Apple for long has taken a lot of pride in the secure experience it offers to the users. It consistently takes digs at Android, talks about the privacy at length during its keynotes and has introduced few features that offended the other Big Tech. But, even Apple has been left red-faced with the latest Pegasus spyware leak which shows that the Cupertino-based tech giant needs to ramp up its security. The spyware was used to target journalists and human rights activists from different countries of the world, including India.

Evidence of Pegasus infections or attempts at infections was found in 37 out of the total 67 smartphones that were assessed by the Amnesty International’s Security Lab. Out of these, 34 were iPhones and 23 of them showed signs of a successful Pegasus infection, while the rest (11) showed signs of attempted infection.

In contrast, only three of the 15 Android smartphones showed evidence of a hacking attempt. But there two points to note here before you think that Android phones are safer than the iPhone. One, Amnesty’s investigators clarified that it found Pegasus evidence more on the iPhone Android’s logs are not comprehensive enough to store the information needed for conclusive results. And two, people have expectations of higher security standards than the iPhone.

Apple in the recent years has highlighted again and again that the iPhone is more secure phone compared to Android, and Pegasus or no Pegasus as a general statement it remains accurate. But it is also true that Pegasus story shows the iPhone is not as secure, or rather unhackable, as Apple suggests. This reflects in the statement put out by Amnesty.

“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised,” Deputy Director of Amnesty Tech Danna Ingleton said in a blog post.

The incident is more worrisome because even the latest iPhone 12 models running the newest version of Apple’s operating system were compromised. That’s generally the best and the last layer of security a smartphone manufacturer can offer.

In a statement to India Today Tech, Ivan Krstic, head of Apple Security Engineering and Architecture, said: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

What all can Pegasus access?

While there is a lot of information around who all must have been affected and how, no examination has been able to reveal the data that was collected. The possibilities are endless, though. We know that Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories.

It is also capable of activating the cameras or microphones to capture fresh images and recordings. It has capability of listening to voice mails, collect location logs to figure out where a user has been, and all of this can actually happen without a person touching their phone or clicking on a mysterious link.

How was iPhone security breached?

The investigation reveals that the iPhones were hacked using Pegasus zero-click attacks. It mentions that thousands of iPhones are on the list of attacked devices but cannot confirm the number of phones that were eventually infected.

As the name suggests, ‘zero-click’ attacks do not require any action from the phone’s user which adds more potential to an already powerful malware. These attacks target software which receives data even before it can determine whether what is coming in is trustworthy or not.

A similar vulnerability was highlighted by Google Project Zero security researcher Ian Beer in November 2019 who revealed that attackers can take complete control of an iPhone in radio proximity without any user interaction. Apple had fixed the issue with a software update but had admitted that it was powerful enough to corrupt the devices.

Since these zero-click attacks do not require any activity from users, it becomes very difficult to avoid them. You may be aware of phishing attacks, following the best internet practices but can still be targeted with this spyware.

What can Apple do from here now?

The best solution for any spyware attack is to ensure that your smartphone is running on the latest software update. That’s why Apple and others keeping rolling out regular security updates. In this case though, even the latest iPhone models have been hacked which builds further pressure on Apple to change its otherwise strict policies and work with other tech companies.

Apple has been criticised for doing a poor job with collaborations and being secretive about its software updates. The incident should concern Apple as a lot of users switch to iPhones for security reasons believing that their activities will not be tracked from there on. The multiple vulnerabilities exposed in the recent times challenge its status as the superior operating system.

Apple holds several bounty programmes to find vulnerability in its software but, the efforts may not be enough given the rise in malicious activities with the increasing penetration of internet in human life.

Apple, though, is highlighting that it is focussing on privacy and security in its products eagerly and earnestly.

The company says that the security team has grown significantly, with growth of about 4x in the last 5 years and that it continues to work with independent security researchers even if it has not made it a focus to broadcast much of that collaboration. As an example, Apple points out to its bug bounty programme which, it claims, offers some of the highest payouts in the industry and has grown total payments over 4x a year since we announced it’s expansion in 2019, with millions of dollars in bounty awards already paid out this year.