Amnesty International reports that a security flaw in HomeKit was exploited to target iPhones owned by Serbian journalists and activists.
The human rights organization launched an investigation after Apple alerted two victims regarding the compromise of their devices due to Pegasus spyware …
Detection of NSO’s Pegasus Attacks by Apple
NSO Group produces the notorious spyware Pegasus, which it markets to governments and law enforcement agencies. The firm buys zero-day vulnerabilities (flaws Apple does not yet know about) from hackers, and its software uses zero-click exploits, which require no action from the target.
Notably, it has been reported that merely receiving a specially crafted iMessage, without opening or interacting with it, can be enough to compromise an iPhone and expose its personal data.
Apple now checks iPhones for indicators of Pegasus attacks and proactively sends threat notifications to users whose devices show them.
Confirmation of Hacks by Amnesty
Amnesty said the first victims followed Apple's advice and sought help, which allowed the organization to confirm the attacks.
Two activists affiliated with major think tanks in Serbia received individual alerts from Apple regarding a potential “state-sponsored attack” aimed at their devices. They subsequently contacted the Belgrade-based SHARE Foundation, which coordinated with Amnesty International and Access Now to conduct separate forensic analyses on the iPhones of both notified individuals …
The technical and forensic investigations have enabled Amnesty International to confirm that both individuals were indeed targeted with NSO Group’s Pegasus spyware.
Additional victims were later identified.
Exploitation of HomeKit to Facilitate the Attacks
Amnesty found that an apparent vulnerability in HomeKit was exploited to carry out the attacks.
The two devices were targeted merely minutes apart from different attacker-controlled iCloud email addresses. Amnesty International links both email accounts to the Pegasus spyware system. Similar iCloud accounts have been frequently detected in past zero-click Pegasus attack cases targeting devices via iMessage …
The evidence of spyware targeting through Apple’s HomeKit service closely mirrors attack strategies observed in other NSO Group Pegasus attacks that Amnesty International’s Security Lab tracked during the same timeframe.
The Security Lab corroborated that another group of individuals in India, who also received notifications from Apple within the same notification round, were similarly targeted by NSO Group’s Pegasus in August 2023. The devices in India showed comparable signs of HomeKit exploitation before the complete Pegasus exploit was transmitted via iMessage.
Details of the HomeKit vulnerability have not been disclosed, presumably because Apple is still working on a fix.
Compromise of Android Phones
Android phones were also targeted in the campaign. In those cases, Cellebrite tooling was used to unlock the victims' devices and install surveillance software while the phones were in police hands, after the victims had gone to the police to report crimes. Those crimes were likely carried out by state agents to lure the victims into police stations.
This method relied on an Android vulnerability, so it did not apply to iPhones.
Source: 404 Media. Image by Patrick Campanale on Unsplash.