Apple iPhones can be compromised and their sensitive data stolen through hacking software that doesn’t require the phone’s owner to click on a link, says Amnesty International. The finding comes in the wake of reports that NSO Group’s Pegasus malware infected the devices of journalists and human rights lawyers across the world.
The international watchdog says this suggests that governments are using NSO Group software to successfully hack iPhones to spy on user data using methods unknown to Apple. While NSO claimed the tool was only to be used against criminals, a leaked list of potential targets revealed a number of journalists were also being monitored by NSO’s clients.
Amnesty International’s Security Lab documents a number of traces that reveal a Pegasus attack was attempted on iPhones and other smartphones. It appears that NSO used vulnerabilities within Apple’s software to gain access. Reports highlight that the first category of attack is network injection, where users are mysteriously redirected from one legitimate website to another. Logs in Safari’s browsing history revealed suspicious URLs being visited, evidence of a redirect that occurred barely a second after opening a webpage. Favicon databases also showed evidence of similar redirects, though not necessarily via active browsing. In one case, the Safari View Service used when previewing a link shared in a journalist’s Twitter timeline prompted the webpage load and redirect to the suspicious URL, despite not opening a separate browser.
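The redirect trace described above (a different site loading barely a second after a page was opened) can be triaged mechanically. The sketch below is an added example, not Amnesty's tooling and not code from the original article: it scans exported visit records for cross-host loads that follow the previous visit within a short gap. The record layout, the `max_gap_s` and `known_hosts` parameters, and every hostname are assumptions made for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample visits (ISO timestamp, URL). Hostnames use reserved
# example/.invalid names; none of them come from the article.
SAMPLE_VISITS = [
    ("2021-07-01T09:14:02.100", "https://news.example.org/story"),
    ("2021-07-01T09:14:02.850", "https://cdn-7f3.redirect.invalid/x?id=1"),
    ("2021-07-01T09:20:40.000", "https://mail.example.com/inbox"),
    ("2021-07-01T09:20:40.400", "https://mail.example.com/inbox/42"),
    ("2021-07-01T09:31:05.000", "https://shop.example.net/"),
    ("2021-07-01T09:33:10.000", "https://forum.example.net/thread/9"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_fast_redirects(visits, max_gap_s=1.0, known_hosts=frozenset()):
    """Return (from_url, to_url, gap_seconds) for each visit that lands on a
    different host within max_gap_s of the previous visit.

    known_hosts is an analyst-maintained allowlist (hypothetical parameter)
    for benign fast redirects such as single sign-on or link shorteners.
    Hits are leads for manual review, not proof of network injection.
    """
    # Sort by time so out-of-order exports are still compared pairwise.
    parsed = sorted((datetime.fromisoformat(ts), url) for ts, url in visits)
    hits = []
    for (t0, u0), (t1, u1) in zip(parsed, parsed[1:]):
        gap = (t1 - t0).total_seconds()
        h0, h1 = host(u0), host(u1)
        if not h0 or not h1:
            continue  # skip records without a parseable host
        if gap <= max_gap_s and h0 != h1 and h1 not in known_hosts:
            hits.append((u0, u1, round(gap, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_fast_redirects(SAMPLE_VISITS):
        print(f"{gap:.3f}s  {src}  ->  {dst}")
```

Same-host navigation inside the gap (the mail.example.com pair) is ignored, so only the first pair in the sample is reported.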
Amnesty International found evidence of a hack in an iPhone 12 running iOS 14.6, which was the most current software before Monday. According to CNBC, Apple updated its software to iOS 14.7 on Monday but has not yet released security details that could indicate whether it has fixed the exploits identified by the international watchdog. Amnesty obtained a leaked list of 50,000 phone numbers that may have been targeted by spy software made by the NSO Group.
Ivan Krstić, Apple’s head of security engineering and architecture, in a statement said Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place. “For over a decade, Apple has led the industry in security innovation and as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Krstić said. “Attacks like the one described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers and we are constantly adding new protections for their devices and data.”
Apple has made security and privacy one of its key marketing strategies, arguing its control of the operating system, and the hardware that powers it, allows Apple to deliver a higher level of security and privacy than devices made by rivals.