Amnesty International says a security vulnerability in HomeKit was used to target iPhones belonging to Serbian journalists and activists.
The civil rights organization conducted an investigation after Apple notified two of the victims that their devices had been compromised by Pegasus spyware …
NSO’s Pegasus attacks detected by Apple
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
iOS now proactively scans iPhones for signs of Pegasus attack, and Apple sends alerts to their owners.
Amnesty confirmed the hacks
Amnesty said that the two initial victims followed Apple’s advice to get help, and it was able to confirm the attacks.
Two activists associated with prominent think-tanks in Serbia received individual notifications from Apple about a possible “state-sponsored attack” targeting their devices. [They then] contacted the Belgrade-based SHARE Foundation who worked with Amnesty International and Access Now to carry out separate forensic analyses of iPhones from both notified individuals […]
Technical and forensic research allows Amnesty International to now confirm that both individuals
were indeed targeted with NSO Group’s Pegasus spyware.
Further victims were subsequently identified.
HomeKit was attacked to facilitate the attacks
Amnesty found that an apparent HomeKit vulnerability was used to carry out the attacks.
The two devices were targeted with minutes of each other from two different attacker-controlled iCloud email addresses. Amnesty International attributes both email accounts to the Pegasus spyware system. Amnesty International has frequently found similar iCloud accounts used to send zero-click Pegasus attacks to target devices over iMessage […]
The traces of spyware targeting through Apple’s HomeKit service closely resemble the attack techniques seen in other NSO Group Pegasus attacks observed by Amnesty International’s Security Lab in the same period.
The Security Lab confirmed that a separate group of individuals in India, who received notifications from Apple in the same round of notifications, were indeed targeted by NSO Group’s Pegasus in August 2023. These devices in India also showed similar traces of HomeKit exploitation before the full Pegasus exploit was sent over iMessage.
No details of the HomeKit vulnerability have been shared, likely because Apple is still in the process of blocking it.
Android phones also compromised
Android smartphones were also compromised in the attack. Additionally, Cellebrite tech was used to instal surveillance software on their locked devices after victims went to police to report crimes – which were likely carried out by state employees in order to get them into police offices.
This particular route relied on an Android vulnerability, so could not be used against iPhones.
Via 404 Media. Photo by Patrick Campanale on Unsplash.
FTC: We use income earning auto affiliate links. More.
