Apple has come under pressure to collaborate more with its Silicon Valley rivals in order to fend off the common threat of surveillance technology, after a report alleged that NSO Group’s Pegasus spyware was used to target journalists and human rights activists.
Amnesty International, which analysed dozens of smartphones targeted by clients of NSO, said Apple’s marketing claims about its devices’ superior security and privacy had been “ripped apart” by the discovery of vulnerabilities in even the most recent versions of its iPhones and iOS software.
“Thousands of iPhones have potentially been compromised,” said Danna Ingleton, deputy director of Amnesty’s tech unit. “This is a global concern — anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
Security researchers say that Apple could do more to tackle the problem by working with other tech companies to share details about vulnerabilities and vet their software updates.
“Apple unfortunately do a poor job at that collaboration,” said Aaron Cockerill, chief strategy officer at Lookout, a mobile security provider, describing iOS as a “black box” compared with Google’s Android, where it is “much easier to identify malicious behaviour”.
Amnesty worked with the journalism non-profit Forbidden Stories and 17 media partners on the “Pegasus Project” to identify alleged targets of surveillance.
NSO, which says its technology was designed only to target criminal or terrorist suspects, has described the Pegasus Project’s claims as “false allegations” and “full of wrong assumptions and uncorroborated theories”.
Amnesty’s research found that several attempts to steal data and eavesdrop on iPhones had been made through Apple’s iMessage using so-called “zero-click” attacks, which work without the user needing to tap a link.
Bill Marczak, research fellow at Citizen Lab, a non-profit group that has extensively documented NSO’s tactics, said Amnesty’s findings suggested that Apple had a “major blinking red five-alarm-fire problem with iMessage security”.
A similar kind of “zero-click” Pegasus attack was identified using Facebook-owned WhatsApp messenger in 2019.
Will Cathcart, head of WhatsApp, called the latest disclosures a “wake-up call for security on the internet”. In a series of tweets, he pointed to steps from tech companies including Google, Microsoft and Cisco that have sought to push back against Pegasus and other commercial spyware tools.
But Apple, with whom Facebook has a long-running feud over the iPhone’s privacy controls, was absent from his list of collaborators.
“We need more companies, and, critically, governments, to take steps to hold NSO Group accountable,” Cathcart said.
While Apple does “a great job protecting consumers”, said Lookout’s Cockerill, it “should be more collaborative with firms like my own” to protect against attacks such as Pegasus.
“The big difference between Apple and Google is transparency,” Cockerill said.
Apple insisted it did collaborate with external security researchers, but chose not to publicise the activities. That included paying out millions of dollars a year in “security bounty” rewards for spotting vulnerabilities and providing its hardware to researchers.
“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple said in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple continued. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”