
Israeli spyware claims to beat Apple's iCloud security

Apple's iCloud is one of many cloud services the NSO Group reportedly claims it can hack


NSO Group, which previously hacked WhatsApp, is advertising that it is able to gather all of an individual's cloud-hosted data from Apple, Google, Microsoft and more, using its Pegasus malware.

The Israeli company, NSO Group, has been telling its government customers that its Pegasus malware can now extract far more data about any given individual. As well as data on the person's smartphone, the claim is that the group can covertly retrieve all of the information that person has stored on servers owned by Apple, Google, Microsoft, Facebook and Amazon.

According to the Financial Times, that information includes all messages and photos, plus data concerning the entire history of the phone's location.

The NSO Group, whose software was recently used to hack WhatsApp, says that it develops this malware specifically for government use only.

"We do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure," a spokesperson said.

The FT notes that the group did not deny the claims of these capabilities, and that separate research efforts have shown the presence of Pegasus malware on the phones of journalists and human rights activists. The newspaper's unnamed sources, who described an NSO sales demonstration, also provided documentary evidence.

The documents include a sales document which says full access is provided to a person's data without "prompting a two-step verification or warning email on [the] target device."

Graphic from the Financial Times illustrating how the NSO Group's Pegasus software now works (Source: Financial Times)

The Pegasus malware must be installed on the phone, which appears to require root access. If an assailant has root access, a user has problems beyond iCloud monitoring. Methods of penetration have been demonstrated previously.

Once it is loaded, however, it's believed that the Pegasus malware copies the login credentials used to access cloud storage. That information is then sent to the government or other organization using the malware, and they then have full access to that cloud storage.

According to sales documents, the system works with even the latest iPhones and Android phones.

Apple responded to reporters from the FT, saying that its iOS is "the safest and most secure computing platform in the world." Apple has managed to block previous versions of Pegasus, both on iOS and macOS.

"While some expensive tools may exist to perform targeted attacks on a very small number of devices," continued Apple, "we do not believe these are useful for widespread attacks against consumers."

Similarly, Microsoft said it is "continually evolving" its protections. Amazon and Microsoft say they're investigating.



35 Comments

ihatescreennames 1977 comments · 19 Years

Does this method require physical access to the device to install the Pegasus software? It sounds like that is the case, which makes the threat of most people’s data being compromised much lower. 

GeorgeBMac 11421 comments · 8 Years

So, Israel admits spying on Americans. What are the chances Trump will do anything about it?

DAalseth 3066 comments · 6 Years

Carl Sagan said Extraordinary claims require extraordinary evidence. Any charlatan can claim something. Prove it.

EsquireCats 1268 comments · 8 Years

Not that I have in-depth knowledge of this new method, but pretty much all online services already detect for access collisions. I.e., if the phone tries to connect and the 3rd party tool is also connected, the server will dump both.

gatorguy 24627 comments · 13 Years

So, Israel admits spying on Americans. What are the chances Trump will do anything about it?

The software is only sold to governments FWIW. Of course that would not preclude the French government from purchasing and "spying" on an American or vice-versa. Of course the US wouldn't spy on a French citizen anyway...