Security researchers say Apple has to ‘step it up’ in wake of NSO-Pegasus spyware case

The Apple logo is displayed in an Apple store in lower Manhattan on Aug. 2, 2018, in New York City. (Spencer Platt/Getty Images)

Apple was dealt a huge blow to its reputation as a security champion on Monday when it was widely reported that the spyware tool Pegasus from the Israeli company NSO Group can breach the latest iPhones through “zero-click” attacks via iMessage that don’t require human interaction to inject malware on a device.

The company’s stock was down 2.69% to $142.45 a share today on news of the security issue.

Security experts like Setu Kulkarni, vice president, strategy at NTT Application Security, said the industry needs to get behind Apple, Google, and others as they find ways to protect users against spyware that was originally intended for legitimate defense and intelligence purposes.

“For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors,” Kulkarni said. “For lawmakers, it’s a moment of reckoning as well to create consequences for such misuse. Ultimately, for NSO, Apple and law agencies — the lesson is that with great power comes great responsibility. It’s time to ‘step it up’ and find a way forward where NSO, Apple and law agencies can further improve their collaboration rather than take a step back.”

Oliver Tavakoli, CTO at Vectra, added that it’s clear that the iOS iMessage service has become a bit of a mess from a security perspective. Tavakoli said Apple has added more and more functionality to it — and every piece of functionality comes with the potential for exploitable vulnerabilities.

“And the fact that iMessage does not distinguish how it handles inbound messages from known contacts vs. perfect strangers opens phones up to exploitation from anywhere,” he said. “Accepting processing messages from anyone is the equivalent of running a network connected to the internet with no firewall.”
