New Delhi: On Monday (October 30) night, nearly two dozen people in India – mostly opposition politicians and some journalists – received an alert from Apple saying that their iPhones may have been targeted by “state-sponsored attackers” who are trying to remotely compromise their devices. The notification reignited the conversation about government misuse of spyware, even as the government went into damage control mode following the alert to users.
The Wire spoke to Apar Gupta, advocate and founding director of the Internet Freedom Foundation (IFF), about the alert and what it means for smartphone users in India.
How would Apple have discovered this attack by “state-sponsored” actors?
Apple, when it manufactures a phone, also takes responsibility for the security and privacy of its operating system, iOS. After the rise in spyware attacks across the world over the past few years, Apple introduced a feature that would alert a user if there was a state-sponsored hacking attempt through a threat notification. Apple has teams that look at such [attempts and then to provide] threat notifications.
Would you call this a zero-day attack?
A zero-day attack is when a vulnerability is secretly known to a threat actor which is then shared to a third party – that may be a company or the state – and by [exploiting] this vulnerability, they can install software secretly into your smartphone or take data secretly from your phone without your knowledge.
I don’t know whether this is a zero-day attack or a vulnerability that has been documented earlier. It could have exploited vulnerabilities in an application that was installed in iOS or a vulnerability within iOS. That level of specificity is not available in the threat notification because. Apple states that the attack was from a state-level actor. It did not disclose or give further information because that information will help state actors to exploit that vulnerability or change their working methods to get back into the phone.
So if there is an attack on a wider scale, Apple will come to know about it?
To say that if it happens, Apple will certainly get to know is not correct. Apple may not get to know. But when it gets to know, it notifies the user.
Notifications like these have gone to 150 countries since Apple’s Threat Notifications feature began in November 2021. Is state-sponsored surveillance an expensive affair or can it be done by a solitary hacker using, for instance, just a laptop?
The last known incident, in which public disclosures exist, was concerning the NSO Group, the Israeli company, that sold the [Pegasus] spyware software to multiple governments across the world. Sales of this software [were worth] hundreds of crores [of rupees], [based on information from] a contract between the NSO Group and the government in Uganda which was submitted in a US court by WhatsApp as part of a case. Then, one of the infection patterns was a zero-day attack on a vulnerability that existed in WhatsApp, which allowed the NSO Group to infect a person’s Android or iOS device through a missed call. This was used by multiple governments all over the world to install Pegasus on the phones of journalists, opposition politicians, human rights defenders and activists.
As per reports, it was also used in India. There has been a lack of information and disclosure [in India], even after a court-appointed inquiry put questions to the government of India on whether it utilised the Pegasus software, how much was used, and whether it entered into a contract with NSO Group. But we can on the basis of information in the public domain or reports by the Wall Street Journal and Financial Times, gather that it involved hundreds of crores of rupees.
If this notification has been sent by Apple to 150 countries, it also shows it may be other companies like another Israeli company called Intellexa Alliance, which also has the Predator spyware, which uses a common vulnerability on iOS devices. It may have sold software to multiple governments across the world.
But this is conjecture.
How is it conjecture? Amnesty released a report in early October which showed the modus operandi of Intellexa’s Predator software. Yet, we cannot to a high level of certainty establish that this Apple notification relates to Intellexa Alliance.
What I am trying to say is that multiple companies exist all over the world which sell spyware technologies to governments. These are expensive, sophisticated products and are used by governments quite often these days against people who are critics of the regime.
So it requires expensive software to carry out these kinds of “state-sponsored” attacks. One techie, however talented, cannot do this on her own. It requires a system in place and a lot more than one or two people carrying out this attack.
Yes, the contract also comes with the installation of hardware, access to internet lines, and contractors who then provide service management. There is a separate service management contract and this model comes through, again the disclosures made by WhatsApp when it filed a case against the NSO Group, which show it is expensive because it is not just software that is being sold. It is a licenced software which means that for each person you want to target, there is an additional cost.
In India, a majority of users are Android users, almost 95%. Android never sends out these kinds of alerts because the engineering of Android phones is very different from Apple. Can you explain how?
I wouldn’t be able to speak about this authoritatively. My expertise is not in the technical evaluation of software.
What should users be doing to keep their phones safe?
The first thing to take into account is that sophisticated spyware will not be planted on people at a mass scale. These are highly sophisticated attacks, but the injury that occurs to the ordinary Indian is because a representative who is in parliament may be compromised and may not be able to fulfil their functions because of spyware attacks. That’s the real injury for most people.
As opposed to the conventional cybersecurity story, where you may want to take direct steps to protect yourself, for most ordinary Indians, what they should be concerned about [in this case] is that the people who give them the news [journalists] and people who represent their democratic interests and question the government [opposition parliamentarians] are being threatened and placed in fear due to repeated spyware attacks on their phones.
Secondly, if a person does receive a threat notification from Apple, the company provides a list of steps which people should take and some steps they should not. The first is they need to verify the notification by logging into their Apple accounts and ensuring their authenticity. Secondly, Apple will never at the time of notification, ask for additional information. Third, they have a special mode called the lockdown mode.
However, in previous instances of spyware infections, the advice commonly given by security researchers, which may cause economic hardship to most people, was to change their smartphones because these are very sophisticated software which may not be removed by a simple reboot or wipe.
Even ordinary people may fear being spied upon. Can you suggest five things for Android users that they can do to keep safe?
For most people, I would say they need to be careful when installing applications. So, if you are installing something like a flashlight app and giving it all permissions, then it can use the data for purposes which may not be to your expectations. So it all starts with data collection and people need to be a bit more careful.