Human rights organizations, media, the European Union and governments were outraged Monday over revelations of global spying on activists and journalists using Israeli-designed Pegasus software NSO Group.
Introduced in a smartphone, this software allows you to retrieve messages, photos, contacts and even listen to calls … in short, to take full control, without the knowledge of its owner.
The investigation which reinforces the suspicions weighing long on this company, published Sunday by a consortium of 17 international media, is based on a list obtained by the network based in France Forbidden Stories (“prohibited stories”) and the NGO Amnesty International, with 50,000 phone numbers selected by NSO customers since 2016 for potential surveillance.
The list includes the numbers of at least 180 journalists, 600 politicians (including Emmanuel Macron), 85 human rights activists and 65 business leaders.
A “zero click” procedure
According to the consortium of journalists who worked on the case, the Pegasus spyware was able to easily infiltrate Apple’s iPhone devices. And this, despite the claims of the Apple brand, which has made safety and user confidence its priorities.
In particular: a “zero click” procedure, which does not require any action from the user (opening an email, clicking on a link …) and does not cause any display, sound, or other. How is it possible? The Pegasus software appears to have used flaws in some rare but known Apple applications.
Among them is the iMessage app – an improved texting app designed by and for Apple. Due to a security breach, it “allowed” the receipt of a “message” … which turned out to be NSO’s covert spyware.
The parasite was therefore able to access e-mails, recorded messages, accounts on social networks, contacts, photos, videos, and other audio recordings, etc.
That’s not all: in addition to the history of calls, messages but also internet browsing, Pegasus can also activate the microphone, the camera, and the GPS of the device.
Other iPhone apps like Apple Music or the Safari browser would also present such weaknesses. Apple says it corrected them.
A cat and mouse game
But the problem is the classic cat and mouse game between hackers and industrialists.
Quickly, the Israeli company NSO Group adapted to successive Apple fixes and used other services to open up breaches.
After Apple Photos, then iMessage, corrected by a security “patch”. Then there was Apple Music …
And according to Amnesty International’s cybersecurity report, the vulnerability still works on devices running iOS 14.6, 14.3 and 14.4.
A question of size
Security experts believe that the size of applications can be a problem: vulnerabilities are often the result of programming bugs. However, the more “heavy” an application is, the more it is likely to include lines of code … and therefore errors.
The Google Zero project had long documented at least one vulnerability in iMessage.
The previous “San Bernardino”
Apple has however always positioned itself as ultraprotective for its users – until refusing in 2016 to unlock a device used by one of the shooters of the San Bernardino massacre. The FBI took the time – several weeks – but still managed to unlock the device with the help of hackers from a specialized company.
Successive updates make it possible to strengthen security and “plug the holes”. Despite everything, as often with cybersecurity, more or less well-intentioned hackers manage to bypass these defenses.
A very closed system
This is the main criticism leveled at the apple brand: the full integration of its operating system allows it to control everything – security and the rest.
But it is also a source of strong opacity, and a mistrust of hackers who almost always achieve their goals. Especially those who have significant resources, like … NSO.
Android smartphones are also victims of such attacks. But the fact that the loopholes, their identification as well as their resolution, are public results in a faster and more transparent resolution of the problem.
Apple defends itself
Apple was slow to make, like its competitors, appeal to so-called “ethical” hackers, paid to identify and repair security vulnerabilities. She does now, and since 2019 claims to spend millions of dollars, “among the most important bonuses in the industry” she assures.
We have significantly enhanced the security of our iOS15 operating system and will continue to do so.
The fact remains that the brand communicates very little about this part of its activity. And that its teams dedicated to security work mainly in the shadows, depriving themselves of potentially beneficial external interventions.
But this is not the opinion of the brand: “We identify and repair the vast majority of potential vulnerabilities even before our products are in operation”, defends Apple to Radio France. “No company does better,” she insists.