Apple has come under pressure to work more closely with its Silicon Valley rivals to defend the common threat of surveillance technology, following a report that said NSO Group’s Pegasus spyware was being used by journalists and activists to human rights.
Amnesty International, which has analyzed dozens of smartphones aimed at NSO customers, said Apple’s marketing claims about the superior security and privacy of its devices have been “ripped” by the discovery of vulnerabilities even in the latest versions of their iPhones and their iOS software.
“Thousands of iPhones have been potentially compromised,” said Danna Ingleton, deputy director of Amnesty’s technology unit. “This is a global concern – everyone and everyone is in danger, and even the tech giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
Security researchers say Apple could do more to address the problem by working with other technology companies to share details about vulnerabilities and check their software updates.
“Unfortunately Apple does a poor job at this collaboration,” said Aaron Cockerill, chief strategy officer of Lookout, a mobile security provider, which describes iOS as a “black box” compared to Google’s Android, where it is “much easier to identify malicious behaviors.”
Amnesty has worked with nonprofit journalism Forbidden stories and 17 media partners on the “Pegasus Project” to identify alleged surveillance targets.
NSO, which says its technology was designed solely to target criminal or terrorist suspects, described the Pegasus Project’s claims as “false accusations” and “full of misleading assumptions and unconfirmed theories.”
Amnesty research found that several attempts to steal data and listen to the iPhone were made through Apple’s iMessage with attacks called “zero-clicks,” which work without the user having to touch a link.
Bill Marczak, a research fellow at Citizen Lab, a nonprofit group that has documented many of NSO’s tactics, said Amnesty’s findings suggested that Apple had a “fire problem of 5 major red light alarms with the iMessage security “.
A similar type of “zero-click” Pegasus attack has been identified with Facebook-owned WhatsApp messenger in 2019.
Cathcart, head of WhatsApp, called the latest disclosures a “wake-up call for Internet security.” In a series of tweets, he pointed to steps by technology companies including Google, Microsoft and Cisco that have sought to push against Pegasus and other commercial spyware tools.
But Apple, with whom Facebook has a long-running dispute over iPhone privacy controls, was absent from its list of collaborators.
“We need more companies, and, critically, governments, to take steps to make NSO Group accountable,” Cathcart said. he said.
While Apple does “a great job of protecting consumers,” Lookout’s Cockerill said, “it should be more in partnership with companies like mine” to protect it from attacks like Pegasus.
“The big difference between Apple and Google is transparency,” Cockerill said.
Apple has insisted it has collaborated with external security researchers, but has chosen not to publicize the activity. That included paying millions of dollars a year in “security rewards” for recovering vulnerabilities and providing their hardware to researchers.
“For more than a decade, Apple has led the industry in security innovation and, as a result, security researchers have accepted that the iPhone is the safest and most secure mobile device on the market,” Apple said in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple continued. “While that means we are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers, and are constantly adding new protections to their devices and data.”