It is one of the technological battles of the 21st century – in which every mobile phone user has a stake.
In one corner, Apple, which has more than a billion active iPhones being used across the world. In the other, companies such as Israel’s NSO Group, developing spyware designed to defeat the most sophisticated security and privacy measures.
And while Apple says it is keeping pace with surveillance tools that are used to attack its phones – it boasts of creating “the most secure consumer platform in the world” – research undertaken as part of the Pegasus project paints a more worrying picture.
The malware, it appears, has been one step ahead.
That, at least, is the conclusion of new technical research by Amnesty International, which suggests that even the most up-to-date iPhones running the latest operating system have still been penetrated by NSO Group’s Pegasus spyware.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
This has led to some people’s mobiles being turned into portable surveillance devices, giving complete access to numbers, text messages, photos. Everything.
The disclosure points to a problem security researchers have been warning about for years: that despite its reputation for building what is seen by millions of customers as a secure product, some believe Apple’s closed culture and fear of negative press have harmed its ability to provide security for those targeted by governments and criminals.
“Apple’s self-assured hubris is just unparalleled,” said Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See. “They basically believe that their way is the best way. And to be fair … the iPhone has had incredible success.
“But you talk to any external security researcher, they’re probably not going to have a lot of great things to say about Apple. Whereas if you talk to security researchers in dealing with, say, Microsoft, they’ve said: ‘We’re gonna put our ego aside, and ultimately realise that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we’re able to patch them.’ I don’t think Apple has that same mindset.”
The concern about the vulnerability of mobile devices is one aspect highlighted by the Pegasus project, a collaborative journalism investigation coordinated by Forbidden Stories.
With the technical support of Amnesty International, the project has investigated a leaked list of tens of thousands of mobile phone numbers – linked to both Apple and Android handsets.
While it was only possible to test a fraction of the phones that were listed for potential surveillance, the scale of what appears to have been a pool of possible targets suggests that customers of the world’s most sophisticated spyware company have not been deterred by security advances made by companies such as Apple.
Most experts agree that the iPhone’s greatest vulnerability is also one of its most popular features: iMessage, which Apple announced earlier this year it had sought to bolster. One method the company has used is to create a feature called BlastDoor, which screens suspect messages before they delve too deeply into a phone.
But even those advances have not kept iPhone users safe.
“We have seen Pegasus deployed through iMessage against Apple’s latest version of iOS, so it’s pretty clear that NSO can beat BlastDoor,” said Bill Marczak, a fellow at Citizen Lab, a cybersecurity analysts’ unit based at the University of Toronto. “Of course, developing security features is still important. Each new measure raises the cost to hack devices, which can price out less sophisticated attackers.”
According to Wardle, the security features that Apple boasts about are a double-edged sword. “iMessage is end-to-end encrypted, which means that nobody is going to see you throwing that exploit. From the attacker’s point of view, that’s lovely,” he said.
A similar problem exists on the device: unlike a Mac, or an Android phone, security researchers are denied the ability to see what their devices are actually doing.
“Once an attacker is inside, they, he or she can almost leverage the device’s security against the user,” Wardle said. “So, for example, I have no idea if my iPhone is hacked. My Mac computer on the other hand, I would say, yes, it’s an easier target, but I can look at a list of running processes, I have a firewall product that I can ask what is allowed to talk to the internet.”
That opacity may even undercut Apple’s claim that attacks “often have a short shelf life”. Because researchers find it very difficult to examine the inner workings of an iPhone, “unless the attacker is very unlucky, that implant is going to remain on the device, likely undetected”, Wardle said.
Claudio Guarnieri, the head of Amnesty’s Security Lab, said there was “no doubt” that NSO spyware could infect the most recent version of iOS. While Apple had done a lot of work to improve security, he said, it was natural the company would always fall behind thousands of attackers who were “always a step ahead”.
“There’s always going to be someone who is very talented out there, motivated by the high remuneration they get from finding these [security] issues, working in all possible ways to bypass and find workarounds to these mitigations,” Guarnieri said.
Another Citizen Lab researcher, John Scott-Railton, said it was important for companies such as Apple to defend against threats by “constantly tracking them” and anticipating what might come next. “If you don’t do that, you can’t really build a secure product, because as much as you talk about what potential threats exist against your platform, lots of clever people will find threats that you don’t know [about],” he said.
Even as Apple’s peers in the tech industry have begun to cry foul on advances by companies such as NSO, and have claimed they pose a grave threat to cybersecurity, Apple has largely stayed out of the fray. In a recent court submission filed in support of WhatsApp, the messaging app that is suing NSO Group in California, companies from Microsoft to Cisco created a coalition and filed a statement saying NSO made ordinary people less safe. Apple did not join the submission.
The partners in the Pegasus project put a series of questions to Apple.
In a statement, the iPhone maker said: “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”
Apple also said that security was a dynamic field and that its BlastDoor was not the end of its efforts to secure iMessage.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” it said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The Washington Post reporter Craig Timberg contributed to this report.
