iPhone spyware made by $1 billion surveillance company NSO has exposed “major” issues in Apple iMessage security, according to a security expert who has spent years researching the Israeli business’ hacks.
Reports from Amnesty International and Citizen Lab, following on from an alleged leak of data on 50,000 potential targets of NSO’s Pegasus spy tool, claimed that they had both seen a so-called “zero-click” attack exploiting numerous vulnerabilities in a fully-patched iPhone 12 Pro Max running iOS 14.6 in July 2021. That included hacks of iMessage.
Bill Marczak, researcher at Citizen Lab, told Forbes that in some cases Apple’s iOS will automatically run data within iMessages and attachments, even when they’re from strangers, which could put users at risk.
“That’s a recipe for disaster,” he said. “Apple should consider implementing something similar to what Twitter or Facebook have for their DMs, where messages from strangers are somewhat hidden, and filtered into a separate pane by default.”
Right now, Marczak adds, this isn’t a problem for the average iPhone user, as the target list acquired by nonprofit organization Forbidden Stories mainly focused on people at high risk of government surveillance, from journalists like Financial Times editor Roula Khalaf to people close to murdered journalist Jamal Khashogghi. Heads of state were also reportedly on the potential target list. NSO has repeatedly been called out in the last five years after its tools were seen targeting Mexican lawyers, Saudi activists and journalists across the world, though it claims its software is used to help governments catch the most egregious criminals like terrorists and pedophiles.
“But if Apple doesn’t nip this in the bud, these sorts of zero-click iMessage attacks will inevitably proliferate to less-sophisticated hackers, such as cybercriminals,” Marczak warned. He’d previously tweeted that an Apple security mechanism called BlastDoor, designed to…