Apple is coming in for some criticism over its security posture after NSO Group malware is seen … [+]
iPhone spyware made by $1 billion surveillance company NSO has exposed “major” issues in Apple iMessage security, according to a security expert who has spent years researching the Israeli business’ hacks.
Reports from Amnesty International and Citizen Lab, following on from an alleged leak of data on 50,000 potential targets of NSO’s Pegasus spy tool, claimed that they had both seen a so-called “zero-click” attack exploiting numerous vulnerabilities in a fully patched iPhone 12 Pro Max running iOS 14.6 in July 2021. That included hacks of iMessage.
Bill Marczak, researcher at Citizen Lab, told Forbes that in some cases Apple’s iOS will automatically run data within iMessages and attachments, even when they’re from strangers, which could put users at risk.
“That’s a recipe for disaster,” he said. “Apple should consider implementing something similar to what Twitter or Facebook have for their DMs, where messages from strangers are somewhat hidden, and filtered into a separate pane by default.”
Right now, Marczak adds, this isn’t a problem for the average iPhone user, as the target list acquired by nonprofit organization Forbidden Stories mainly focused on people at high risk of government surveillance, from journalists like Financial Times editor Roula Khalaf to people close to murdered journalist Jamal Khashogghi. Heads of state were also reportedly on the potential target list. NSO has repeatedly been called out in the last five years after its tools were seen targeting Mexican lawyers, Saudi activists and journalists across the world, though it claims its software is used to help governments catch the most egregious criminals like terrorists and pedophiles.
“But if Apple doesn’t nip this in the bud, these sorts of zero-click iMessage attacks will inevitably proliferate to less sophisticated hackers, such as cybercriminals,” Marczak warned. He’d previously tweeted that an Apple security mechanism called BlastDoor, designed to segment content in iMessage in case it contained malicious links or code, was not protecting users from such dangerous exploits. He noted that some of the exploits abused ImageIO and its JPEG and GIF image-parsing features. “ImageIO has had more than a dozen high-severity bugs reported against it in 2021,” he tweeted.
Apple, however, believes its tech is doing a good job at protecting users from text-based attacks. For instance, the tech giant said that if a website link is sent to a user via iMessage, it won’t reach out to a webpage to get a preview of the site and only accepts a static preview image from the sender. BlastDoor will treat these as untrusted and any code from those sites that launches should only run in a separate, protected part of the operating system. That should block any hacks being launched by a website link.
“Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” a spokesperson for the Cupertino tech giant said.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The next iteration of Apple’s operating system should come with further improvements designed to counter sophisticated exploits, the spokesperson added, but didn’t elaborate.
NSO, meanwhile, said reports of a leak of 50,000 targets of its spyware were “false,” suggesting to The Guardian that they were based on “uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.” Publications, including the Washington Post and The Guardian, noted that just because an individual’s device was on the list of possibly targeted phones didn’t mean their phone was ever infected with the Pegasus spyware.
The company denied its tools were used to target Khashogghi family members, after reports suggested that both his former wife, Hanan Elatr, and fiancee Hatice Cengiz were targeted before and after his death. (Khashogghi was reportedly involved with both women at the time of his death.) “As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi. We can confirm that our technology was not used to listen, monitor, track or collect information regarding him or his family members mentioned in your inquiry. We previously investigated this claim, which, again, is being made without validation.”
It pledged to continue to “investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world
I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the biggest cybersecurity stories of the week. It goes out every Monday and you can sign up here: https://www.forbes.com/newsletter/thewiretap
I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice, Wired and the BBC, amongst many others.
Tip me on Signal / WhatsApp / whatever you like to use at +447782376697. If you use Threema, you can reach me at my ID: S2XY9B9U.
If you want to tip me with something sensitive? Get in contact on Signal or Threema, and we can use OnionShare. It’s a great way to share documents privately. See here: https://onionshare.org/