A report released this week indicates that the problem with high-caliber spyware is much more prevalent than previously feared.

Pau Barrena | Getty Images

The dark world of private spyware has long been raising alarm in cybersecurity circles, as authoritarian governments have repeatedly been caught targeting the smartphones of activists, journalists and political rivals with malware bought from unscrupulous brokers. The surveillance tools these companies sell frequently target iOS and Android, which have apparently not been able to keep up with the threat. But a new report suggests the scale of the problem is much greater than expected, and it has put additional pressure on mobile tech makers, especially Apple, from security researchers seeking remedies.

This week, an international group of researchers and journalists from Amnesty International, Forbidden Stories and more than a dozen other organizations published forensic evidence that a number of governments around the world, including Hungary, India, Mexico, Morocco, Saudi Arabia and the United Arab Emirates, could be clients of the high-profile Israeli spyware vendor NSO Group. The researchers studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives and politicians, all of whom were potential surveillance targets. They also specifically examined 37 devices infected or targeted by NSO’s invasive Pegasus spyware. They have even created a tool so that you can check whether your iPhone has been compromised.

NSO Group called the research “false allegations by a media consortium” in a firm denial on Tuesday. An NSO Group spokesperson said, “The list is not a list of Pegasus targets or potential targets. The figures in the list are in no way related to NSO Group. Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” On Wednesday, NSO Group said it would no longer respond to media inquiries.

NSO Group is not the only spyware vendor, but it has the highest profile. WhatsApp sued the company in 2019 over what it says were attacks against more than a thousand of its users. And Apple’s BlastDoor feature, introduced in iOS 14 earlier this year, was an attempt to cut off “zero-click” exploits, attacks that require no interaction or download on the victim’s part. The protection does not seem to have worked as well as hoped; the company released an iOS patch on Tuesday to address the latest round of suspected NSO hacks.

Faced with the report, many security researchers say Apple and Google can and should do more to protect their users from these sophisticated surveillance tools.

“This clearly shows the challenges in general with mobile device security and investigative capabilities these days,” says independent researcher Cedric Owens. “I also believe that the zero-click infections on Android and iOS by NSO show that motivated and resourced attackers can still be successful despite the degree of control Apple applies to its products and ecosystem.”

Tensions have long simmered between Apple and the security community over the limits on researchers’ ability to conduct forensic investigations on iOS devices and to deploy monitoring tools. Greater access to the operating system would potentially help detect more attacks in real time and allow researchers to better understand how those attacks were constructed in the first place. For now, security researchers rely on a small set of indicators in iOS, as well as the occasional jailbreak. And while Android is more open by design, it also places limits on what is known as “observability.” Some researchers believe that effectively combating high-caliber spyware like Pegasus would require things like read access to a device’s file system, the ability to examine running processes, and access to system logs and other telemetry.

Many critics have focused on Apple in this regard, as the company has historically offered stronger security protections to its users than the fragmented Android ecosystem.

“The truth is, we’re keeping Apple at a higher level precisely because they’re doing so much better,” says Juan Andres Guerrero-Saade, senior threat researcher at SentinelOne. “Android is free for everyone. I don’t think anyone expects Android’s security to improve to a point where all we have to worry about are targeted attacks with zero-day exploits.”

In fact, Amnesty International researchers say they found it easier to find and investigate indicators of compromise on Apple devices targeted by the Pegasus malware than on those running Android.

“In Amnesty International’s experience, there is much more forensic evidence available to investigators on Apple iOS devices than on original Android devices, which is why our methodology focuses on the former,” the group wrote in a lengthy technical analysis of its Pegasus findings. “As a result, the most recent cases of confirmed Pegasus infections have involved iPhones.”

Part of the focus on Apple also stems from the company’s focus on privacy and security in the design and marketing of its products.

“Apple tries, but the problem is, they don’t try as hard as their reputation would suggest,” says Matthew Green, Johns Hopkins University cryptographer.

Even with its more open approach, Google faces similar criticisms about the visibility security researchers can get in its mobile operating system.

“Android and iOS have different types of logs. It’s really hard to compare them,” says Zuk Avraham, CEO of ZecOps Analytics Group and a long-time advocate for access to information from mobile systems. “Each has an advantage, but they are also not sufficient and allow threat actors to hide.”

Apple and Google, however, seem reluctant to reveal more about how the digital forensics sausage is made. And while most independent security researchers argue for this change, some also concede that increased access to system telemetry would help bad actors as well.

“While we understand that persistent logs would be more useful for forensic uses such as those described by Amnesty International researchers, they would also be useful for attackers,” a Google spokesperson said in a statement to WIRED. “We are continually balancing these different needs.”

Ivan Krstić, head of security engineering and architecture at Apple, said in a statement that “Apple unequivocally condemns cyberattacks against journalists, human rights activists and others who seek to make the world a better place. For more than a decade, Apple has been the industry leader in security innovation, and as a result security researchers agree that the iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While this means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data.”

The trick is to strike the right balance between offering more system telemetry and not inadvertently making it too easy for attackers to do their jobs. “There are a lot of things Apple could do in a very safe way to enable observation and imaging of iOS devices to detect this type of bad behavior, but it doesn’t seem to be treated as a priority,” says iOS security researcher Will Strafach. “I’m sure they have political reasons for this, but it’s something I don’t agree with, and I would like to see changes in that way of thinking.”

Thomas Reed, director of Mac and mobile platforms at antivirus maker Malwarebytes, says he agrees that better insight into iOS would benefit user defenses. But he adds that allowing specially trusted monitoring software would come with real risks. He points out that there are already suspicious and potentially unwanted programs on macOS that antivirus software cannot completely remove because the operating system grants them this special kind of system trust, potentially by mistake. The same problem with malicious system-scanning tools would almost inevitably arise on iOS as well.

“We also see nation-state malware all the time on desktop systems that is discovered after several years of undetected deployment,” Reed adds. “And that’s on systems where there are already a lot of different security solutions. Better than a few. I’m just worried about what we would have to trade for this visibility.”

Project Pegasus, as the consortium of researchers calls the new findings, highlights the reality that Apple and Google are unlikely to solve the threat posed by private spyware vendors alone. The scale and scope of Pegasus’ potential targeting indicates that a global ban on private spyware may be necessary.

“A moratorium on the intrusion software trade is the bare minimum for a credible response – a simple triage,” NSA surveillance whistleblower Edward Snowden tweeted on Tuesday in reaction to the Pegasus Project findings. “Anything less and the problem gets worse.”

On Monday, Amazon Web Services took its own step by shutting down cloud infrastructure linked to NSO.

Regardless of what happens to the NSO Group in particular, or the private surveillance market in general, users’ devices ultimately remain the place where covert targeted attacks from any source take place. While Google and Apple cannot be expected to solve the problem on their own, they must continue to work on a better way forward.

This story originally appeared on wired.com.
