Journalists' iPhones hacked as Apple no match for Pegasus spyware

Apple can’t protect against Israel’s NSO spyware: How the Pegasus surveillance tool hacked iPhones belonging to journalists and activists around the globe

  • Apple has long touted iPhone’s superior security features compared to Androids
  • A new report indicates even the most recent iPhones can fall victim to spyware
  • Of 37 phones either infected or attacked by Pegasus, all but three were iPhones
  • Vulnerabilities were found in iMessage, WhatsApp and Photo, among other locations 
  • Amnesty International said potentially thousands of iPhones were compromised 
  • Apple says Pegasus attacks ‘are not a threat to the overwhelming majority of our users’ 
  • It recently added BlastDoor, which isolates and ‘unpacks’ suspicious iMessages 

While Apple touts the security and privacy of its iPhones, shocking new evidence indicates malware deployed by authoritarian regimes around the world was easily able to overcome even the most current security defenses.

In a damning new report, Amnesty International and Paris-based Forbidden Stories, which publishes the work of threatened journalists, claim they found so-called ‘zero-click’ attacks running this month on a fully updated iPhone 12 running iOS 14.6, Apple’s most recent upgrade.

Unlike other forms of malware, zero-click attacks don’t require any interaction from the victim. 

The report found Pegasus, a spyware program developed by Israeli company NSO, on an unnamed Indian journalist’s iPhone XR this month running on iOS 14.6. 

The malware was also found this month on an activist’s iPhone X with the same upgrade.

‘These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS,’ the report indicated, adding that ‘thousands of iPhones have potentially been compromised.’ 

Amnesty and Forbidden Stories say they have reported their findings to Apple, ‘who informed us they are investigating the matter.’

Scroll down for video 

A new report from Amnesty International and Forbidden Stories reveals iPhones are vulnerable to attacks by Pegasus spyware, which can be disguised in a text message from a contact and requires no interaction from the victim

In an independent review, Citizen Lab confirmed NSO’s Pegasus spyware was deployed on an iPhone 12 Pro Max running iOS 14.6.

It also identified zero-click iMessage attacks installing Pegasus on an iPhone SE2 phone running iOS 14.4 and an iPhone SE2 device running iOS 14.0.1, Bleeping Computer reported.

The Washington Post reports that an iPhone 11 belonging to Claude Mangin was among those compromised.

Mangin is the French wife of Naama Asfari, a Saharawi activist working for self-determination in Western Sahara who has spent 10 years jailed as a political prisoner in Morocco.

While Apple has long touted the iPhone’s superior security compared to Androids, 34 out of 37 phones that were infected with Pegasus were iPhones

The spyware attack ‘made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems,’ the Post reported.

Mangin had believed using Apple smartphones would keep her safer from hackers, but Pegasus also showed up on an iPhone 6s she borrowed after learning her main phone was compromised.

The findings are a major blow to Apple’s reputation for superior security compared other smartphones.

According to the report, Amnesty’s Security Lab examined 67 smartphones whose numbers were among the 50,000 that appeared on the leaked list and found ‘evidence of Pegasus infections or attempts at infections’ in 37 of them.

Of those, all but three were iPhones—23 showed signs of a successful Pegasus infection and 11 showed signs of attempted infection.

While its not entirely clear how Pegasus conducts its ‘zero-click’ attacks, experts believe functions including Photos, WhatsApp, iMessage and Apple Music are vulnerable and can give the program access to victims’ location, videos and photos, messages, contact list and more

Amnesty investigators said the relatively little evidence of attempted ‘zero-click’ attacks on Android phones is mostly likely because Android’s records ‘are not comprehensive enough to store the information needed for conclusive results,’ the Post reported.    

In a statement to DailyMail.com, Apple said Pegasus attacks ‘are not a threat to the overwhelming majority of our users.’

‘For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,’ the company said. 

‘Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.’ 

Nevertheless  the firm promised to continue ‘to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.’ 

Apple recently boosted iMessage security with a feature called BlastDoor, which isolates and ‘unpacks’ suspicious messages before they can retrieve user data or damage the core operating system. 

BlastDoor was developed by Apple  ‘after several security researchers had pointed out in the past that the iMessage service was doing a poor job of sanitizing incoming user data,’ ZDNet reported, citing numerous instances in recent years where both researchers and hackers exploited bugs in iMessage to take remote control of an iPhone ‘just by sending a simple text, photo, or video to someone’s device.’        

‘We have seen Pegasus deployed through iMessage against Apple’s latest version of iOS, so it’s pretty clear that NSO can beat BlastDoor,’ Citizen Lab’s Bill Marczak told The Guardian. ‘Of course, developing security features is still important. Each new measure raises the cost to hack devices, which can price out less sophisticated attackers.’ 

Pegasus was found on iPhone 12s with iOS 14.6, the most recent upgrade. Its believed authoritative regimes are using the spyware to track journalists, activists and rival politicians

Other points of entry for Pegasus may be through WhatsApp, Apple Music and Photos, Apple Insider reported.

Processes called “bh” have been linked to Pegasus installations and evidence shows, in some cases, an Apple process for the Photos app called ‘mobileslideshow’ was used before a ‘bh’ process was deployed.   

Devices that are successfully hacked by Pegasus are effectively turned into 24-hour monitoring devices, allowing whoever sent the virus to keep constant tabs on them.

Hackers are given full access to all the phone’s data, including previous text messages and contact lists, along with stored audio, video and photo files.

They are able to take over the phone’s camera to record video, turn on the microphone to record audio, and can record any new calls made or received.

Hackers can even access the phone’s location data to see where the owner has been and potentially who they met with.

NSO Group, a private Israeli firm, maintains Pegasus is made available to law enforcement and military and intelligence agencies from countries with good human rights records in order to track terrorists and other criminals.

Apple recently boosted iMessage security with a feature called BlastDoor, which isolates and ‘unpacks’ suspicious messages before they can retrieve user data or damage the core operating system

But among the numbers on the list are journalists for media organizations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America.

The Washington Post said phone numbers also belonged to heads of state and prime ministers, members of Arab royal families, diplomats and politicians, as well as activists and business executives.

The list did not identify which clients had entered the numbers on it, but the report said many were clustered within 10 countries—Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

In a response, NSO criticized the report as ‘full of wrong assumptions and uncorroborated theories.’

NSO criticized a new report by Amnesty International that its spyware program Pegasus was being used to track journalists and activists, calling it ‘full of wrong assumptions and uncorroborated theories’

‘Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones,’ the company said. 

‘Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.’ 

NSO stipulated it would nonetheless ‘continue to investigate all credible claims of misuse and take appropriate action.’

After a year of flight control system development and mechanical design and then 6 months build, we’re really happy to…

HOW DOES PEGASUS WORK?

Pegasus is a powerful piece of ‘malware’ – malicious computer software – developed by private Israeli security firm NSO Group.

This particular form of malware is known as ‘spyware’, meaning it is designed to gather data from an infected device without the owner’s knowledge and forward it on to a third party.

While most spyware is limited in scope – harvesting data only from specific parts of an infected system – Pegasus appears much more powerful, allowing its controller near-unlimited access to and control over an infected device.

This includes accessing contact lists, emails, and text messages, along with stored photos, videos and audio files.

Pegasus can also be used to take control of the phone’s camera or microphone to record video and audio, and can access GPS data to check where the phone’s owner has been.

And it can also be used to record any new incoming or outgoing phone calls. 

Early versions of the virus infected phones using crude ‘phishing’ attacks in which users are conned into downloading the virus on to their own phones by clicking on a malicious link sent via text or email.

But researchers say the software has become much more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called ‘zero-click’ attacks which can infect devices without the user doing anything.

For example, in 2019 WhatsApp revealed that 1,400 people had been infected by NSO Group software using a so-called ‘zero day’ fault – a previously unknown error – in the call function of the app.

Users were infected when a call was placed via WhatsApp to their phones, whether they answered the call or not.

More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. 

Apple says it is continually updating its software to prevent such attacks, though human rights group Amnesty says it has uncovered successful attacks on even the most up-to-date iOS systems – carried out this month.

NSO Group says that Pegasus can also be installed on devices using wireless transceivers located near the target, or can be booted directly on to the device if it is stolen first.  

Source: Read Full Article