It is one of the technological battles of the 21st century – in which every mobile phone user has a stake.
In one corner, Apple, which has more than a billion active iPhones being used across the world. In the other, companies such as Israel’s NSO Group, developing spyware designed to defeat the most sophisticated security and privacy measures.
And while Apple says it is keeping pace with surveillance tools that are used to attack its phones – it boasts of creating “the most secure consumer platform in the world” – research undertaken as part of the Pegasus project paints a more worrying picture.
The malware, it appears, has been one step ahead.
That, at least, is the conclusion of new technical research by Amnesty International, which suggests that even the most up-to-date iPhones running the latest operating system have still been penetrated by NSO Group’s Pegasus spyware.
This has led to some people’s mobiles being turned into portable surveillance devices, giving complete access to numbers, text messages, photos. Everything.
The disclosure points to a problem security researchers have been warning about for years: that despite its reputation for building what is seen by millions of customers as a secure product, some believe Apple’s closed culture and fear of negative press have harmed its ability to provide security for those targeted by governments and criminals.
“Apple’s self-assured hubris is just unparalleled,” said Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See. “They basically believe that their way is the best way. And to be fair … the iPhone has had incredible success.
“But you talk to any external security researcher, they’re probably not going to have a lot of great things to say about Apple. Whereas if you talk to security researchers in dealing with, say, Microsoft, they’ve said: ‘We’re gonna put our ego aside, and ultimately realise that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we’re able to patch them.’ I don’t think Apple has that same mindset.”
The concern about the vulnerability of mobile devices is one aspect highlighted by the Pegasus project, a collaborative journalism investigation coordinated by Forbidden Stories.
With the technical support of Amnesty International, the project has investigated a leaked list of tens of thousands of mobile phone numbers – linked to both Apple and Android handsets.
While it was only possible to test a fraction of the phones that were listed for potential surveillance, the scale of what appears to have been a pool of possible targets suggests that customers of the world’s most sophisticated spyware company have not been deterred by security advances made by companies such as Apple.
Most experts agree that the iPhone’s greatest vulnerability is also one of its most popular features: iMessage, which Apple announced earlier this year it had sought to bolster. One method the company has used is to create a feature called BlastDoor, which screens suspect messages before they delve too deeply into a phone.
But even those advances have not kept iPhone users safe.
“We have seen Pegasus deployed through iMessage against Apple’s latest version of iOS, so it’s pretty clear that NSO can beat BlastDoor,” said Bill Marczak, a fellow at Citizen Lab, a cybersecurity analysts’ unit based at the University of Toronto. “Of course, developing security features is still important. Each new measure raises the cost to hack devices, which can price out less sophisticated attackers.”
According to Wardle, the security features that Apple boasts about are a double-edged sword. “iMessage is end-to-end encrypted, which means that nobody is going to see you throwing that exploit. From the attacker’s point of view, that’s lovely,” he said.
A similar problem exists on the device: unlike a Mac, or an Android phone, security researchers are denied the ability to see what their devices are actually doing.
“Once an attacker is inside, they, he or she can almost leverage the device’s security against the user,” Wardle said. “So, for example, I have no idea if my iPhone is hacked. My Mac computer on the other hand, I would say, yes, it’s an easier target, but I can look at a list of running processes, I have a firewall product that I can ask what is allowed to talk to the internet.”
That opacity may even undercut Apple’s claim that attacks “often have a short shelf life”. Because researchers find it very difficult to examine the inner workings of an iPhone, “unless the attacker is very unlucky, that implant is going to remain on the device, likely undetected”, Wardle said.
Claudio Guarnieri, the head of Amnesty’s Security Lab, said there was “no doubt” that NSO spyware could infect the most recent version of iOS. While Apple had done a lot of work to improve security, he said, it was natural the company would always fall behind thousands of attackers who were “always a step ahead”.
“There’s always going to be someone who is very talented out there, motivated by the high remuneration they get from finding these [security] issues, working in all possible ways to bypass and find workarounds to these mitigations,” Guarnieri said.
Another Citizen Lab researcher, John Scott-Railton, said it was important for companies such as Apple to defend against threats by “constantly tracking them” and anticipating what might come next. “If you don’t do that, you can’t really build a secure product, because as much as you talk about what potential threats exist against your platform, lots of clever people will find threats that you don’t know [about],” he said.
Even as Apple’s peers in the tech industry have begun to cry foul on advances by companies such as NSO, and have claimed they pose a grave threat to cybersecurity, Apple has largely stayed out of the fray. In a recent court submission filed in support of WhatsApp, the messaging app that is suing NSO Group in California, companies from Microsoft to Cisco created a coalition and filed a statement saying NSO made ordinary people less safe. Apple did not join the submission.
The partners in the Pegasus project put a series of questions to Apple.
In a statement, the iPhone maker said: “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”
Apple also said that security was a dynamic field and that its BlastDoor was not the end of its efforts to secure iMessage.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” it said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The Washington Post reporter Craig Timberg contributed to this report.