Amnesty International says a HomeKit security flaw has been used to attack iPhones belonging to Serbian journalists and activists.
The civil rights group has launched an investigation after Apple notified two victims that their devices had been compromised by Pegasus spyware …
NSO's Pegasus Attacks Detected by Apple
NSO Group makes spyware called Pegasus, which is sold government and law enforcement agencies. The company buys so-called zero-day vulnerabilities (those unknown to Apple) from hackers, and its software is said to be capable of installing zero-click exploits, which require no user interaction from the target.
Specifically, it is said that simply receiving a certain iMessage — without opening it or interacting with it in any way — can result in an iPhone being jailbroken and personal data being exposed.
iOS is now actively scanning iPhones for signs of the Pegasus attack, and Apple is sending alerts to their owners.
Amnesty confirms the hack
Amnesty said the first two victims followed Apple's advice to seek help, and it was able to confirm the attacks.
Two activists affiliated with prominent think tanks in Serbia received individual notifications from Apple about a possible “state-sponsored attack” targeting their devices. [They then] contacted the Belgrade-based SHARE Foundation, which partnered with Amnesty International and Access Now to conduct separate forensic analyses of the iPhones of both notified individuals […]
Technical and forensic examination allows Amnesty International to now confirm that both individuals
were indeed attacked by NSO Group’s Pegasus spyware.
Additional victims have since been identified.
HomeKit was attacked to facilitate the attacks
Amnesty has found that an apparent vulnerability in HomeKit was used to carry out the attacks.
The two devices were attacked within minutes of each other from two different iCloud email addresses controlled by the attackers. Amnesty International attributes both email accounts to the Pegasus spyware system. Amnesty International has frequently found similar iCloud accounts used to send Pegasus no-click attacks to target devices via iMessage […]
The spyware attack traces through Apple's HomeKit service are very similar to the attack methods used in other NSO Group Pegasus attacks discovered by the Amnesty International Security Lab during the same period.
The Security Lab has confirmed that a separate group of individuals in India who received notifications from Apple in the same round of notifications were indeed subject to an NSO Group Pegasus attack in August 2023. These devices in India also showed similar traces of HomeKit exploitation before the full version of the Pegasus exploit was sent via iMessage.
Details about the HomeKit vulnerability have not been released, likely because Apple is still in the process of blocking it.
Android phones were also compromised
Android smartphones were also compromised in the attack. Additionally, Cellebrite's technology was used to install surveillance software on locked devices after victims reported crimes to police that were likely committed by government employees in order to get into police stations.
This particular method relied on an Android vulnerability, so it couldn't be used against iPhones.
- Scan Your iPhone for Pegasus Spyware With a $1 App
- Apple Wants to Drop Its 3-Year-Old Lawsuit Against Spyware Group
- iPhone Spyware Firm NSO Sues Big Loss in US Court in Meta Lawsuit
Via 404 Media. Photo by Patrick Campanale on Unsplash.
