date 2023-10-31

Opposition leaders were among Indians who received emails and messages on Monday from Apple warning them that state-sponsored attackers were potentially trying to compromise their iPhones. The alerts came a year after a committee of experts appointed by the Supreme Court reported that it could not conclusively establish the presence of Pegasus spyware on the 29 phones it analysed. Apple says it has sent such notifications to users in 150 countries since the system was launched.

In July 2021, a consortium of media outlets and investigative journalists reported that the phone numbers of Indian ministers, politicians, activists, businessmen, and journalists were among some 50,000 numbers on a leaked list of potential targets of the Pegasus spyware.

In November 2021, months after those disclosures, Apple sued the NSO Group, the Israeli company that makes Pegasus, and at the same time announced a threat notification system to warn users whom it believes state-sponsored attackers may have targeted.

How does Apple notify?

It sends an email and an iMessage to the address and phone number associated with the user's Apple ID. The company also displays a red "Threat Notification" banner at the top of the page after the user signs in at appleid.apple.com. The banner states the date on which the notification was sent by email and iMessage, so a user can check that a message they received is genuine rather than a phishing lure.

Is the process foolproof?

No. Given the sophistication of state-sponsored attacks, Apple says that some notifications may be false alarms and that some attacks may never be detected at all.

How does Apple detect such attacks?

Apple says its detection relies on threat-intelligence signals that are often imperfect and incomplete. The company does not disclose what triggered a particular notification, "as it may help state-sponsored attackers adapt their behaviour to evade detection in the future".

How to detect a fake threat notification?

Many spyware operators still rely on a user tapping a malicious link sent by SMS, email, WhatsApp or a similar channel, although the best-resourced attackers also use zero-click exploits that need no interaction from the victim. Apple makes it clear that its threat notifications never contain links to click. It never asks users to open files, install apps or configuration profiles, or to provide an Apple ID password or verification code by email or over the phone. Where Apple does refer to a URL for further information, it writes the address spaced out so that the user has to type it rather than click it, so a genuine notification can never be mistaken for a message asking the user to click through.
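The checks Apple describes can be applied mechanically to an incoming message. The following Python script is an added example, not Apple's code and not part of the original article: it parses a raw email and flags a clickable link, a request to click, install an app or profile, or hand over a password or verification code, an attachment, and a sender domain other than an assumed expected domain. The `expected_sender_domain` default and the two sample messages are constructed for illustration, not real Apple mail.

```python
import re
from email import message_from_string
from email.message import Message

# Clickable links: bare URLs in text, or HTML anchors.
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)\S+')
ANCHOR_RE = re.compile(r'(?i)<a\s[^>]*href\s*=')

# Requests that, per Apple, a genuine threat notification never makes.
# The patterns require an imperative ("enter your password"), so a sentence
# that merely mentions passwords ("we will never ask for your password") passes.
RED_FLAG_PHRASES = {
    'asks the reader to click': r'(?i)\bclick (?:here|the link|below)\b',
    'asks the reader to install an app or profile':
        r'(?i)\binstall (?:this|the|a) (?:app|profile)\b',
    'asks for an Apple ID password':
        r'(?i)\b(?:enter|confirm|provide|reply with|send) your (?:apple id )?password\b',
    'asks for a verification code':
        r'(?i)\b(?:enter|confirm|provide|reply with|send) (?:your|the) (?:\w+ )?verification code\b',
}


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text of every non-multipart part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == 'multipart':
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or 'utf-8'
        chunks.append(payload.decode(charset, errors='replace'))
    return '\n'.join(chunks)


def _sender_domain(msg: Message) -> str:
    """Domain part of the From header, lower-cased; empty if absent."""
    m = re.search(r'@([\w.-]+)', msg.get('From', ''))
    return m.group(1).lower() if m else ''


def triage(raw_email: str, expected_sender_domain: str = 'apple.com') -> dict:
    """Return the sender domain and the list of red flags found in a message
    that claims to be an Apple threat notification.

    expected_sender_domain is an assumption for illustration. A From header
    is trivially forged, so a matching domain is a weak signal while a
    mismatch is a strong one.
    """
    msg = message_from_string(raw_email)
    body = _body_text(msg)
    domain = _sender_domain(msg)
    flags = []
    if not (domain == expected_sender_domain
            or domain.endswith('.' + expected_sender_domain)):
        flags.append(f'sender domain {domain!r} is not under {expected_sender_domain}')
    if URL_RE.search(body) or ANCHOR_RE.search(body):
        flags.append('contains a clickable link')
    for label, pattern in RED_FLAG_PHRASES.items():
        if re.search(pattern, body):
            flags.append(label)
    if any(part.get_filename() for part in msg.walk()):
        flags.append('carries an attachment')
    return {'sender_domain': domain, 'red_flags': flags}


# Constructed sample messages for illustration; neither is a real Apple notification.
GENUINE_LIKE = """\
From: Apple <noreply@email.apple.com>
To: user@example.com
Subject: ALERT: State-sponsored attackers may be targeting your iPhone
Content-Type: text/plain; charset=utf-8

Apple believes you are being targeted by state-sponsored attackers.
Sign in to appleid . apple . com to see this notification.
Apple will never ask you to click a link, install an app, or share your password.
"""

PHISHING = """\
From: Apple Security <alert@apple-security-team.com>
To: user@example.com
Subject: Urgent: your iPhone has been compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your device was attacked by state-sponsored hackers.</p>
<p><a href="https://appleid-verify.example/login">Click here</a> to secure your account
and enter your Apple ID password to confirm your identity.</p>
</body></html>
"""

if __name__ == '__main__':
    for name, sample in (('genuine-like', GENUINE_LIKE), ('phishing', PHISHING)):
        print(name, triage(sample))
```

The sender-domain test is the weakest of these checks, because the From header can be forged by anyone; a message that passes every check is still only "not obviously fake". The authoritative confirmation remains the banner shown after signing in to the Apple ID account page, which the attacker cannot forge.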

Could anyone be targeted?

Apple notes that most people will never be targeted by a state actor. Such attacks require considerable money, infrastructure and skilled people, which is why the entities that can mount them are usually backed by nation-states. Politicians, human rights activists, journalists, and vocal or influential critics of a government are the kind of people who could be targeted.

Apple's website emphasises that, unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. "State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks."

What can one do to avoid getting targeted?

Basic cyber hygiene: keep devices and apps updated, use a device passcode, strong unique passwords and multi-factor authentication, do not sideload apps or reuse passwords across services, and avoid opening links or attachments from unknown senders. Users who believe they may be targeted should enable Lockdown Mode.

What is the Lockdown Mode?

Apple introduced Lockdown Mode in September 2022 with iOS 16 and iPadOS 16, followed by macOS Ventura in October 2022 and watchOS 10 in September 2023, in response to state actors using mercenary spyware against critics and others they perceived as threats. The mode makes a number of apps and features work differently in order to shrink the attack surface that "highly targeted mercenary spyware" can exploit. For instance, most message attachment types are blocked; certain complex web technologies are blocked, which can stop some websites from loading correctly or at all; and incoming FaceTime calls are blocked unless the user has previously called that person.

