There was a time – not very long ago – when only tech specialists had heard of spy software like Pegasus. But if you go to a party these days, there’s a decent chance that the guests will end up talking about tapped iPhones. And it’s hard to think of a more obvious sign that something has gone seriously wrong for Apple.
The frightening thing about the Pegasus revelations is the idea of unseen surveillance. Obviously, Pegasus developer NSO and the countries using its software are more interested in the contents of phones belonging to heads of state, activists and political journalists than those of the average iPhone owner – but it’s a scary thought that they could take a look if they wanted. (If you’re worried, read how to check if your iPhone is infected by NSO’s Pegasus spyware.)
Pegasus can be, and has been, used on Android phones, but considerably more attention has been paid to the fact that it works on iPhones. The Washington Post describes how the iPhone 11 of the wife of a Moroccan dissident was hacked by means of an iMessage sent to her: a so-called zero-click attack that took place while she was in France. Even updating to the latest version of iOS appears to offer no protection.
Perhaps this preoccupation with the iPhone is a little unfair on Apple, which always seems to cop more than its fair share of negative headlines (on Macworld US the Macalope pushes back on this perception and calls the threat “much ado about Android”) but it’s also not totally unwarranted, because the Cupertino company itself has worked so hard to create an image of the iPhone as the ultimate paragon of security and privacy.
Ingenious hackers or careless Apple?
In the recent past, the iPhone was considered largely safe from attacks by hackers and governmental secret services: even lawyers and journalists trusted, too naively, Apple’s promise that nobody could access the data on their devices. But the relevant question is not how that happened; the question is whether you can blame Apple. Is Apple simply the victim of ingenious hackers, or could we accuse Cupertino of a mixture of false advertising promises, negligence and greed?
There have already been reactions from Apple: Cupertino denies that the threat affects many users. The attacks are too sophisticated for that, according to Ivan Krstić, Apple’s head of security engineering and architecture. The attack methods reported have a very short lifespan and cost millions to develop. As a result, only a small number of high-value individuals would be attacked in this way; it would not pose a threat to the vast majority of users.
That argument is not entirely wrong. The database of 50,000 telephone numbers does not allow watertight conclusions to be drawn about the number of people being monitored, but it’s believed that NSO’s approximately 60 customers have almost a hundred people monitored each year.
These relatively low numbers will be of little consolation, however, to victims such as Hatice Cengiz, Jamal Khashoggi’s fiancee. According to analysis by Amnesty International’s Security Lab, Cengiz’s iPhone was hacked several times just four days after the journalist and dissident was murdered – although NSO denies this.
Like many iPhone users, Cengiz will have asked why she was told the device was safer than other phones. Apple has repeatedly promised a high level of data security. Some people wonder whether these are empty promises.
Problems with iMessage
Pegasus does not use third-party programs to access iPhones. The victims are often attacked via Apple apps such as Messages (iMessage), Apple Music, Photos, FaceTime and Safari, and the research by Amnesty International shows that it’s iMessage that provides the vulnerabilities used by the hackers.
According to experts, Apple has great difficulty removing vulnerabilities from iMessage. One reason seems to be that the app is constantly being given new functions such as Memoji and stickers, which continuously create new potential points of attack – each new function makes the app more attractive to users but also more susceptible to hackers. Some convenient aspects also make attacks easier: for example, the fact that a stranger can, plausibly, send you a message.
Apple knows about these problems. To deal with them it leans on new security features such as BlastDoor, which automatically checks image files and web previews and is intended to protect against malware.
But BlastDoor may not be enough. Some security experts recommend disabling iMessage entirely.
Dealing with vulnerabilities
There is obviously room for improvement in dealing with vulnerabilities.
Apple runs a bug bounty programme, offering to pay independent researchers who report system flaws. This is a sensible idea, but Apple seems stingy and hesitant in the way it deals with bug reports. The developer Nicolas Brunner, for example, has described the programme as a lie; he reported a bug to Apple, the process dragged on for 14 months, and the report was ultimately ignored. “As of today,” he writes, “Apple refuses any bounty payment, although the report at hand very clearly qualifies according to their own guidelines.”
This is especially egregious because researchers who find iOS flaws know they can get paid by the other side. The companies that NSO works with will pay big rewards for iOS vulnerabilities.
Apple often gets in its own way. For example, the company’s marketing department is believed to pose an obstacle to consistently high security standards because – according to a former employee – it insists on the use of certain predetermined messages when communicating with external security experts.
Apple is of course not the only smartphone manufacturer under attack. As mentioned earlier, Pegasus didn’t spare Android smartphones. In fact, the effect on Android can be worse, because the traces of Pegasus are more difficult to identify on that platform. This may be why iPhones were so prominent among identified cases.
But what can Apple do? The company appears to have been careless in directing a firehose of new features at iMessage, and needs to make its chat app more secure. Its relationship with security researchers could be improved with a tiny financial outlay and a little goodwill when vulnerabilities are discovered.
It may be worthwhile for Apple to set up an active vulnerability-searching organisation in the vein of Google’s Threat Analysis Group. With such an organisation, Apple could not only provide more security, but also improve its image. However, Apple’s marketing department would probably veto the plan – which gives an idea of the fundamental problem.
This article originally appeared on Macwelt. Translation by David Price.