According to a security expert who has spent years investigating the hacks of Israeli businesses, iPhone spyware created by NSO (a $1 billion company) has exposed “major issues” in Apple iMessage security.
Citizen Lab and Amnesty International reported that they both witnessed a “zero-click” attack that chained multiple vulnerabilities on an iPhone 12 Pro Max patched to iOS 14.6 in July 2021. This followed an alleged leak of data on 50,000 potential targets of NSO’s Pegasus spyware, which included iMessage hacks.
Citizen Lab researcher Bill Marczak told Forbes that, in some cases, Apple’s iOS automatically processes data in iMessages or attachments from strangers, which could expose users to risk.
He said, “That’s a recipe for disaster.” He suggested that Apple look at implementing something similar to what Twitter and Facebook do for DMs, where messages from strangers are partly hidden and filtered into a separate window by default.
Marczak says that this is not a problem right now for iPhone users. The target list compiled by the non-profit organization Forbidden Stories focused mainly on individuals at high risk of government surveillance, including journalists such as Roula Khalaf, editor of the Financial Times, and people close to the murdered journalist Jamal Khashoggi. The potential targets also included heads of state. NSO has been repeatedly called out over the past five years after its tools were used to target Mexican lawyers, Saudi activists, and journalists around the globe. NSO, however, claims that governments use its software to catch the most serious criminals, such as terrorists and pedophiles.
Marczak warned that if Apple does not stop this from happening, zero-click iMessage attacks like these will inevitably spread to less sophisticated hackers and cybercriminals. Marczak had previously tweeted about BlastDoor, the Apple security mechanism meant to protect users against dangerous exploits; it is designed to isolate iMessage content in case it contains malicious code or links. Some of the exploits targeted the JPEG and GIF image-parsing code in ImageIO. He tweeted, “More than a dozen serious bugs had hampered ImageIO in 2021.”
Apple believes that its technology protects users against text-based attacks. The company stated that when a website link is sent via iMessage, the recipient’s device does not fetch the webpage to build a preview; it only accepts a static preview image supplied by the sender. BlastDoor treats these links as untrusted, and any code launched from such sites should run only inside a protected area of the operating system. This is intended to prevent attacks delivered through a website link.
An Apple spokesperson said in a statement: “Apple condemns all cyberattacks on journalists, human rights activists, and anyone who seeks to improve the world. Apple has been the leader in security innovation for over a decade. Security researchers have concluded that iPhone is the most secure mobile device on the market.
“Attacks such as the one described are sophisticated, expensive to develop, have a short shelf-life, and can be used to target specific people. They are not considered a threat by the vast majority of our users. However, we continue to fight for our customers and are constantly improving our protections for their data and devices.”
According to the spokesperson, Apple’s next operating system will include further enhancements designed to combat sophisticated exploits. However, he didn’t go into detail.
NSO said that reports about a leaked list of 50,000 targets were false, suggesting that the Guardian was wrong. Publications such as The Guardian and the Washington Post noted that a phone appearing on the list of possible targets does not necessarily mean that it was infected.
After reports that Khashoggi’s ex-wife, Hanan Elatr, and his fiancée, Hatice Cengiz, were both targeted, the company said its tools were not used to target them. According to reports, Khashoggi was involved with both women when he died. NSO previously stated: “Our technology was not connected in any way to the horrific murder of Jamal Khashoggi. Our technology was not used to listen to, monitor, track, or collect information about Jamal Khashoggi or any of his relatives. This claim was previously investigated and is now being presented without validation.”
The company said it would continue to investigate all credible allegations of misuse and take appropriate action based on the findings of those investigations.