When it comes to security and privacy issues, Apple generally does a far better job than its rivals — though admittedly for selfish marketing reasons. When comparing Apple’s iOS and Google’s Android, it’s hard to not see that at least Apple makes a good-faith attempt at being security- and privacy-oriented, compared to Google, which would prefer selling ads and anything else it can think of.
Today, though, I find myself in the awkward position of saying that Apple is actually playing it straight. I am referring to the latest iPhone spy brouhaha, which Computerworld’s Johnny Evans captured quite nicely last week. In a nutshell, NSO Group, an Israeli firm that bills itself as a “surveillance as a service” company, created a zero-click attack that allowed spyware to be installed on iPhones. Amnesty International identified at least 180 journalists around the world who were hit by Pegasus.
But there’s an important caveat for regular iPhone users: This was an extremely targeted attack that is highly unlikely to affect them.
Apple’s response amounts to “how could we possibly fight something like this?”
Specifically, look at the company’s statement about the incident from Ivan Krstić, Apple’s head of security engineering and architecture:
“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
In English, that statement roughly translates to, “Whoa! This is a nation-state-level attack against one individual — by name. We’re good, of course, and the iPhone does have the best security of any consumer-grade mobile device. But cut us a bloody break. No consumer mobile device could have stopped this multi-million-dollar attack. Also, these attacks are quite rare. We can protect users against the kind of attacks that 99.99% of them will actually experience.”
It’s a fair point.
Consumer devices are not hardened as they need to be for sensitive military, governmental, or even corporate projects. The BlackBerry of years past was especially secure — for its day — but it wasn’t even a little hardened. Remember that President Obama loved his BlackBerry and his security people wouldn’t let him use it until it was severely limited.
In the same way that few enterprise security platforms today can block a persistent nation-state attack — at least not for very long — it’s not realistic to pretend that an ordinary iPhone could defend against a massive attack aimed at one person’s device.
It’s a core premise of all cybersecurity. Most attackers are somewhat rational and practical and they have businesses to run and profits to make. They will typically have hundreds of active targets and they can only cost-justify attacking one for so much time until it makes sense to give up and move onto the next target. Any individual or company needs to have security that is appropriately sized for the kind of attacks that are most likely to affect them.
If an attacker has a contract to get into your personal phone and is given a $25 million budget to do so, they can afford to have a team of bad actors hit your device 50 different ways 24/7 for weeks until they get through. No consumer device was designed to survive that level of attack because it is rarely profitable for the attackers.
In this case, it was.
So, while headlines focused on how usually-secure Apple devices and iOS were hit, in this case it’s clear that Apple hasn’t done anything wrong. It acted appropriately, given the circumstances (and is almost certainly looking to figure out what happened and close whatever flaws allowed Pegasus to be installed in the first place).