Amnesty International has revealed that NSO Group, an Israeli ‘surveillance as a service’ company, has created and sold a nasty iMessage attack that can be used to spy on journalists, activists, and political representatives using their iPhones.
A zero-click hack attack
What makes this latest attack particularly dangerous is its exploitation of zero-click vulnerabilities, meaning targets don’t even need to read or open the iMessage carrying the hack. Amnesty says all iPhones and iOS updates are vulnerable to the exploit, which gives attackers “complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.”
“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart,” Danna Ingleton, deputy director of Amnesty Tech, said in a statement. “Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised.
Bill Marczak, a research fellow at academic research lab Citizen Lab, has found evidence to suggest NSO Group continues to develop its spyware product. He calls this a “MAJOR blinking red five-alarm-fire problem with iMessage security.”
You can read Amnesty’s full technical details concerning its investigation into the exploit here.
Who is under attack?
Amnesty has identified at least 180 journalists in 20 nations who were targeted, including in Azerbaijan, Hungary, India and Morocco. The list even includes the editor of the Financial Times.
The report also claims to have found evidence that Pegasus was used by Saudi operatives to target family members of murdered Saudi journalist Jamal Khashoggi. NSO Group denies this, though it is unclear how it would know this for certain, given it also claims to have no access to the data of its customer’s targets.
It says its own internal investigation confirmed its tech wasn’t used against Khashoggi. I suppose it comes down to how deeply you trust a private company that sells surveillance as a service.
Who do you trust?
Amnesty doesn’t think much of the rebuttal. “NSO claims its spyware is undetectable and only used for legitimate criminal investigations,” said Etienne Maynier, a technologist at Amnesty International’s Security Lab. “We have now provided irrefutable evidence of this ludicrous falsehood.”
“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media,” said Agnès Callamard, secretary general of Amnesty International. “It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice.”
As you might expect, Apple has responded to the news. Security engineering chief Ivan Krstić said in a statement: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
Apple’s privacy war needs you
All of this is true, of course. Apple continues to improve security across all its platforms and its position on privacy is crystal clear — it wants privacy baked in across its ecosystem.
Apple CEO Tim Cook warned in 2018:
“We see vividly—painfully—how technology can harm rather than help. Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies. Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false.”
Despite Apple’s work, the latest revelations show that well-financed state actors of various stripes can find ways through its walls. But as fresh attacks are identified the company seems to do a reasonable job of blocking them.
Meanwhile, repressive governments in a multitude of hues continue to try to force tech firms to create security back doors in their products. There are clear arguments against this: human rights and democratic dialogue will erode while significant financial, ransomware, and infrastructure attacks would be enabled as information on those designed-in vulnerabilities inevitably spreads.
NSO Group is an interesting illustration of this. The company invests in identifying vulnerabilities that it should, as a responsible entity, disclose. Instead, it uses these to undermine platform security, then sells those tools to international clients at a profit with what seems to be minimal oversight.
I see this as a triumph for surveillance capitalism. The company argues that it only deals with “legitimate” government agencies and “firmly denies” Amnesty’s recent claims.
However, in the wake of the Snowden revelations and the socially corrosive impact of abuse of social media in the form of Cambridge Analytica and others, alongside the rapid expansion of the entire ‘surveillance as an unregulated private service’ industry, one can’t help but wonder what constitutes a “legitimate” government agency?
And what happens when government’s change?
Amnesty International’s Callamard instead says: “The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril.”
We need to take back control
In statements that should be a chilling echo for privacy advocates, she adds: “These revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.”
Apple seems to agree. Apple’s Craig Federighi, senior vice president for software engineering, has said: “Never before has the right to privacy — the right to keep personal data under your own control — been under assault like it is today. As external threats to privacy continue to evolve, our work to counter them must, too.”
Tools such as those sold at a profit by NSO will enable more criminal and terrorist activity than they prevent.
The battle to secure the internet and to protect users and their privacy has never seemed so critical, particularly as wider society handles the twin threats of pandemic and climate change.
Copyright © 2021 IDG Communications, Inc.