How does Apple technology hold up against NSO spyware?

Guardian Technology 19 Jul 2021 11:00

It is one of the technological battles of the 21st century – in which every mobile phone user has a stake.

In one corner, Apple, which has more than a billion active iPhones being used across the world. In the other, companies such as Israel’s NSO Group, developing spyware designed to defeat the most sophisticated security and privacy measures.

And while Apple says it is keeping pace with surveillance tools that are used to attack its phones – it boasts of creating “the most secure consumer platform in the world” – research undertaken as part of the Pegasus project paints a more worrying picture.

The malware, it appears, has been one step ahead.

That, at least, is the conclusion of new technical research by Amnesty International, which suggests that even the most up-to-date iPhones running the latest operating system have still been penetrated by NSO Group’s Pegasus spyware.

Quick Guide: What is in the Pegasus project data?

What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.


The disclosure points to a problem security researchers have been warning about for years: that despite its reputation for building what is seen by millions of customers as a secure product, some believe Apple’s closed culture and fear of negative press have harmed its ability to provide security for those targeted by governments and criminals.

“But you talk to any external security researcher, they’re probably not going to have a lot of great things to say about Apple. Whereas if you talk to security researchers in dealing with, say, Microsoft, they’ve said: ‘We’re gonna put our ego aside, and ultimately realise that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we’re able to patch them.’ I don’t think Apple has that same mindset.”


While it was only possible to test a fraction of the phones that were listed for potential surveillance, the scale of what appears to have been a pool of possible targets suggests that customers of the world’s most sophisticated spyware company have not been deterred by security advances made by companies such as Apple.

But even those advances have not kept iPhone users safe.

A similar problem exists on the device itself: unlike on a Mac or an Android phone, security researchers are denied the ability to see what their iPhones are actually doing.

That opacity may even undercut Apple’s claim that attacks “often have a short shelf life”. Because researchers find it very difficult to examine the inner workings of an iPhone, “unless the attacker is very unlucky, that implant is going to remain on the device, likely undetected”, Wardle said.

Another Citizen Lab researcher, John Scott-Railton, said it was important for companies such as Apple to defend against threats by “constantly tracking them” and anticipating what might come next. “If you don’t do that, you can’t really build a secure product, because as much as you talk about what potential threats exist against your platform, lots of clever people will find threats that you don’t know [about],” he said.

The partners in the Pegasus project put a series of questions to Apple.

Apple also said that security was a dynamic field and that its BlastDoor was not the end of its efforts to secure iMessage.

The Washington Post reporter Craig Timberg contributed to this report.
