSO Group accountable,” said Cathcart.
While Apple is “doing a great job protecting consumers,” said Lookout’s Cockerill, “it should work more closely with companies like mine” to protect itself from attacks like Pegasus.
“The big difference between Apple and Google is transparency,” said Cockerill.
Apple insisted that it works with outside security researchers but chooses not to publicize the activities, which include paying out millions of dollars a year in “security rewards” for finding security holes and making its hardware available to researchers.
“Apple has been a leader in security innovation for over a decade, and security researchers agree that the iPhone is the safest and most secure mobile device on the market,” Apple said in a statement.
“Attacks like the one described are sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” continued Apple. “While they pose no threat to the overwhelming majority of our users, we continue to work tirelessly to keep all of our customers safe and we are constantly adding new safeguards to their devices and data.”
© 2021 The Financial Times Ltd. All rights reserved. May not be redistributed, copied or modified in any way.