After filing suit against Israel’s NSO Group, responsible for the Pegasus spyware used in state-sponsored surveillance schemes, Apple has released details of how it will alert users to the fact that they’ve been targeted.
The alerts are aimed at individuals who may have been specifically picked out for anti-government activities. “These users are individually targeted because of who they are or what they do,” the company warns.
“Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent.”
The company will issue warnings in two different ways. First, a Threat Notification will be displayed at the top of the page after the user signs into appleid.apple.com. Second, the company will also send an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID. These notifications, says Apple, provide additional steps that notified users can take to help protect their devices.
“Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected,” warns the firm.
“We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”
Apple says it’s already alerting users who may have been targeted by FORCEDENTRY, which exploited a now-fixed vulnerability and allowed the Pegasus spyware to be installed on their devices.
Yesterday, it issued alert messages to several activists critical of the Thai government, warning that their iPhones may have been targeted. These include Prajak Kongkirati, a political scientist at Bangkok’s Thammasat University, along with other activists and politicians.
The use of Pegasus spyware on journalists and activists was uncovered earlier this year by Amnesty International and the Citizen Lab. iPhones — and iMessage — were revealed as particularly vulnerable. Attackers were able to create Apple IDs and send malicious data to a victim’s device, allowing NSO Group or its clients to deliver and install the spyware without the victim’s knowledge.
Apple has since issued software updates to fix the flaws, and says it hasn’t seen any evidence of successful remote attacks against devices running iOS 15 and later versions — although the spyware continues to evolve.
“State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life,” says Apple. “The vast majority of users will never be targeted by such attacks.”