Image: James Martin/CNET

The iPhone has always been lauded for its tight security and privacy controls, especially compared with Android devices. But that reputation took a hit this week with the revelation that a spyware program ostensibly used to hack into the phones of criminals and terrorists was abused by certain authoritarian governments to compromise the iPhones of journalists, activists and other prominent people.

SEE: How to migrate to a new iPad, iPhone, or Mac (TechRepublic Premium)

Amnesty International just announced the results of analysis conducted by it and journalist advocacy and media group Forbidden Stories. The findings indicated that the Pegasus spyware program sold by surveillance company NSO Group was able to infect iPhone 11 and iPhone 12 models through zero-click attacks in the iOS iMessage app.

Based on a data leak of more than 50,000 phone numbers, Amnesty’s Security Lab analyzed 67 smartphones and found Pegasus infections or attempted infections on 37 of them, according to The Washington Post.

Thousands of Android phone users had also been targeted, according to Amnesty. But in contrast to iOS, Google’s Android operating system doesn’t retain the usable logs needed to detect the Pegasus spyware infection. The iPhone 11 and 12 models were outfitted with the latest update, namely iOS 14.6 at the time, which was released on May 24, 2021.

Sold by NSO Group to governments, the Pegasus software is considered a form of mobile malware by security firm Lookout, and one that allows its operators to obtain GPS coordinates, text messages, photos, emails and encrypted chats from apps like WhatsApp and Signal. Pegasus is also able to record phone calls and turn on the microphone and camera without the user’s knowledge.

Since its discovery by Lookout and Citizen Lab in 2016, Pegasus has gotten smarter. The program can now run on a targeted device without requiring any interaction by the user. This means the operator of the spyware can send it directly to a phone through SMS, email, social media and certain types of apps.

Pegasus sounds like a serious threat to people who have been targeted by its operators. But how grave a danger is it to the security and privacy of the average iPhone owner?

On one side is the NSO Group, which has criticized the findings of Amnesty and Forbidden Stories. In an update on its website, the group said that the report is “full of wrong assumptions and uncorroborated theories,” adding that it denies the false allegations.

“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.”

On another side is Apple, which has been put in the position of having to defend the security of its flagship phone and explain how its core messaging app could be vulnerable to this type of exploit. The following statement shared with TechRepublic and attributable to Apple Security Engineering and Architecture head Ivan Krstić walks the fine line of condemning the malicious use of Pegasus but painting the incident as one that wouldn’t affect the average person.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

However, Apple’s statement that it’s “constantly adding new protections” could be a sign that the company does see this as a security threat and may be working on a fix for a future update to iOS. At the very least, the company should be taking this seriously.

“It’s clear that the iOS iMessage service is a bit of a mess from a security perspective,” said Oliver Tavakoli, CTO at security firm Vectra. “Apple has added more and more functionality to it—and every piece of functionality comes with the potential for exploitable vulnerabilities. Also, the fact that iMessage does not distinguish how it handles inbound messages from known contacts versus perfect strangers opens phones up to exploitation from anywhere.”

And on yet another side are Amnesty International, Forbidden Stories and the news publications and analysts who see this as an alarming use and abuse of a specific technology but differ as to whether that tech was designed with malicious intent in mind.

“NSO Group has been suspected of selling its spyware to some of the world’s most oppressive governments and leaders,” said Paul Bischoff, privacy advocate for Comparitech. “NSO Group is in effect a weapons dealer, and there’s very few restrictions on to whom it can sell its weapons.”

But Brian Higgins, security specialist at Comparitech, believes that NSO Group does its best to control the deployment of its Pegasus software, adding that there will always be consumers who want to change the purpose of the product for their own ends.

In the meantime, mobile phone owners users sufficiently alarmed and enterprising enough can download and install a Mobile Verification Toolkit (MVT) created by Amnesty. Available from GitHub, MVT can analyze data from Android devices and records of backups from iPhones to look for potential signs of compromise.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday