July 23, 2021

How Pegasus damages Apple’s security credentials

By GlobalData Thematic Research

Pegasus has highlighted the vulnerability of mobile devices, especially iPhones. Apple has always prided itself on being more secure than its competitors, requiring stricter permissions before third parties can handle customers’ data. However, the recent investigation into the Pegasus spyware exposed vulnerabilities in the company’s software and highlighted the need to make iOS more transparent.

An investigation by 17 media organisations into a massive data leak suggests widespread abuse of NSO Group’s hacking software by government customers. The military-grade spyware developed by the Israeli company has allegedly been used to hack 37 reporters, activists, executives, and two women close to murdered Saudi journalist Jamal Khashoggi. NSO says its software is intended only for use against terrorists and criminals.

Amnesty International and Forbidden Stories found that NSO’s spyware has successfully infected even the most recent generation of iPhones and Apple’s iOS software and that “thousands of iPhones have potentially been compromised.”

In particular, NSO’s spyware targeted Apple’s iMessage service and used zero-click exploits, which do not require the user to open a link or attachment. Receiving a message is enough to be infected by the malware. Apple has come under pressure to tackle the issue by working with other tech companies to share details about its vulnerabilities. However, the company has dismissed the critics, claiming that it is keeping pace with the surveillance tools used to attack its phones.

Pegasus showed that iMessage is at the core of Apple’s weakness

iMessage is one of Apple’s most popular services but also a vulnerable point. Its security was recently boosted with a feature called BlastDoor, which screens and isolates suspect messages before they can retrieve user data or damage the core OS. BlastDoor has clearly failed against Pegasus, though Apple argues that security is a dynamic field and that BlastDoor is not the end of its efforts to secure iMessage.

According to a ZDNet report, BlastDoor was developed by Apple after several security researchers pointed out that the iMessage service poorly protected incoming user data. In recent years, there have been numerous instances where both researchers and hackers have exploited bugs in iMessage to take remote control of an iPhone.

A lack of collaboration plays into the hackers’ hands

While Pegasus can attack both Android and iOS, 34 of the 37 phones examined as part of the investigation were iPhones. Apple’s iPhone is the most popular mobile device within the specific demographic targeted by NSO’s customers, i.e., journalists, politicians, and activists.

In addition, Apple’s iOS has been criticized for operating like a “black box” compared with Google’s Android. This makes Apple devices safe but harder to protect when they are attacked, because malicious behaviour is more difficult to identify than on Google’s Android. Experts mention the opacity of Apple’s iPhone as especially detrimental to its security: The Guardian reported that security researchers themselves find it very difficult to understand the iPhone’s inner workings and whether and how the device has been hacked.

Apple has also been criticized for its unwillingness to cooperate with other companies and researchers to improve security and protect against surveillance tools such as Pegasus.

In 2019 WhatsApp sued NSO, claiming Pegasus was used to hack users of WhatsApp’s encrypted chat service. Surprisingly, there’s never been any collaboration between Apple and Facebook to push back on Pegasus and other spyware tools. Quite the opposite. The two companies have even geared up for battle over data privacy and security.