Apple's comments on reported NSO Group iPhone exploit


A major story from journalists, human rights groups and a consortium of media outlets indicates that software from the Israeli NSO Group may have been used to improperly spy on mobile devices. NSO's Pegasus malware product is delivered via a zero-click exploit on iPhones (Android devices are also vulnerable) and is marketed as a tool for combating crime and terrorism. The reports allege, however, that the software was used against journalists and government officials, among others. NSO Group disputes the details, so this story may still be developing.

With that background, Apple issued a statement in response to the report. Apple's head of security engineering and architecture, Ivan Krstić, said:

â€Å"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

I don't like how this statement minimizes the effect of the exploit, which isn't fully known. Apple needs to be challenged to do better at preventing zero-click exploits. This particular exploit can be triggered simply by receiving an iMessage and reportedly requires no user action.

Amnesty International does offer some potential immediate relief. In its research, the organization found that the infection does not survive a reboot. That lack of persistence makes it harder to identify devices that may have been compromised, but it also means that regularly rebooting may be a work-around until Apple addresses the specific exploit in a software update. Note the limits of that work-around: a reboot clears the running implant, but because delivery is zero-click, a targeted device can be reinfected by another message, so rebooting is a mitigation rather than a fix.