A new report from Amnesty International’s Security Lab finds that the commercial spyware Pegasus has infected “thousands” of devices. The report is based on a list of 50,000 phone numbers that were thought to be of interest to clients of NSO (the company behind Pegasus). Those clients included journalists and activists.
The infections are supposedly caused by a glitch in the way iOS 14.6 handles iMessages, and they occur in spite of the beefed-up iOS 14 privacy protections.
“The analysis Amnesty International conducted of several devices reveal traces of attacks similar to those we observed in 2019,” notes the report. “These attacks have been observed as recently as July 2021. Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).”
However, NSO says it’s not to blame, which sounds like a cop-out.
“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets,” the company said in a statement. “NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.”
Apple has released the following statement on the matter to the Washington Post:
“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”