Apple’s iPhone has a ‘major blinking red five-alarm-fire problem with iMessage security,’ according to a cybersecurity researcher

  • Apple’s iPhones are a lot less secure than Apple says, a new report said.
  • It has “a MAJOR blinking red five-alarm-fire” issue with iMessages, a cybersecurity researcher said.
  • A security exploit was reportedly used by a spyware firm to give hackers access to iPhones.

Apple’s iPhone isn’t as secure as Apple says it is, a bombshell new report from a group of media outlets and Amnesty International said.

“Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security,” Bill Marczak, a senior research fellow at Citizen Lab, said on Sunday.

Amnesty International said hackers were able to remotely access and replicate data from phones tied to 37 people, primarily reporters and executives, by using a software tool called Pegasus created by NSO Group.

The software is sold to governments and considered a military-grade hacking service. With Pegasus, hackers are able to infect phones with “zero-click” texts through iMessage, meaning the target user doesn’t even have to interact with the text to have their phone breached.

Moreover, the report found that even the most up-to-date firmware and iPhone hardware could be breached by Pegasus.

Forensic reports completed by Amnesty International and verified by Citizen Lab found that even iPhones running iOS 14.6, the latest version of Apple’s mobile operating system, were susceptible to hacking.

“All this indicates that NSO Group can break into the latest iPhones,” Marczak said.

One such target with an iPhone was the fiancée of the Washington Post reporter Jamal Khashoggi, according to the report. A forensic analysis of Hatice Cengiz’s iPhone found evidence of multiple breaches starting in early October 2018 – immediately after Khashoggi’s killing on October 2, 2018.

In a recent PBS “Frontline” segment regarding the spyware, Cengiz asked the Washington Post reporter Dana Priest why people said iPhones were more secure than other phones.

“That’s what the iPhone says, the company,” Priest responded. “That’s not true.”

After the report came out, NSO Group released a statement rebuking its findings.

“We firmly deny the false allegations made in their report,” the statement said. “These allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”

Apple representatives didn’t immediately respond to a request for comment regarding the specific iPhone security issues outlined in the report, and it’s unclear whether an update is coming to patch the exploit.

“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Ivan Krstić, Apple’s security-engineering chief, said in a statement to Insider. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.

“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
