The shadowy world of privately owned spyware has long alarmed cybersecurity circles, as authoritarian governments have repeatedly been caught attacking the smartphones of activists, journalists and political rivals with malware bought from unscrupulous brokers. The surveillance tools these companies provide often target iOS and Android, which seem unable to keep up with the threat. But a new report suggests the magnitude of the problem is far greater than feared — and has put additional pressure on mobile tech makers, especially Apple, from security researchers looking for solutions.
This week, an international group of investigators and journalists from Amnesty International, Forbidden Stories and more than a dozen other organizations released forensic evidence that a number of governments worldwide — including Hungary, India, Mexico, Morocco, Saudi Arabia and the United Arab Emirates — may be customers of the notorious Israeli spyware vendor NSO Group. The researchers examined a leaked list of 50,000 phone numbers of activists, journalists, executives and politicians who were all potential surveillance targets. They also specifically looked at 37 devices infected with, or targeted by, NSO’s invasive Pegasus spyware. They have even created a tool that allows you to check if your iPhone has been hacked.
NSO Group called the investigation “false allegations by a consortium of media” on Tuesday in a forcefully worded denial. A spokesperson for NSO Group said: “The list is not a list of Pegasus targets or potential targets. The numbers in the list are in no way related to the NSO Group. Any claim that any name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” NSO Group said on Wednesday it would no longer respond to questions from the media.
NSO Group is not the only supplier of spyware, but it does have the highest profile. WhatsApp sued the company in 2019 for attacks on more than 1,000 of its users. And Apple’s BlastDoor feature, introduced in iOS 14 earlier this year, was an attempt to shut down “zero-click exploits,” attacks that don’t require victims’ taps or downloads. The protection does not appear to have worked as well as intended; the company released a patch for iOS on Tuesday to address the latest round of alleged hacking by the NSO Group.
In light of the report, many security researchers say both Apple and Google can and should do more to protect their users from these advanced surveillance tools.
“It certainly presents challenges in general today with mobile device security and research capabilities,” said independent researcher Cedric Owens. “I also think that seeing both Android and iOS zero-click infections by NSO shows that motivated and well-equipped attackers can still be successful, despite the amount of control Apple applies to its products and ecosystem.”
There have long been tensions between Apple and the security community over the limits on investigators’ ability to conduct forensics on iOS devices and deploy monitoring tools. More access to the operating system could potentially help catch more attacks in real time, giving researchers a better understanding of how those attacks were built in the first place. For now, security researchers rely on a small set of indicators within iOS, plus the occasional jailbreak. And while Android is more open by nature, it also puts limits on what’s known as “observability.” Effectively fighting high-value spyware like Pegasus, some researchers say, would require access to a device’s file system, the ability to examine which processes are running, access to system logs, and other telemetry.
In this regard, Apple draws criticism precisely because it has historically provided stronger security protections for its users than the fragmented Android ecosystem.
“The truth is that we hold Apple to a higher standard precisely because they do it so much better,” said Juan Andres Guerrero-Saade, SentinelOne’s lead researcher. “Android is a free-for-all. I don’t think anyone expects Android security to improve to a point where we just need to worry about targeted attacks with zero-day exploits.”
In fact, the Amnesty International researchers say they actually had an easier time finding and investigating indicators of compromise on Apple devices targeted by Pegasus malware than on stock Android devices.
“In Amnesty International’s experience, there are significantly more forensic traces accessible to investigators on Apple iOS devices than on standard Android devices, so our methodology focuses on the former,” the group wrote in a comprehensive technical analysis of its Pegasus findings. “As a result, the most recent cases of confirmed Pegasus infections have involved iPhones.”
Part of the focus on Apple also stems from the company’s own emphasis on privacy and security in its product design and marketing.
“Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply,” said Johns Hopkins University cryptographer Matthew Green.
Even with its more open approach, however, Google has faced similar criticism over the visibility security researchers can get into its mobile operating system.
“Android and iOS have different types of logs. It’s really hard to compare them,” said Zuk Avraham, CEO of the analytics group ZecOps and a big proponent of access to mobile system information. “Everyone has an advantage, but both are equally not enough and allow threat actors to hide.”
However, Apple and Google both seem hesitant to reveal more of the digital forensic sausage making. And while most independent security researchers are advocating for the shift, some also recognize that better access to system telemetry would also help bad actors.
“While we understand that persistent logs would be more useful for forensic use, as described by Amnesty International’s investigators, they would also be useful to attackers,” a Google spokesperson said in a statement to WIRED. “We are constantly balancing these different needs.”
Ivan Krstić, chief of Apple Security Engineering and Architecture, said in a statement that “Apple unequivocally condemns cyber-attacks against journalists, human rights activists and others who want to improve the world. As a result, security researchers agree that the iPhone is the safest, most secure consumer mobile device on the market. Attacks like the attacks described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they pose no threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers and are constantly adding new protections for their devices and data.”
The trick is to strike the right balance between providing more system indicators and not accidentally making attackers’ jobs easier. “There’s a lot that Apple could do in a very secure way to enable observation and imaging of iOS devices to catch this kind of bad behavior, but that doesn’t seem to be treated as a priority,” said iOS security researcher Will Strafach. “I’m sure they have honest policy reasons for this, but it’s something I disagree with and would like to see changes in this mindset.”
Thomas Reed, director of Mac and mobile platforms at antivirus maker Malwarebytes, says he agrees that more insight into iOS would improve user protection. But he adds that allowing dedicated, trusted monitoring software comes with real risks. He points out that there are already suspicious and potentially unwanted programs on macOS that antivirus cannot completely remove because the operating system gives them this special type of system trust, possibly incorrectly. The same problem of rogue system analysis tools would almost inevitably crop up on iOS as well.
“We also continue to see malware from nation states on desktop systems being discovered after several years of undetected deployment,” Reed added. “And that’s on systems where many different security solutions are already available. Many eyes looking for this malware is better than few. I’m just concerned about what we’d have to trade for that visibility.”
The Pegasus Project, as the consortium of researchers calls the new findings, underscores the reality that Apple and Google are unlikely to solve the threat posed by private spyware vendors alone. The scale and scope of potential Pegasus targeting indicates that a global ban on proprietary spyware may be necessary.
“A moratorium on intrusion software trading is the bare minimum for a credible response — triage alone,” NSA whistleblower Edward Snowden tweeted Tuesday in response to the findings of the Pegasus Project. “Anything less and the problem gets worse.”
Amazon Web Services took its own step on Monday by closing the cloud infrastructure linked to NSO.
Whatever happens to NSO Group in particular, or the private surveillance market in general, user devices are still ultimately where clandestine targeted attacks from any source will take place. Even if Google and Apple can’t be expected to solve the problem themselves, they must continue to work on a better way forward.
This story originally appeared on wired.com.