Apple has come under pressure to collaborate with its Silicon Valley rivals to fend off the common threat of surveillance technology after a report alleged that NSO Group’s Pegasus spyware was used to target journalists and human rights activists.
Amnesty International, which analyzed dozens of smartphones targeted by clients of NSO, said Apple’s marketing claims about its devices’ superior security and privacy had been “ripped apart” by the discovery of vulnerabilities in even the most recent versions of its iPhones and iOS software.
“Thousands of iPhones have potentially been compromised,” said Danna Ingleton, deputy director of Amnesty’s tech unit. “This is a global concern—anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
Security researchers said Apple could do more to tackle the problem by working with other tech companies to share details about vulnerabilities and vet their software updates.
“Apple unfortunately does a poor job at that collaboration,” said Aaron Cockerill, chief strategy officer at Lookout, a mobile security provider. He described iOS as a “black box” compared with Google’s Android, where he said it was “much easier to identify malicious behavior.”
Amnesty worked with the journalism nonprofit group Forbidden Stories and 17 media partners on the “Pegasus Project” to identify alleged targets of surveillance.
NSO, which has said its technology was designed to target only criminal or terrorist suspects, described the Pegasus Project’s claims as “false allegations” and “full of wrong assumptions and uncorroborated theories.”
Amnesty’s research found that several attempts to steal data and eavesdrop on iPhones had been made through Apple’s iMessage using so-called zero-click attacks, which do not require the user to open a link.
Bill Marczak, research fellow at Citizen Lab, a nonprofit group that has extensively documented NSO’s tactics, said Amnesty’s findings suggested that Apple had a “major blinking red five-alarm-fire problem with iMessage security.”
A similar kind of zero-click Pegasus attack was identified using Facebook-owned WhatsApp messenger in 2019.
Will Cathcart, head of WhatsApp, called the latest disclosures a “wake-up call for security on the Internet.” In a series of tweets, he pointed to steps taken by tech companies including Google, Microsoft, and Cisco that have sought to push back against Pegasus and other commercial spyware tools.
But Apple, with whom Facebook has a long-running feud over the iPhone’s privacy controls, was absent from his list of collaborators.
“We need more companies, and, critically, governments, to take steps to hold NSO Group accountable,” Cathcart said.
While Apple does “a great job protecting consumers,” said Lookout’s Cockerill, it “should be more collaborative with firms like my own” to protect against attacks such as Pegasus.
“The big difference between Apple and Google is transparency,” Cockerill said.
Apple insisted that it did collaborate with external security researchers but chose not to publicize the activities, which included paying out millions of dollars a year in “security bounty” rewards for spotting vulnerabilities and providing its hardware to researchers.
“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple said in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” Apple continued. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”