A profile covering Apple’s Paris-based efforts to break its own security shows the lengths the iPhone maker will go to prevent tools like Pegasus from accessing vulnerable users’ data.
In the face of threats such as Pegasus and attempted hacks by state actors, Apple has been forced to step up its security measures over the years. As well as trying to keep iOS and its other operating systems secure, this has also led to efforts such as the introduction of Lockdown Mode and warnings to potential hacking targets.
The profile of Apple’s security work by the Independent detailed some of Apple’s attempts to respond to threats targeting journalists, activists, and people involved in politics. While software is the most obvious arena for Apple’s work, a lot of it also involves hardware.
Work being carried out by Apple engineers in Paris, including against yet-to-launch hardware, involves using various kinds of technology to defeat device security. These attempts include using lasers and other “finely tuned sensors,” due to the need to make the hardware as secure as possible before release.
The rationale is that, while software can be updated with security fixes, devices cannot undergo the same process short of a physical exchange. The testing tries to determine if there are ways the hardware itself can betray security inadvertently, and to eliminate these weaknesses.
Apple’s Paris engineers are described in the report as “perhaps the most highly capable and well resourced hackers” of Apple hardware in the world. In turn, Apple said it believes its work is succeeding, but campaigns to break that security only force more security processes to be used.
A continuing digital arms race
Ivan Krstic, Apple chief of security engineering and architecture, said “I think what’s happening is that there are more and more avenues of attack. And that’s partly a function of wider and wider deployment of technology.”
With more technology in use, “that is creating more opportunity for more hackers to come forward to develop some expertise to pick a niche that they want to spend their time attacking,” Krstic offers. Data breaches have exploded in the last decade, with more than triple the number of attacks between 2013 and 2021.
“During the same amount of time, a number of other attackers have been pursuing new kinds of attack, or different kinds of attacks – against devices, against Internet of Things devices, against really anything that is connected in some way to the internet.”
Krstic believes “the nature of the fight for security is to keep pushing the defenses forward to keep trying to stay one step ahead of not just where the attacks are today, but also where they’re going.”
There are two justifications for investing heavily in security, Krstic tells the report. One is that, since current sophisticated attacks could percolate down and become more widely available, understanding such threats now gives Apple the chance to build defenses against later variants.
Even so, this is the smaller of the two reasons, Krstic reckons.
“When we look at how some of this state-grade mercenary spyware is being abused, the kinds of people being hit with it – it’s journalists, diplomats, people fighting to make the world a better place. And we think it’s wrong for this kind of spyware to be abused in this way. We think that those users deserve trustworthy, safe technology, and the ability to communicate safely and freely, just as all our other users.”
To Krstic, this was “not a business decision. It was doing what’s right.”
In cases where Apple may be going against governments or major agencies, Krstic takes the view that Apple isn’t fighting such entities with its work. “But we do see ourselves as having a duty to defend our users from threats, whether common or in some cases, truly grave.”
The interview touches briefly upon sideloading and Apple’s Digital Markets Act headache over alternative app stores. While the European Commission intends the act to make competition fairer and give users more choice, Krstic disagrees strongly.
The idea of giving people more choice, whether to use third parties or to stay with the App Store’s protections, is a false proposition, believes the security chief.
“The reality of what the alternative distribution requirements enable is that software that users in Europe need to use – sometimes business software, other times personal software, social software, things that they want to use – may only be available outside of the store, alternatively distributed,” Krstic states.
“In that case, those users don’t have a choice to get that software from a distribution mechanism that they trust. And so, in fact, it is simply not the case that users will retain the choice they have today to get all of their software from the App Store.”