India’s opposition leaders’ iPhones targeted by state-sponsored hackers | Explained

The iPhone maker confirmed it had sent the threat notifications, but clarified later that it hadn’t named the Indian government in its notifications, nor said whether the hacking attempts were a success.

Published - November 07, 2023 03:11 pm IST

FILE PHOTO: On October 31, more than half a dozen Indian opposition leaders received a notification from Apple, warning them their iPhones were targeted by state-sponsored hackers. | Photo Credit: AP

On October 31, more than half a dozen Indian opposition leaders and prominent journalists received a notification from Apple, warning them their iPhones were targeted by state-sponsored hackers. Parliament members including opposition leader Rahul Gandhi, key leader from the Congress party Shashi Tharoor, Mahua Moitra from All India Trinamool Congress, Priyanka Chaturvedi from the Shiv Sena, head of Samajwadi Party Akhilesh Yadav, Raghav Chadha from AAP, General Secretary of the Communist Party of India Sitaram Yechury and journalists like Siddharth Varadarajan of The Wire and India President of the Observer Research Foundation (ORF) Samir Saran received the update from Apple.

The iPhone maker confirmed it had sent the threat notifications, but clarified later that it hadn’t named the Indian government in its notifications, nor said whether the hacking attempts were a success. A spokesman later hastily stated that the company “does not attribute the threat notifications to any specific state-sponsored attacker,” to avoid falling into a political soup.

“State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behaviour to evade detection in the future,” the notice issued by the company said.

IT Minister Ashwini Vaishnaw said that the government is concerned about the matter and has ordered an investigation, while also steering off allegations, calling Apple’s warning “vague” and merely “estimations.”

The proliferation of iPhone hacks has been worrying for Apple as much of its brand stands on privacy.

What is Apple doing about it?

Days after the vulnerability was found, Apple released security updates patching two zero-day exploits, meaning hacking techniques that were unknown when Apple found out about them.

There’s another method that the Tim Cook-led company released in August 2022 as an “extreme” level of defense against sophisticated spyware like Pegasus, called Lockdown Mode. Under this, Apple users can temporarily switch off some of the most-abused device features to make it harder for spyware to get through. It blocks contact from people the user doesn’t know and switches off link previews in text messages.

On October 27, Apple’s Security Engineering Architecture team published a blog post announcing another advancement in iMessage security called Contact Key Verification, which helps users verify that they’re messaging only with the people they intend.

For this, each device in a user’s iMessage account generates its own set of encryption keys and the private keys can’t be exported to any external system. The feature is available in the developer previews of iOS 17.2, macOS 14.2 and watchOS 10.2.

What is the Pegasus hack?

The incident is reminiscent of the time when the central government was accused of using Pegasus spyware for surveillance on journalists, academics and opposition leaders in July 2021. The New York Times had then reported that Prime Minister Narendra Modi had bought Pegasus as a part of a bigger weapons deal but Indian politicians never admitted to using it.

Created by Israeli company NSO Group, Pegasus was marketed as a product which could be sold only to governments to prevent crime and terror acts. The targets could be fooled into a “zero click” install of the software which then allows the bug to bury itself into the phone.

Researchers have said that a zero-click exploit is a vulnerability which allows the software to infect a user’s phone through a previously unknown security flaw in its operating software, without needing the user to click on a malicious link.

Once the phone is infected, the infiltrator has complete access to the phone including encrypted messages on WhatsApp or Signal. It can also turn the user’s phone into a listening device by manipulating its recorder.

The spyware keeps making a return to headlines with evidence piling up of its misuse in countries like Mexico, UAE, Saudi Arabia and Rwanda aside from India. The recent spate of Pegasus attacks prompted the Biden administration to blacklist NSO in 2021. It is also currently being sued in a lawsuit filed by Apple and WhatsApp.

Just last month, an anonymous individual working with a Washington DC-based civil society organisation with foreign offices was reportedly targeted using Pegasus.

Need for updated laws

In 2017, the Indian Supreme Court declared privacy a fundamental right on the basis of Article 21 of the Indian Constitution. But the caveat was that the right to privacy could be overridden by “state interests” or lawful interception.

Other laws around surveillance like The Indian Telegraph Act and the Information Technology Act were all made much before spyware existed. Not much has changed since.

Kazim Rizvi, the co-founder of public policy think tank ‘The Dialogue’ underlined the need for stronger data protection and surveillance laws.

“Surveillance is essential for safeguarding national security. However, it is important to bring in adequate oversight, both parliamentary and judicial, to provide room for discretion, and to ensure the principle of separation of powers is followed.

The UK has the Intelligence and Security Committee of Parliament, formed under the Intelligence Services Act 1994, to oversee the policies, expenditure, administration and operations of various agencies. A similar mechanism is followed by the United States, where the US Congress monitors law enforcement agencies and intelligence agencies, and there are no statutory restrictions on information access,” he said.
