Apple security under scrutiny amid fallout from NSO spyware scandal
Reports that NSO Group’s Pegasus spyware was used by governments to spy on Apple iPhones used by journalists, activists, government officials and business executives are becoming a global controversy for NSO, Apple and a number of governments at the center of the scandal.
Amnesty International and Forbidden Stories – a Paris-based nonprofit media group that works with journalists – said earlier this week that users of the spyware developed by Israel were able to hack into iPhone 11 and iPhone 12 devices, as well as Android devices, belonging to tens of thousands of people – including a number of world leaders. The software has even been linked to the disappearance of Princess Latifa from the United Arab Emirates.
The software is designed to allow users to remotely extract data – emails, messages, and photos – from devices, as well as record calls and activate microphones and cameras. They can also grab the conversations that happen on social media apps like WhatsApp. NSO Group has maintained for years that Pegasus is intended to help governments and law enforcement agencies tackle global threats such as crime and terrorism, but it is becoming evident that the software has also been turned into a weapon by hostile parties.
Journalists, government officials targeted
As first reported in The Guardian, a major data breach revealed a list of more than 50,000 phone numbers of people who have been in the crosshairs of NSO customers since 2016, including more than 180 journalists around the world. The revelations suggest that some Pegasus users, such as authoritarian governments, were using the spyware to track people who were not criminals or terrorists.
This included people such as French President Emmanuel Macron and hundreds of other heads of state and government officials, whose phone numbers were on the list obtained by Amnesty International and Forbidden Stories as part of Project Pegasus. The Israeli government has reportedly created a group to oversee damage control while other governments in places such as Hungary and Saudi Arabia are criticized for using spyware.
The impact of the emerging scandal continues to be felt. The main public cloud provider Amazon Web Services (AWS) has disabled all accounts linked to the Israeli company.
Apple under fire
Apple, which for years has been loudly touting the security of its iPhones, is under pressure to work more closely with other device makers to push back on technology like Pegasus.
In a statement to reporters, Apple officials said the company has worked with security experts outside the company, which has made the iPhone “the most secure consumer mobile device on the market.” They also sought to allay concern that Pegasus’ situation is a widespread problem.
“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” the statement from Apple said. “While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data.”
However, Danna Ingleton, deputy director of Amnesty Tech, said in a statement that “Apple is proud of its security and privacy features, but NSO Group has torn them apart. Our forensic analysis uncovered compelling evidence that, thanks to the iMessage click-less attacks, NSO spyware successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised. … It is a global concern. Everyone is in danger, and even tech giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
Mobile security, confidentiality at stake
Oliver Tavakoli, CTO of cybersecurity company Vectra, told eSecurity Planet that “it’s clear that the iMessage iOS service is a bit of a mess from a security standpoint.”
“Apple has added more and more functionality to it and every piece of functionality has the potential for exploitable vulnerabilities,” Tavakoli said. Also, the fact that iMessage does not distinguish how it handles incoming messages from known contacts versus complete strangers opens up phones for exploitation from anywhere. Accepting message processing from anything is equivalent to managing a network connected to the Internet without a firewall.
For Setu Kulkarni, vice president of strategy at NTT Application Security, now is the time to rally with tech companies as they push back on software like Pegasus, adding that “the line between acceptable surveillance (if at all) and the intrusion on privacy is very slim.”
“For Apple and other manufacturers, this is a watershed moment to engage more with governments to create more checks and balances while making their platform more impenetrable to bad actors,” Kulkarni told eSecurity Planet. “For lawmakers, it is also a moment of judgment to create consequences for the misuse of these public services.”
NSO Group pushes back
In a statement, officials at the NSO Group denied the accusations in Forbidden Stories’ initial report, saying they are based on “flawed assumptions and unsubstantiated theories that raise serious doubts about the reliability and interests of sources.” The company claimed that the data provided to the group is “based on a misleading interpretation of accessible and obvious basic information data, such as HLR research services, which has no bearing on Pegasus’ target customer list or any other NSO product.”
These services are available to anyone at any time and are commonly used by governments, they said.
However, NSO Group has also been linked to other privacy scandals, including the hacking of Amazon founder Jeff Bezos and journalist Jamal Khashoggi, a US resident murdered at the Saudi Embassy in Turkey. Both incidents occurred in 2018. A year later, Facebook sued the company in a case involving a zero-day vulnerability in WhatsApp that targeted devices used by journalists, political activists and others. Google, Microsoft and Cisco Systems filed briefs in support of the lawsuit.
In 2020, the FBI began investigating the company for possibly spying on citizens and groups in the United States.
Researchers at Lookout, an endpoint-to-cloud security company, have watched Pegasus evolve since they first spotted it in 2016, according to chief strategy officer Aaron Cockerill.
“It has advanced to the point of running on the target’s mobile device without requiring any user interaction, meaning the operator only has to send the malware to the device,” Cockerill told eSecurity Planet. “Considering the number of apps that iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, games or dating apps.”
The techniques used by the NSO Group are increasingly being adopted by mainstream surveillance and spyware vendors, which could put such powerful tools in the hands of many people. This is similar to the trend towards ransomware-as-a-service, which has allowed people with little experience to launch such attacks, he said.
“Mobile devices continue to be a primary attack vector for cybercriminals,” Cockerill said. “Mobile malware, surveillance software and ransomware can destroy infrastructure and track our every move, as attackers target people where they are most vulnerable. Business leaders with access to market data, technological research and infrastructure are very valuable targets.”
While mobile devices such as iOS and Android smartphones have become an integral part of everyday life, “they need to be secure with as much, if not more, priority than any other device,” he said. “As smartphones continue to evolve, security continues to improve. However, so does the breadth and complexity of the existing software code base, with millions of lines of code that need to be secured.”