By Florian Reynaud

Posted today at 15:11, updated at 15:54

IPhone has enjoyed a reputation for high security for over a decade. And yet, no later than June 2021, an activist’s phone with the latest updates installed was infected with Pegasus spyware without her even realizing it. It is not an isolated case. According to Amnesty International’s technical findings, the iPhone of a human rights lawyer was also targeted in June 2021, still in the deepest secrecy.

If the spyware of the Israeli company NSO Group could have been so heavily used to violate human rights, as the investigations of the seventeen newsrooms participating in “Project Pegasus” demonstrate, it is because it cookie has for years been able to defeat the security of Apple phones. Hooking all the closed doors installed by the American manufacturer on its iPhones, Pegasus has found multiple ways to settle, against the will of its victims, to extract a host of personal and confidential information.

As soon as Pegasus was discovered by the Canadian Citizen Lab in 2016, Apple was forced to fix software vulnerabilities. At the time, researchers had uncovered flaws in the functioning of WebKit, its navigation tool used by Safari and most applications on iOS, flaws that had been quickly corrected by the manufacturer.

Five steps ahead of Apple

But NSO didn’t stop there and seems to have always stayed five moves ahead of Apple. In a new detailed technical report, Amnesty International mentions new security vulnerabilities used by Pegasus, some of which allow an iPhone to be hacked remotely without the victim having to click on a malicious link, and without being able to defend himself. “Apple unequivocally condemns cyber attacks targeting journalists, human rights activists, and all those who work for a better world”, reacted Ivan Krstic, one of the security managers at Apple.

A woman uses her iPhone outside the headquarters of the Israeli company NSO Group in Herzliya on August 28, 2016.

An observation that inevitably leads to questioning the safeguards installed by Apple, which has made the security of its devices a selling point with its customers: how to explain, then, that NSO was able to violate this security in a way also systematic?

Every piece of software is made up of thousands, if not tens of thousands, of lines of code written by humans that make mistakes without realizing it. The task is all the more difficult as, on a telephone, dozens of programs interact. This gives as many additional lines of code that hackers can scan for vulnerabilities.

You have 73.04% of this article left to read. The rest is for subscribers only.