The gloomy world of private spyware has caused alarm for a long time in cybersecurity circles, as authoritarian governments have been caught repeatedly targeting the smartphones of activists, journalists, and political rivals with malware purchased from unscrupulous brokers. The surveillance tools these companies provide frequently target iOS and Android, which have apparently been unable to keep up with the threat. But a new report suggests that the scale of the problem is much larger than feared, and has put additional pressure on mobile technology makers, particularly Apple, from security researchers seeking solutions.
This week, an international group of researchers and journalists from Amnesty International, Forbidden Stories and more than a dozen other organizations published forensic evidence that various governments around the world, including Hungary, India, Mexico, Morocco, Saudi Arabia and the United Arab Emirates, may be clients of the well-known Israeli spyware provider NSO Group. Investigators studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives and politicians who were all potential surveillance targets. They also specifically analyzed 37 devices infected or attacked by NSO’s Pegasus invasive spyware. They created a tool so you can check if your iPhone has been compromised.
The NSO Group called the investigation “false allegations by a media consortium” in a heavily worded denial on Tuesday. An NSO Group spokesperson said: “The list is not a list of Pegasus targets or possible targets. The numbers on the list are not related to NSO Group in any way. Any claim that a name on the list is necessarily related to a Pegasus target or potential target is wrong and false. ” On Wednesday, the NSO Group said it would no longer respond to media inquiries.
NSO Group is not the only spyware provider out there, but it does have the highest profile. WhatsApp sued the company in 2019 about what it claims were attacks on more than a thousand of its users. And Apple’s BlastDoor feature, inserted In iOS 14 earlier this year, it was an attempt to eliminate “zero-click vulnerabilities,” attacks that require no tapping or downloading from victims. The protection does not appear to have worked as well as expected; The company released an iOS patch to address the latest round of alleged NSO Group hacks on Tuesday.
Looking to the report, many security researchers say that both Apple and Google can and should do more to protect their users against these sophisticated surveillance tools.
“It definitely shows challenges in general with mobile device security and investigative capabilities these days,” says independent researcher Cedric Owens. “I also think that seeing NSO’s Android and iOS zero-click infections shows that motivated and resourceful attackers can still succeed the amount of control Apple applies to its products and ecosystem.”
Tensions have long boiled between Apple and the security community over limits on the ability of investigators to conduct forensic investigations on iOS devices and implement monitoring tools. Greater access to the operating system would potentially help detect more attacks in real time, allowing researchers to gain a deeper understanding of how those attacks were constructed in the first place. For now, security researchers are relying on a small set of indicators within iOS, in addition to occasional leak. And while Android is more open by design, it also places limits on what is known as “observability.” Effectively fighting high-caliber spyware like Pegasus, some researchers say, would require things like access to read a device’s file system, the ability to examine what processes are running, access to system logs, and other telemetry.
Much criticism has focused on Apple in this regard, because historically the company has offered stronger security protections for its users than the fragmented Android ecosystem.
“The truth is that we hold Apple to a higher standard precisely because they are doing so much better,” says SentinelOne Principal Threat Investigator Juan Andrés Guerrero-Saade. “Android is free for everyone. I don’t think anyone expects Android security to improve to a point where all we need to worry about are targeted attacks with zero-day exploits. “
In fact, Amnesty International researchers say they actually found it easier to find and investigate indicators of compromise on Apple devices targeted with Pegasus malware than on those running standard Android.
“In Amnesty International’s experience, there are many more forensic traces accessible to investigators on Apple iOS devices than on standard Android devices, so our methodology focuses on the former,” the group wrote in an extensive technical analysis of his findings on Pegasus. “As a result, the most recent cases of confirmed Pegasus infections have involved iPhones.”
Part of the focus on Apple also comes from the company’s own emphasis on privacy and security in the design and marketing of its products.
“Apple is trying, but the problem is that they are not trying as hard as their reputation implies,” says Johns Hopkins University cryptographer Matthew Green.
However, even with its more open approach, Google faces similar criticism about the visibility security researchers can get into its mobile operating system.
“Android and iOS have different types of records. It’s really hard to compare them, ”says Zuk Avraham, CEO of analytics group ZecOps and a longtime advocate for access to mobile system information. “Each has an advantage, but they are not enough either and allow threat actors to hide.”
However, Apple and Google seem reluctant to reveal more about forensic digital sausage making. And while most independent security researchers advocate for change, some also acknowledge that increased access to system telemetry would help bad actors, too.
“While we understand that persistent logs would be more useful for forensic uses such as those described by Amnesty International researchers, they would also be useful for attackers,” a Google spokesperson said in a statement to WIRED. “We constantly balance these different needs.”
Ivan Krstić, Apple’s head of security engineering and architecture, said in a statement that “Apple unequivocally condemns cyberattacks against journalists, human rights activists and others who seek to make the world a better place. For more than a decade, Apple has led the industry in security innovation, and as a result, security researchers agree that the iPhone is the most secure consumer mobile device on the market. Attacks such as those described are highly sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals. While that means they are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers and are constantly adding new protections for their devices and data. “
The trick is to find the right balance between offering more system indicators without inadvertently making the attackers’ job easier. “There are many things that Apple could be doing in a very safe way to allow observation and imaging of iOS devices in order to detect this type of misbehavior, but that does not seem to be treated as a priority,” says the researcher iOS security. Will Strafach. “I am sure they have just political reasons for this, but it is something that I do not agree with and I would love to see changes in this way of thinking.”
Thomas Reed, director of Mac and mobile platforms at antivirus maker Malwarebytes, says he agrees that a greater understanding of iOS would benefit user defenses. But he adds that allowing special and reliable monitoring software would carry real risks. It points out that there are already suspicious and potentially unwanted programs in macOS that antivirus cannot completely remove because the operating system gives them this special kind of trust in the system, potentially in error. The same problem with rogue systems analysis tools would almost inevitably crop up on iOS as well.
“We also see nation-state malware all the time on desktop systems that are discovered after several years of deployment without being detected,” adds Reed. “And that is in systems where there are already many different security solutions available. Many eyes looking for this malware are better than few. I am only concerned about what we would have to trade for that visibility.”
Project Pegasus, as the consortium of researchers calls the new findings, underscores the reality that Apple and Google are unlikely to solve the threat posed by private spyware vendors on their own. The scale and scope of Pegasus’ potential targets indicate that a global ban on private spyware may be necessary.
“A moratorium on the intrusion software trade is the bare minimum for a credible response: mere classification,” said NSA surveillance whistleblower Edward Snowden. tweeted on Tuesday in reaction to the Project Pegasus findings. “Anything less and the problem gets worse.”
On Monday, Amazon Web Services took his own step shutting down the cloud infrastructure linked to NSO.
Regardless of what happens to the NSO Group in particular, or the private surveillance market in general, user devices remain, ultimately, where clandestine targeted attacks from any source will unfold. Even if Google and Apple cannot be expected to solve the problem themselves, they must keep working on a better way forward.
This story originally appeared in wired.com.