Pegasus/NSO: iPhone to Spy Phone

Why do we dig deep and shell out for those – undoubtedly overpriced – MacBooks or the latest iPhone or iPad? Two reasons – they work seamlessly and they’re secure.

Apple has long styled itself as a champion of privacy, locking users into its walled ecosystem, and users are usually happy to put up with its tiresome quirks – shipping its latest iPhone without a charger, its expensive accessories and the inability to modify your device.

Apple was among the first to provide end-to-end encryption on consumer devices and has long been a proponent of privacy-first initiatives like on-device processing and data minimisation, measures that make iOS-powered devices difficult for most hackers to attack.

In contrast, Google’s Android operating system gives users plenty of options to tinker and modify the code and is more open to exploitation. 

While never naming it, Apple’s senior vice president of software engineering Craig Federighi clearly had Android in mind in a speech he gave last December to the European Data Protection and Privacy Conference.

“They gather, sell, and hoard as much of your personal information as they can. The result is a data-industrial complex, where shadowy actors work to infiltrate the most intimate parts of your life and exploit whatever they can find—whether to sell you something, to radicalise your views, or worse.”

In April Apple introduced its iOS 14.5 update that enabled users to deny permission to apps that track them – doubling down, to the horror of ad-driven companies like Facebook, on those privacy concerns.

All in all Apple’s privacy-first branding seemed to be going well until details of the Pegasus attack came to light earlier this month. 

That attack saw the Israeli-based company NSO – essentially a billion-dollar state actor – install spyware on up to 37 smartphones, iPhones among them, according to the Washington Post, all of them specifically targeted.

That “worse” Federighi referred to has come to pass.

Yesterday Apple unexpectedly released iOS 14.7.1 and iPadOS 14.7.1 – recommending that users download it as a matter of urgency. 

It’s not saying publicly that this is a result of the Pegasus attack, but the timing of the release is suspect.

All Apple is saying is that “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.”

In real world terms that means that, thanks to the NSO, messages, emails, contact details, GPS location, calendar entries and other information can be extracted from a targeted iPhone in a matter of minutes.

iPhone to Spy Phone

In a way, Apple has been a victim of its own success.

Its reputation for security has made its iPhones the go-to device for those who may be dealing with sensitive information in their work-life – journalists, NGO employees, politicians, human rights activists and the like – and, predictably, it was these very people who were targeted by Pegasus’ ingenious malware; malware that the NSO – despite its protestations of only selling to “vetted government agencies” – appears ready to sell to the highest bidder.

This is a long way from an app tracking you or a hacker trying to steal credit card numbers, and the attack has bruised a company that cites privacy as one of its key values.

The breadth of the attacks, which were uncovered by the Guardian and 16 other media organisations, is eye-opening.

French prosecutors have begun an investigation due to President Macron allegedly being targeted, and Amnesty International identified that at least 180 journalists around the world were impacted by Pegasus.

And it’s been going on for at least five years, according to the report.

Further, owning the latest iPhone won’t save you; the Pegasus software is quite capable of exploiting an iPhone 12 running iOS 14.6. And victims would have no idea their device was compromised. The malware didn’t require users to click a link – just receiving the message was enough to become a victim.

Hackers target iOS

“Apple’s self-assured hubris is just unparalleled,” Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See, told the Guardian in the wake of the attack.

“They basically believe that their way is the best way… I have no idea if my iPhone is hacked. My Mac computer on the other hand: yes, it’s an easier target. But I can look at a list of running processes; I have a firewall that I can ask to show me what programs are trying to talk to the internet. Once an iOS device is successfully penetrated, unless the attacker is very unlucky, that implant is going to remain undetected.”

While Android users can take steps to employ added protection, Apple users can’t.

The only thing standing in the way of your iPhone and a hacker is Apple itself and, up until now, that has been good enough.

The Pegasus saga highlights the fact that, faced with a company with unlimited dollars at its disposal, one that empowers – and pays – a swathe of unscrupulous security experts to do its dirty work, even Apple is vulnerable. (My colleague Stuart MacIntosh has written a great piece on why the hacker market is booming.)

No wonder the company rushed out that update, with its security engineering chief Ivan Krstić commenting that “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”

But surely, Ivan, those are the very individuals who should be able to trust that their data is safe and secure. 

If it isn’t, the results can be devastating; repressive governments will pay big money for working iPhone exploits.

Take the case of murdered Mexican journalist Cecilio Pineda Birto, whose number Amnesty International found on the NSO list.

So, is your beloved iPhone still the safest, most secure consumer mobile device on the market? Yes – after all is said and done – it probably is – but thanks to the NSO, Apple’s just been given a big wake-up call. Now, go and download that update!