“We identify and fix the vast majority of potential vulnerabilities before our products are even operational. No company does better.” This is how Apple describes its work on iPhone security.
Are Apple’s security engineers lacking in humility? One would tend to believe so when reading the latest revelations of Project Pegasus.
According to the investigation initiated by Forbidden Stories and conducted with 16 partners, the iPhone may not be as secure as Apple suggests.
On June 11, Claude Mangin, wife of an activist imprisoned in Morocco, received a message on iMessage, the iPhone messaging service. No ringtone, nothing on the screen. Nothing to indicate the presence of this now-famous message.
And yet that message allowed the Israeli company NSO to infiltrate her iPhone with its Pegasus software, according to a forensic analysis carried out by Amnesty International’s Security Lab. From then on, NSO had access to messages, emails, posts, photos, videos and the user’s movements, in short all the content of Claude Mangin’s iPhone. All this without any action by the owner of the device. A “zero-click” attack, as it is called in the jargon.
In order to infiltrate this iPhone, Pegasus exploited flaws in certain Apple applications, in particular Safari, Apple Music, Photos and iMessage. An embarrassment for a company that praises the high level of security of its phones.
The worm is in the Apple
One might have suspected that the security claims sounded a bit too rosy. The company has suffered some setbacks in the past.
The most publicized case is undoubtedly that of the San Bernardino massacre. At the time, Apple refused to give the FBI access to an iPhone 5 used by one of the perpetrators of the massacre. The company argued that the security of personal data was its number one priority. The FBI then ended up unlocking the iPhone 5 in question by enlisting the services of an Australian company specializing in cybersecurity. Not so secure after all, the iPhone?
Evidently not. As part of its Project Zero (a project aimed at identifying vulnerabilities in all connected devices), Google had already sounded the alarm on iMessage.
According to several other security experts, Apple’s messaging service poses a real problem for user data. The messaging service gains functionality every year, and each new line of code can represent a loophole that hackers can slip through.
In addition, the pace at which updates are deployed prevents security experts from doing their job in depth. And Apple is not among the companies that make the most use of ethical hackers to identify security vulnerabilities, quite the contrary.
As reported by France Culture, Apple’s security manager Ivan Krstic only started using this approach in 2016. The program was then interrupted because Apple was not paying enough for the work of these ethical hackers. Apple says the situation has changed since 2019. The company states:
“We pay some of the largest bounties in the industry. We have quadrupled our budget since 2019, and we have already paid millions of dollars this year.”
Denial of big stress
Faced with the evidence, Apple holds its line. “We have significantly enhanced the security of our iOS 15 operating system and will continue to do so,” the company insists.
It is true that Apple improves the security of its devices over time. BlastDoor was added to keep spyware out of iMessage. A watchdog monitors the iPhone’s operation for suspicious activity. Yet neither of these two barriers prevented NSO from doing its work.
Apple may say that all is well, but the facts indicate the opposite. Former employees say that Apple has set up a color-coded system to prioritize the correction of vulnerabilities: red for those already exploited by hackers, orange for those not yet detected. In the latter case, it sometimes takes Apple months to correct these flaws. Denial, did you say?