Amnesty International has reported a security flaw in HomeKit that was exploited to target the iPhones of Serbian journalists and activists.
This civil rights organization launched an investigation after Apple informed two individuals that their devices had been infiltrated by Pegasus spyware.
Detection of NSO’s Pegasus Attacks by Apple
NSO Group is known for developing the spyware named Pegasus, marketed to governmental and law enforcement bodies. The company obtains zero-day vulnerabilities (those unknown to Apple) from hackers, enabling its software to execute zero-click exploits—where the target user does not need to interact with their device.
Reports indicate that merely receiving a specific iMessage—without any need to open or respond to it—could compromise an iPhone and expose personal information.
Currently, iOS actively monitors iPhones for indications of Pegasus attacks, with Apple notifying device owners when threats are detected.
Confirmation of Hacks by Amnesty
According to Amnesty, the initial victims followed Apple’s guidance on seeking assistance, which allowed the organization to confirm the hacking incidents.
Two activists linked to notable Serbian think-tanks received alerts from Apple regarding a potential “state-sponsored attack” on their devices. They subsequently contacted the SHARE Foundation in Belgrade, which collaborated with Amnesty International and Access Now to perform separate forensic examinations of the affected iPhones […]
The technical and forensic analysis conducted by Amnesty International has confirmed that both individuals were indeed targeted by NSO Group’s Pegasus spyware.
Subsequent victims were also identified.
Exploitation of HomeKit to Facilitate Attacks
Amnesty discovered that a vulnerability in HomeKit was leveraged to execute these attacks.
The two devices were attacked within minutes of one another using two different iCloud email addresses controlled by the attackers. Amnesty International associates both of these accounts with the Pegasus spyware system. The organization has repeatedly observed similar iCloud accounts being utilized to dispatch zero-click Pegasus assaults through iMessage […]
The evidence of spyware targeting through Apple’s HomeKit mirrors the attack methods already seen in other NSO Group Pegasus incidents noted by Amnesty International’s Security Lab during that timeframe.
Moreover, the Security Lab confirmed that a different group of individuals in India, who also received alerts from Apple during the same notification round, were targeted by NSO Group’s Pegasus in August 2023. The devices in India exhibited signs of similar HomeKit exploitation prior to the complete Pegasus exploit being transmitted via iMessage.
Specifics about the HomeKit vulnerability have not been disclosed, likely because Apple is still in the process of addressing it.
Compromise of Android Phones
Android devices were similarly compromised during the attack. Additionally, Cellebrite technology was employed to install surveillance software on these locked devices after victims approached law enforcement to report crimes—likely orchestrated by state personnel to escort them into police stations.
This method relied on an Android vulnerability and, as a result, was not applicable to iPhones.
Source: 404 Media. Photo by Patrick Campanale on Unsplash.
: . More.
