What Apple said about Pegasus breaching the iPhone’s core security

From a note issued by Apple security engineering chief Ivan Krstić in response to Sunday’s Amnesty International report:

Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market.

Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.

While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.

My take: He’s got a point about the cost of zero-click penetration. Billions would be better than millions, however. Makes me wonder what kind of understanding Apple reached with the FBI after San Bernardino.

13 Comments

  1. Bart Yee said:
    An interesting comment from one of the articles blames Apple for not offering more than $200,000 to hackers and researchers for bug/exploit reports to Apple, saying that selling their knowledge on the dark web or black market to the highest bidder was more lucrative than reporting it to Apple. I’m sure they are so sure of their anonymity that they would never be tied back to any crime or criminal activity from said exploit – i.e., identity theft, unconstitutional or otherwise unlawful surveillance, privacy invasion, stalking, theft, banking law violations, conspiracy, lying in wait to commit crimes, murder, etc.

    Of course, laws vary across different countries; autocratic regimes tend to fear no one, no laws, and no courts; and prosecution, let alone investigation, may be next to impossible without direct threats against investigators.

    One should compare Apple’s statements against those of NSO defending their development and sale of their tech to “carefully vetted” governmental and private agencies. That the Israeli government through one of its ministries “regulates” and approves each sale is also troubling considering who it has been linked to. Strange bedfellows.

    2
    July 20, 2021
    • Bart Yee said:
      I guess though if they never come to Apple asking for more money they can’t be accused of extortion?

      1
      July 20, 2021
  2. Aaron Belich said:
    Is that an Android phone in the image? With a key on it? LOL.

    1
    July 20, 2021
  3. Fred Stein said:
    After the San Bernardino terrorist attack, Tim Cook said, in effect: “There’s no such thing as a back door for only the good guys.”

    And the same people who bash Apple now, claimed that Apple’s stance on privacy is ‘just branding’.

    Old proverb, ‘to beat this cat, any stick will do.’

    3
    July 20, 2021
  4. Jerry Doyle said:
    Just updated my iPhone with today’s new Apple roll-out software update. The update did not denote a security patch, but bug fixes.

    0
    July 20, 2021
    • Bart Yee said:
      I think it’s too soon to expect Apple to come up with a comprehensive security fix to cover all of Pegasus’ exploits. The Amnesty report will take time to digest and to develop mitigations and defenses for, plus trying to proactively find other holes and plug them as well. It’s a never-ending task.

      0
      July 20, 2021
      • David Emery said:
        I dunno. There’s often a significant gap between discovery of a vulnerability that gets reported to the vendor, and the public announcement of same.

        But if PED’s quote from Apple is ‘complete’ on this, I’m pretty disgusted there’s no authoritative statement on whether 14.7 fixes this problem.

        To Bart’s earlier comment about “insufficient bounty for bugs,” I’ll repeat my way to fix security problems. Make vendors (including Apple) legally liable for vulnerabilities. When there are class-action lawsuits with payouts and penalties in the $Billions, the software community will finally decide they can’t afford to release software with these kinds of vulnerabilities. Like many situations for product safety, the fix is expensive, so to get the result you have to make “not doing the fix” more expensive!

        2
        July 20, 2021
  5. Steven Philips said:
    You could never fix enough to avoid frivolous lawsuits. Look at patents. The costs would be TOO high.

    1
    July 20, 2021