iOS security researcher Will Strafach agrees with a recent claim that Apple can do more when it comes to combating NSO and others who exploit combat zero-day vulnerabilities in iOS.
It follows a report by Amnesty International that said that NSO spyware Pegasus was being used to mount zero-click attacks against human rights activists, lawyers, and journalists …
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted.
Johns Hopkins cryptographer says Apple can do more
Johns Hopkins associate professor and cryptographer Matthew Green said earlier this week that there are two steps Apple can take to make such attacks more difficult.
Apple will have to re-write most of the iMessage codebase in some memory-safe language, along with many system libraries that handle data parsing. They’ll also need to widely deploy ARM mitigations like PAC and MTE in order to make exploitation harder […]
Apple already performs some remote telemetry to detect processes doing weird things. This kind of telemetry could be expanded as much as possible while not destroying user privacy.
Will Strafach agrees combating NSO needs more effort
Noted security researcher and iPhone jailbreaker Will Strafach agrees that Apple doesn’t appear to be doing enough. One issue is that iOS doesn’t provide security researchers with enough access to logs and other data which would help determine how such attacks work.
There is a lot that Apple could be doing in a very safe way to allow observation and imaging of iOS devices in order to catch this type of bad behavior, yet that does not seem to be treated as a priority,” says iOS security researcher Will Strafach. “I am sure they have fair policy reasons for this, but it’s something I don’t agree with and would love to see changes in this thinking.”
Apple hasn’t added to its original statement, condemning the spyware, saying it’s not a big threat but it continues to boost security.
Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.
FTC: We use income earning auto affiliate links. More.