The message received on June 11 on the phone of Claude Mangin, the wife of an activist imprisoned in Morocco, made no noise. It didn’t show up anywhere. Nothing told her that a malicious iMessage had been sent to her, on a device whose very high level of security Apple boasts about.
Once installed, the spyware from the Israeli company NSO activated. Although it was impossible to know precisely what was stolen from her phone, the spyware could access emails, recorded messages, social media posts, contacts, photos, videos and recordings, and view the browsing history. It could also activate the microphone and the camera, and trace the movements of the phone's user: whether the user was stationary or moving, in which direction, and at what speed. The infection was spotted thanks to an expert analysis carried out by the Security Lab of Amnesty International, as part of the investigation initiated by Forbidden Stories with its 16 partners, including the investigation unit of Radio France.
It therefore appears that the iPhone, even in its latest versions, 11 and 12, and despite its high price, is not tamper-proof. Hackers exploit vulnerabilities in applications like iMessage, Apple Music, Apple Photos or the Safari browser. According to several security experts, iMessage is particularly problematic because it keeps growing, Apple having added new features such as playing videos or playing games. Yet each new line of code is another opportunity for bugs, a gateway that NSO or other spyware can exploit. Google’s Project Zero, which aims to identify vulnerabilities in connected devices, had already warned last year about how easily iMessage can be broken into.
“Your iPhone, like many new Apple devices, uses an insecure passcode to process data sent to you over the internet,” says IT security expert Bill Marczak of the University of Toronto’s Citizen Lab. “Any security student could see this is a problem.”
Apple had nevertheless positioned itself as a brand highly protective of its users, notably in 2016, by refusing to give the FBI access to an iPhone 5 that had been used by one of the shooters in the San Bernardino massacre. The safety and trust of the user was its number one priority. But the Apple brand suffered a setback when the FBI managed to unlock the phone with the help of an Australian cybersecurity firm.
With each new generation of iPhone, Apple offers updates that make its devices more secure. The Apple brand recently introduced “BlastDoor”, a feature that is supposed to prevent iMessages from introducing spyware. It also created Watchdog, which monitors the functioning of the iPhone for any suspicious activity. Despite this, some experts consider that the brand does not sufficiently protect its products. According to a report from the Citizen Lab in Toronto, updates to iOS 14 managed to block NSO’s software for a time, but Pegasus ended up bypassing those defenses.
Another criticism levelled at Apple: that it has closed itself off to external collaborations that could help it better protect its devices. Officially, all is well, and according to former employees, talking about bugs internally is reportedly almost taboo. “On this subject, we are given a bunch of ready-made answers that we repeat over and over,” we were told. Some detractors also criticize Apple for not tackling the most significant hackers, who have large means and use very sophisticated technologies, such as NSO. “There are journalists who work on corruption, and candidates threatened by criminal gangs. If we do not provide them with the safe tools to do such a dangerous profession, our societies will not be better off,” laments Adrian Shahbaz, who heads the technology and democracy department at Freedom House in Washington. “NSO-type attacks cost millions to develop and often have a limited lifespan, because they are identified and remedies are found,” Apple assured us for its part. “We have significantly enhanced the security of our iOS 15 operating system, and we will continue to do so.”
Apple’s business model is based on the regular release of new models of the iPhone, its flagship product, which generates 50% of its revenue. Each new version is equipped with an improved operating system with a dozen new features. But according to some employees, the release schedule for these models is shrinking. This leaves little time to check new devices for faults, resulting in a proliferation of bugs that hackers can exploit.
Unlike other competitors, Apple has also been slow to pay ethical hackers to identify security flaws. Apple’s chief security officer, Ivan Krstic, eventually resorted to it in 2016, but some researchers say the program was cut short because Apple was paying too little to people who were supposed to work for months or even years. Since 2019, the situation has reportedly changed. “We pay some of the largest bonuses in the industry,” the brand assured us. “We have quadrupled our budget since 2019, and we have already paid millions of dollars this year.”
When a bug is spotted, it is given a code name, say former employees. “Red” means that the vulnerability is already being exploited by hackers, and “orange” that it has not yet been. In the latter case, it can sometimes take months before an update is offered, and during this time phones can be attacked. According to a former employee, it is more effective to make a bug public than to inform Apple. Some also regret a lack of communication from the brand about its bugs. Apple’s security teams do not speak at major events such as Black Hat, held every summer in Las Vegas, where competing companies come to present the state of their research. “We identify and repair the vast majority of potential vulnerabilities even before our products are operational,” Apple says in its defense. “No company does better.”
“I think we only see the tip of the iceberg,” says Costin Raiu, director of the global research and analysis center at cyber security company Kaspersky Labs. “If you give people the tools and the ability to watch what’s going on in phones, then be prepared for some nasty surprises.”