Apple under pressure on iPhone security after NSO spyware claims



Apple has been under pressure to collaborate with its Silicon Valley rivals to defend itself against the common threat of surveillance technology after a report alleged that NSO Group’s Pegasus spyware was used to target journalists and human rights activists.

Amnesty International, which analyzed dozens of smartphones attacked by NSO customers, said that Apple’s marketing claims about the superior security and privacy of its devices had been “shattered” by the discovery of vulnerabilities even in the most recent versions of its iPhone and iOS software.

“Thousands of iPhones have been potentially compromised,” said Danna Ingleton, deputy director of Amnesty’s technology unit. “This is a global concern: Anyone and everyone is at risk, and even tech giants like Apple are ill-equipped to deal with the massive scale of surveillance in question.”

Security researchers said Apple could do more to address the problem by working with other technology companies to share details about vulnerabilities and examine their software updates.

“Unfortunately, Apple does a poor job of that collaboration,” said Aaron Cockerill, chief strategy officer for Lookout, a mobile security provider. He described iOS as a “black box” compared to Google’s Android, where he said it was “much easier to identify malicious behavior.”

Amnesty worked with the non-profit journalistic group Forbidden Stories and 17 media partners on the “Pegasus Project” to identify suspected surveillance targets.

NSO, which has said its technology was designed to target only criminal or terrorist suspects, described the Pegasus Project claims as “false accusations” and “full of erroneous assumptions and unsubstantiated theories.”

The Amnesty investigation found that several attempts to steal data and eavesdrop on iPhones had been made through Apple’s iMessage using so-called zero-click attacks, which do not require the user to open a link.

Bill Marczak, a researcher at Citizen Lab, a nonprofit group that has extensively documented NSO’s tactics, said Amnesty’s findings suggested that Apple had a “major issue of five flashing red alarms with iMessage security.”

A similar zero-click Pegasus attack was identified on Facebook-owned WhatsApp messenger in 2019.

Will Cathcart, director of WhatsApp, called the latest disclosures a “wake-up call for Internet safety.” In a series of tweets, he pointed to actions taken by technology companies such as Google, Microsoft and Cisco that have tried to push back against Pegasus and other commercial spyware tools.

But Apple, with whom Facebook has a long-standing dispute over iPhone privacy controls, was absent from his list of collaborators.

“We need more businesses, and fundamentally governments, to take action to hold the NSO Group accountable,” said Cathcart.

While Apple does “a great job protecting consumers,” Lookout’s Cockerill said, “it should collaborate more with companies like mine” to protect against attacks like Pegasus.

“The big difference between Apple and Google is transparency,” Cockerill said.

Apple insisted that it collaborated with outside security researchers but chose not to publicize those activities, which included paying millions of dollars a year in “security bounty” rewards for detecting vulnerabilities and providing its hardware to researchers.

“For more than a decade, Apple has led the industry in security innovation, and as a result, security researchers agree that the iPhone is the safest and most secure consumer mobile device on the market,” Apple said in a statement.

“Attacks such as those described are highly sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” Apple continued. “While that means they are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers and are constantly adding new protections for their devices and data.”

© 2021 The Financial Times Ltd. All rights reserved. It must not be redistributed, copied or modified in any way.


arstechnica.com
