Attempts or successful instances of installing the spyware were made on 37 phones, out of which 34 were iPhones.

Apple logo on a building, bokeh in foreground from lights on a tree
Atom Pegasus row Tuesday, July 20, 2021 - 19:44

The Pegasus project by Paris-based journalism nonprofit Forbidden Stories and Amnesty International found information on attempts to introduce the spyware — some instances successful, others not — onto phones of politicians, journalists, activists and bureaucrats. The spyware is only sold to governments by Israeli firm NSO Group. In India, The Wire reported that over 300 Indian phone numbers had been verified, and these include ones used by ministers, journalists, bureaucrats, politicians, activists and others. 

The one common theme that was found was that many people on the list used iPhones. Reports in The Wire stated that phones of journalists were compromised with the software through Apple’s iMessage system. Phones were impacted through ‘zero-click’ attacks, which doesn’t require any action by the person whose phone is being surveilled. These exploit “zero-day” vulnerabilities in a phone’s operating system, which the manufacturer is usually unaware of. This method delivers the spyware directly onto the phone without any indication, and the spyware can collect call records, location logs, passwords, contacts and all other information that is on the phone. In fact, it can even control the camera and microphone too. 

Amnesty Tech’s Deputy Director Danna Ingleton said that Apple prides itself on security and privacy, but NSO has “ripped these apart”.

“Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised,” she said. 

Citizen Lab, which peer-reviewed the findings of Forbidden Stories and Amnesty International, showed that it can affect even the latest iPhones. Amnesty said that among the Apple products that were successfully infected were iPhone 11 and iPhone 12 models, which are equipped with the latest updates and were believed to have high levels of security.  

It said: “Citizen Lab independently documented NSO Pegasus spyware installed via successful zero-day zero-click iMessage compromises of an iPhone 12 Pro Max device running iOS 14.6, as well as zero-day zero-click iMessage attacks that successfully installed Pegasus on an iPhone SE2 device running iOS version 14.4, and a zero-click (non-zero-day) iMessage attack on an iPhone SE2 device running iOS 14.0.1.”

Bill Marczak, a research fellow with Citizen Lab, said on Twitter that this indicates that Apple has “a MAJOR blinking red five-alarm-fire problem with iMessage security”.

This is also an issue because Apple sells its phone with privacy and security as features, especially superior to that of its competitors. 

Exploiting iMessage for zero-click attacks has been documented before, according to Citizen Lab. iMessage is available, by default, on all Apple devices. 

According to the Washington Post, Amnesty examined 67 phones, and found attempts or successful instances of installing the spyware on 37 phones. Out of these, 34 were iPhones, and 23 of these had indications that the attempt was successful.

Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement that the attack is not a threat to an overwhelming majority of users. 

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added. 

It may not be a threat to an overwhelming majority at the moment, but there are fears that it could be more widespread in the future. 

Citizen Lab’s Marczak told Forbes that if Apple doesn’t tackle this now, “these sorts of zero-click iMessage attacks will inevitably proliferate to less sophisticated hackers, such as cybercriminals.”

“This is a global concern – anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand,” Amnesty Tech’s Dana Ingleton said.

Journalists from the consortium combed through a list of more than 50,000 cell phone numbers, identifying more than 1,000 individuals in 50 countries. They include 189 journalists, 85 human rights activists and several heads of state. Among the journalists were employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.

Become a TNM Member for just Rs 999!
You can also support us with a one-time payment.