These Are The Reasons That Make iPhone Vulnerable To Pegasus Spyware

JAKARTA - NSO Group, the Israeli company that created the Pegasus spyware, is in trouble again. The software was used to spy on a group of people whose cell phone numbers were found in a leaked database.

NSO Group's spyware is well known for providing a backdoor into the phones of targeted entities. Both Android phones and iPhones are targets, but the latter are easier to monitor with Pegasus. According to a report, a zero-click exploit in Apple's iMessage makes this job a lot easier.

According to a forensic methodology report by Amnesty International's Security Lab, Apple's iPhones are the easiest to spy on using the Pegasus software. The leaked database shows that iPhones running iOS 14.6 are affected by the zero-click iMessage exploit, and that this exploit can be used to install Pegasus on the iPhone of a targeted entity.

This exploit was discovered earlier by Citizen Lab. It was known as KISMET and allowed Pegasus to be installed for complete surveillance of the device. The exploit has been patched via an urgent software update that Apple released, but it looks like the exploit remains inactive until the zero-click is fired.

Citizen Lab researcher Bill Marczak said that Apple had major issues with iMessage security even after the patch, which brought the BlastDoor Framework as part of the iOS 14 update.

Apple's BlastDoor Framework is supposed to make zero-click exploits more difficult, and so make installing the Pegasus spyware harder. However, the BlastDoor Framework may not work as intended.

Case in point: the new Pegasus surveillance scandal, which involved not only leading journalists from around the world but also ministers and other well-known entities. Researchers have noted that spyware installed via zero-click exploits is no longer “persistent”.

According to Marczak, Apple's use of sandboxing alone in iMessage doesn't accomplish what the BlastDoor Framework ideally does. This means that any properties that BlastDoor has are somewhat weakened by the sandboxing process, which could still leave room for exploits that need no click.

“How about: ‘don't automatically run very complex and buggy parses on data that strangers push to your phone?!’” Marczak said in a tweet.

The leaked database of the targeted iPhone had call logs, and Pegasus was able to retrieve them and use the exploit in ImageIO on iOS 13 and iOS 14 through the parsing of JPEG and GIF images. Marczak said that there were "a dozen" high-level bugs in Apple's ImageIO.

Meanwhile, WhatsApp has criticized NSO Group for providing a tool that treats privacy as unimportant.

But a bigger question hangs over Apple's repeated claims that its phones are made to protect the privacy of their users. If a single zero-click exploit could enable mass surveillance, imagine what other vulnerabilities could do. Apple has not said anything about the incident.