“Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security,” Citizen’s Lab Senior Research Fellow Bill Marczak said on Sunday.
Hackers were reportedly able to remotely access and replicate data from phones tied to 37 people, primarily reporters and executives, using a software tool named Pegasus created by NSO Group.
The software is sold to governments and is considered a military-grade hacking service. With Pegasus, hackers are able to infect phones with so-called “zero-click” texts through iMessage, meaning the target user doesn’t even have to interact with the text to have their phone breached.
Moreover, the report found that even the most up to date firmware and iPhone hardware can be breached by Pegasus.
Forensic reports completed by Amnesty International and verified by Citizen’s Lab found that even iPhones running iOS 14.6, the latest version of Apple’s mobile operating system, were susceptible to being hacked. “All this indicates that NSO Group can break into the latest iPhones,” Marczak said.
One such target with an iPhone was the fiance of slain Washington Post reporter Jamal Khashoggi, according to the report. A forensic analysis of Hatice Cengiz’s iPhone found evidence of multiple breaches starting in early October 2018 – immediately following Khashoggi’s assassination on October 2, 2018.
Following the report, NSO Group released a statement rebuking its findings and threatening a potential lawsuit. “We firmly deny the false allegations made in their report,” the statement said. “These allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”
Apple representatives didn’t immediately respond to a request for comment regarding the specific iPhone security issues outlined in the report, and it’s unclear if an update is coming to patch the exploit.
“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple security engineering chief Ivan Krstić said in a statement to Insider. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Got a tip? Contact Insider senior correspondent Ben Gilbert via email (email@example.com), or Twitter DM (@realbengilbert). We can keep sources anonymous. Use a non-work device to reach out. PR pitches by email only, please.
iPhone hacks aren’t incredibly common, but they can still occur if you aren’t careful.
From malware and trickster apps downloaded from the App Store to targeted attacks on a specific device, your information can be stolen in myriad ways.
Here we’ll break down the common types of hacks, how to tell if you’ve been hacked, and what to do about it.
How an iPhone can be hacked
Hacking occurs when someone else gains access to private information on your device or controls it without your consent. It’s a broad term, and lies on a gradient of bad to very serious. Some hackers want to make a quick buck selling advertising. Others want to hurt you.
Experts said there are a few main types of iPhone hacks:
Suspicious websites or links
Just like on your computer, your iPhone can be hacked by clicking on a suspicious website or link. If a website looks or feels “off” check the logos, the spelling, or the URL.
Try to avoid connecting to a password-free public Wi-Fi network, which opens the possibility of a hacker accessing unencrypted traffic on your device or redirecting you to a fraudulent site to access login credentials.
Messages from numbers you don’t recognize are also suspect.
Fortunately, modern smartphones are good at resisting malware and ransomware.
Suspicious apps on the App Store
Apple devices exist in a much more closed and monitored digital ecosystem when compared to Android devices.
The company has a vetting process for apps on its store, but it’s not bulletproof.
Ning Zhang, who leads the Computer Security and Privacy Laboratory at Washington University in Saint Louis, said to watch out for apps that ask for more information than they’ll need to function.
For example, if you’ve downloaded a wallpaper or flashlight app and it’s asking for your location or contact list, camera, or microphone, that’s a red flag. Likely, the developers are tricking you into giving out this information so it can be sold.
“I’d be a little bit skeptical about it and consider if I really want that wallpaper app,” he said. “Being vigilant, even with official apps, is helpful. If we are able to do that, I think for the average person, you should be fairly safe.”
Intimate partner hacks
Abusive partners can grab your phone and download spyware (or stalkerware) when you’re not looking. This malicious software can be used to track your location, or make private information like texts, your call history, and emails accessible to them.
All they need is your password and physical access to your phone. Experts we spoke to said that this is unfortunately common. This abuse can be psychologically traumatizing and devastating to someone’s personal and public life. If you notice apps that you don’t remember downloading, this could be a sign – although many times the spyware app is invisible on the home screen.
Sadly, this problem isn’t easy to fix. Victims can risk their safety by deleting the apps or checking for malware if and when abusers notice these actions.
The average person probably won’t be singled out and remotely targeted by hackers because it’s expensive, sometimes costing millions for hacks of newer phones, said Matthew Green, an associate professor at the Johns Hopkins Internet Security Institute.
Journalists and activists are most at risk for this kind of hack.
One form of a targetted hack works like this: Hackers exploit unknown flaws in the iOS programming that even its developers don’t yet know about. With this knowledge, hackers can install malware to get data from targetted sources.
“This is a very sophisticated set of hacks and oftentimes you won’t even know this happened to you,” Green said. “If it’s someone who is really sophisticated, they’ll send you an invisible text message and then your phone is going to be compromised for awhile.”
The bugs are known as “zero-day” exploits, corresponding with the fact that Apple will find out about a possible security issue in their software on the same day it’ll work to patch it. The minute the world knows, it’s only a matter of time before the hack is obsolete. That’s why these pricey hacks are often kept under wraps by the people, or governments, who purchase them, Green said.
Ways to protect yourself from an iPhone hack
iPhones can absolutely be hacked, but they’re safer than most Android phones.
Some budget Android smartphones may never receive an update, whereas Apple supports older iPhone models with software updates for years, maintaining their security. That’s why it’s important to update your iPhone.
Apps on the App Store are also vetted for malware (though there are questionable apps that go unnoticed).
However, if you’re considering “jailbreaking” your iPhone – removing the software restrictions imposed on iOS – you’re opening yourself up to potential vulnerabilities in the software because you’ve eliminated some of Apple’s existing security measures. It is possible to download incompatible spyware or malware apps on a jailbroken phone, and this is also how remote takeovers can occur with iPhones. A jailbroken phone should be avoided as it can dangerously allow malicious apps to go undetected.
If you backup your phone in iCloud, make sure to have a strong password. If someone gets ahold of your password, they don’t even need to hack your phone because they can download a backup from the cloud.
Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University, said staying safe is all about “good digital hygiene.”
“Install apps from trustworthy sources and unless you know what you’re doing, you probably don’t want to jailbreak your phone,” Sekar said. “Be careful. Don’t click on attachments you don’t want to open and keep your phone up to date.”
How to tell if your iPhone has been hacked
You can’t always tell if your iPhone has been hacked, Sekar said. But you may notice a few things.
Your phone is unusually hot, or frequently dying.
Your phone is sluggish when trying to load websites.
The battery is draining even when you’re not touching your phone.
These symptoms indicate the phone is running all the time, even when you’re not using it. Sometimes, the best indicators come from the outside, such as when friends say they’re getting odd messages from you. However, the most sophisticated hacks can be somewhat invisible.
There’s no definite way to check for every type of hack. Experts told us that one reliable way to investigate is to download a mobile security app called iVerify, which scans your phone’s operating system for suspicious behavior and can also detect if your phone has been jailbroken.
What to do when your iPhone has been hacked
If you know your phone has been hacked, you have a few options depending on what happened.
For minor problems, like an app stealing your information, delete the app and update your software.
Finding an expert for inspection may be the best solution. Green from Johns Hopkins said your phone can’t always be cured.
“I hate to say this, but if you really, really need to be safe, get a new phone,” Green said. “If somebody actually gets on your phone, and it’s a really high barrier for iPhones, they can install stuff like keyloggers, which means every key press, every letter you type in is being sent to somebody. Until you’re sure that’s gone, you can’t be sure you have any privacy.”
If you can’t get a new phone right away, a hacked iPhone is likely not safe to use, so you’re best to leave it turned off.