Apple’s iPhone Can Be Hacked by ‘Pegasus’ Spyware: Researchers

Image via The Guardian

In a series of tweets on Sunday, security analyst Bill Marczak warned Apple of the dangers of ‘Pegasus’, a piece of spyware created by Israeli cyber intelligence firm NSO Group that is capable of accessing, taking over, and extracting sensitive information from an iPhone without the user knowing or even doing anything to enable the infiltration (@billmarczak).

Pegasus is what’s known as a “zero-click” exploit — unlike other malicious programs that rely on dubious methods to trick the user into ‘letting them in’, Pegasus doesn’t need the user to do anything. With Pegasus, an attack can be successfully carried out with a mere iMessage text or WhatsApp call (even one the target doesn’t receive).

What makes Pegasus even more dangerous is that it is capable of finding and taking advantage of previously unknown zero-day vulnerabilities within iOS, and has more than just one or two avenues of attack.

Pegasus works by pushing malicious packets of data to a target device that force it into installing and deploying the spyware, no user interaction required. Once it has been deployed, Pegasus gains ‘root privileges’ to the device, giving it more access and authority than even the user.

Pegasus’s arsenal is frighteningly expansive. After successfully infiltrating a device, it can not only access and retrieve sensitive information like SMS messages, emails, messages from third-party communication apps like WhatsApp, images, videos, contacts, GPS data, and more, but also activate the microphone and camera, and even record calls.

The spyware has had confirmed involvement in a recent attack against journalists, as well as a previous attack against WhatsApp users.

Research teams at Amnesty Tech (@AmnestyTech) and Citizen Lab (@citizenlab) have independently confirmed that iOS 14.6, the latest publicly available firmware build for the iPhone, can be hacked into with a zero-click iMessage exploit using Pegasus.

In addition, both research teams also found instances of Pegasus attacks against iOS devices in the wild as recently as this month.

Apple’s BlastDoor Framework, introduced in iOS 14 to sure up iMessage security and deal with zero-click exploits like the previously rampant ImageIO vulnerability, is, unfortunately, powerless against Pegasus attacks.

“BlastDoor is a great step, to be sure, but it’s pretty lame to just slap sandboxing on iMessage and hope for the best,” said Marczak.

The whole situation is “a MAJOR blinking red five-alarm-fire problem” for Apple, warned the security expert. Apple has never been modest about its industry-leading device security, and customers that pay the iPhone maker a hefty premium for peace of mind are understandably not happy right now.

With another zero-day vulnerability that breaks Wi-Fi connectivity on iPhones currently making the rounds, it looks like Apple just can’t catch a break. Apple seems to have patched the Wi-Fi exploit in iOS 14.7 (which is currently in beta), but Pegasus remains a (gargantuan) threat.

Apple responded to the widespread reports of Pegasus breaking iPhone security by releasing the following statement to The Guardian:

“Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”

Apple added it continues to secure iMessage and its Blastdoor security feature (which screens messages for threats) is not the end of its security mission for the messaging service.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” said Apple. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

P.S. - Like our news? Support the site with a coffee/beer. Or shop with our Amazon link. We use affiliate links when possible--thank you for supporting independent media.