Hackers load spyware on fully patched iPhones, showing no-one is safe

There is the widespread belief that not only are iPhones safer from hackers than Android handsets, but that they are completely safe and unhackable.

Every year at Pwn2Own this idea is proven wrong, but these hacks are usually in laboratory settings and not in the wild.

There has however been an increasing rise in politically motivated state-sponsored hacks, and these hackers are increasingly demonstrating no smartphone is immune from malware, and that some level of paranoia is necessary for smartphone users on any platform.

In a developing story, a large number of journalists and activists had their iPhones hacked by the Pegasus spyware, developed by Israeli hackers NSO Group.

Pegasus is delivered in a zero-click attack by a silent iMessage message, and once in place it can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories. It can even activate cameras or microphones, and listen to calls and voice mails. It can also collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.

NSO Group may have targetted 50,000 people, going by a list liberated from the company. The hack is effective even against the latest iPhones, with hackers apparently able to bypass Apple’s latest security updates over the course of a number of years, challenging the company’s reputation for security and privacy.

An investigation by Amnesty’s Security Lab of 67 smartphones found 23/34 iPhones were successfully infected, while only 3/15 Android devices were infected (though evidence maybe better hidden on those devices).

Ivan Krsti, head of Apple Security Engineering and Architecture, defended his company’s security efforts.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Reports of hacks to iPhones have grown in recent years however as security researchers have discovered evidence that attackers had found vulnerabilities in such widely used iPhone apps as iMessage, Apple Music, Apple Photos, FaceTime and the Safari browser, with iMessage playing a role in 13 of the 23 successful infiltrations of iPhones.

“They can’t make iMessage safe,” said Matthew Green, a security and cryptology professor at Johns Hopkins University. “I’m not saying it can’t be fixed, but it’s pretty bad.”

“Your iPhone, and a billion other Apple devices out-of-the-box, automatically run famously insecure software to preview iMessages, whether you trust the sender or not,” said security researcher Bill Marczak, a fellow at Citizen Lab, a research institute based at the University of Toronto’s Munk School of Global Affairs & Public Policy. “Any Computer Security 101 student could spot the flaw here.”

Apple says it severely restrict the code that an iMessage can run on a device and that it has protections against malware arriving in this way. Other messaging apps request approval before displaying messages from strangers, but since iMessage replaces SMS, which is an open protocol, this is impractical. Apple would not comment on restricting messages from senders not in a person’s address book.

Some security researchers have said Apple’s sandbox actually makes iPhones more unsafe, since it is impossible for 3rd party malware scanning apps to fully scan iPhones. What is however clearly true is that reality has proven that despite their marketing, Apple has mainly been good at offering a false sense of security.

via The Washington Post