Over the weekend, an explosive report from Amnesty International detailed targeted attacks against human rights activists, lawyers, and journalists that used Apple’s iMessage system as the vector for delivering zero-click exploits. In a new statement provided to the Washington Post, Apple defended its security practices and said it leads the industry in security innovation.
As we detailed earlier today, a report from Amnesty International interpreted device logs to reveal the scope of targeted malware attacks in active use. The report detailed that the Israeli firm NSO Group has sold multiple attacks known as ‘Pegasus’ over the years, adapting as Apple fixed each security bug. For instance, in 2019, there was a vulnerability in Apple Photos, followed by an iMessage zero-click, followed by Apple Music in 2020.
And fast forwarding to the present day, Amnesty believes Pegasus spyware is currently being delivered using a zero-click iMessage exploit that works against iPhone and iPad devices running iOS 14.6. The exploit also appeared to successfully work against iPhones running iOS 14.3 and iOS 14.4.
Today’s report from the Washington Post includes a comment from Ivan Krstić, head of Apple Security Engineering and Architecture. Krstić says that Apple “unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place.” He also notes that attacks such as the ones detailed by the Amnesty International report are incredibly sophisticated and are not a threat to the “overwhelming majority” of iPhone users.
The full statement is as follows:
“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
For more details on the active zero-click iMessage exploit being sold as Pegasus, check out our full coverage from this morning right here.