Undisclosed HomeKit flaw used by Cellebrite to attack Serbians

Apple's HomeKit is under scrutiny, as Serbian authorities are suspected of exploiting it to install Pegasus spyware without any user interaction at all.

Reported by Amnesty International, at the center of the spyware campaign are two tools — the infamous Pegasus spyware and a locally developed system called NoviSpy. Pegasus, created by Israel's NSO Group, is powerful.

While Serbia's use of spyware tools has gained recent attention, Pegasus has been deployed globally. Governments and organizations worldwide have used it to target journalists, human rights defenders, and opposition leaders.

How the spyware works

Pegasus, developed by Israel's NSO Group, exploits zero-day vulnerabilities, are flaws unknown to software makers, to infect devices silently. Once installed, it can scrape messages, emails, photos, and media files while also turning the phone into a surveillance tool.

Reportedly, no user interaction, like clicking a link, is required to start the attack.

NoviSpy operates similarly but appears locally tailored for Serbia. Unlike Pegasus, which has global reach, NoviSpy has reportedly been installed during physical seizures of devices at police traffic stops or "informational interviews."

While Cellebrite sells their tools for forensic uses, it can be misused by state actors to unlock phones, bypassing security measures and enabling spyware installation.

Targeting Serbians

One journalist, Slavisa Milanov, noticed his phone acting strangely after leaving it at a police station for just a few minutes. The analysis revealed that not only was his phone unlocked using Cellebrite but also that NoviSpy had been installed during that time.

NSO Group

These tools allow authorities to map personal networks, monitor encrypted chats on apps like Signal, and gather intel on protests or activism efforts.

For activists and journalists, the impact has been troubling. One activist said he now only meets sources in public places and avoids using his phone altogether. Another described questioning his entire role in civil society after learning he'd been hacked.

Apple vulnerabilities

Authorities may have exploited vulnerabilities in Apple's HomeKit system to deliver spyware. HomeKit, Apple's smart home platform, uses secure protocols for device communication, but attackers can exploit flaws through malicious invites or network manipulations.

Apple's iMessage remains a frequent target for zero-day exploits, primarily because of its widespread use and extensive features. Pegasus often uses these flaws to install spyware remotely. While HomeKit exploits appear less common, the report suggests they provide yet another entry point for attackers.

Tools like Pegasus have been used globally to target journalists, human rights defenders, and opposition leaders. Apple has responded by introducing features such as Lockdown Mode, which aims to safeguard users against these sophisticated attacks.

However, as the report indicates, spyware developers are continually discovering novel methods to exploit vulnerabilities, sometimes even within Apple systems like HomeKit.

It's not a new case with Apple

Apple has taken a multifaceted approach to combat spyware like Pegasus, combining legal and technical efforts. In 2021, Apple sued NSO Group for its role in deploying Pegasus spyware, seeking to block its access to Apple devices and services.

The company successfully kept the ongoing case in the U.S. after a judge denied NSO's bid to move proceedings to Israel. In iOS 16, Apple introduced Lockdown Mode to restrict high-risk attack surfaces.

However, Pegasus continued evolving in 2023 with three new zero-click exploits targeting iPhones.

Apple has strengthened its security by hiring engineers in Paris to identify vulnerabilities before attackers exploit them. However, spyware developers persist, underscoring the ongoing challenge of securing devices against sophisticated threats.

How users can protect themselves

Journalists, activists, and others concerned about spyware can take simple steps to reduce their risk. Enabling Lockdown Mode in iOS provides an extra layer of protection for those facing heightened threats.

Lockdown Mode, an advanced iOS security feature, protects high-risk users from targeted spyware attacks. It limits device functionalities exploited by attackers, such as blocking message attachments, disabling link previews, and restricting incoming FaceTime calls from unknown contacts.

To enable Lockdown Mode on your iPhone or iPad, open the Settings app, go to Privacy & Security, and scroll down to select Lockdown Mode. Tap Turn On Lockdown Mode, review the explanation, and confirm by selecting Turn On & Restart.

Your device will reboot with Lockdown Mode active, restricting certain features to enhance security. You can disable it anytime by following the same steps.

Next, using strong, frequently updated passwords and enabling two-factor authentication can help safeguard devices against unauthorized access. Caution is equally important when receiving unexpected HomeKit invitations or suspicious messages, as attackers may exploit these entry points.

Apple's reputation for privacy protections remains strong, but these recent incidents show that no system is completely invulnerable.