Journalists, lawyers, politicians, and human rights activists have all been targeted by NSO’s Pegasus software, and Apple has now said that it will send security alerts to customers whose devices may have been compromised. It has already done so for at least five Thai activists and researchers.
It follows Apple’s announcement yesterday that it is suing NSO for attacking iOS users …
Our NSO guide explains the background, but the tl;dr version is that the Israeli company makes Pegasus spyware to compromise iPhones, and sells it to governments – without being too picky about which ones.
NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted. A report by Amnesty International said that Pegasus was being used to mount zero-click attacks against human rights activists and other innocent targets.
Notifications for those targeted by NSO
Apple is now actively monitoring devices for signs that they have been compromised by Pegasus, and the company will use three different methods to notify those customers it believes may be affected.
A new support document explains.
Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent.
State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks.
If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users.
The company will notify users in three ways:
- An alert in the Apple ID site (seen above)
Apple warns that the ever-changing methods used mean that it cannot guarantee to detect all attacks, and also that false alarms are possible. The company stresses that these notifications will never ask users to click on any links or install anything. Anyone wanting to verify that an alert is genuine should sign in to appleid.apple.com and check for an alert at the top of the page.
Finally, the company outlines the key security steps all users should follow to prevent more general attacks.
- Update devices to the latest software, as that includes the latest security fixes
- Protect devices with a passcode
- Use two-factor authentication and a strong password for Apple ID
- Install apps from the App Store
- Use strong and unique passwords online
- Don’t click on links or attachments from unknown senders
To that last one, I’d add: don’t do this even if the sender is known, unless you are actually expecting them to send you a link or attachment, as it is both easy and common to spoof sender addresses.