Reports of Pegasus spyware attacks on Bahraini activists' iPhones heightened fears of unscrupulous, wide-scale security breaches, particularly using such a personal communications device like a smartphone.
Citizen Lab's revelation of Pegasus "zero-click" attacks on the activists is certainly shocking and disturbing. This means a government agency or any entity could pry on phones at will by simply purchasing and deploying commercial malware such as Pegasus. Such spyware even needs no interaction with hacking the victim, like clicking links or granting permissions, to proceed with the attack.
Pegasus 'Zero-Click' Attack Proves Apple's Efforts Against iPhone Breaches Are Not Working
But while this is a condemnable act, which the Bahraini government quickly denied, such "zero-click" breaches are prevalent and can be carried out on any platform. But with Citizen Lab's report of a string of hacks on iPhones, particularly in taking advantage of IMessage vulnerability, it seems Apple's efforts in preventing these attacks are not working.
Apple attempted to address such zero-click attacks on iMessage by adding a security tool called BlastDoor, which filters malicious code from reaching the messaging app, to iOS 14. It would weed out all those questionable components before they could affect the entire OS. However, despite BlastDoor's existence, zero-click attacks continue to persist, proving that Apple has not succeeded in preventing interaction-less hacks from happening.
Apple Vows Stronger iMessage Security, Better Protection in iOS 15
Apple has yet to make a statement on the latest zero-click breach, but a spokesperson told Wired Magazine that the company will further strengthen iMessage security on top of BlastDoor, with new, better protection in iOS 15--which is set for release next month. No further details were given on these new security features amid the seemingly unpreventable zero-click hacks.
Pegasus exploiting iMessage is quite expected, given how the app's features and interconnectivity with the iOS make it an enticing vehicle for zero-click breaches. These offer a window of opportunity for hackers to discover flaws they could exploit. Since the increase of zero-click attacks on iMessage a few years ago, it is quite obvious that Apple doesn't only needs to filter malicious code, but also has to do some overhaul in the app's architecture--which is definitely not forthcoming soon.
Suggestions for Apple to Protect At-Risk Users from Zero-Click Attacks on iMessage
Given this, Wired suggested that Apple could provide special settings so that at-risk users can opt to lock down the iMessages app on their iPhones. Doing this would include choosing to block untrusted content, such as images and links, and prompting the user before accepting messages from people not in their contact list. Apple could also allow users to disable iMessage entirely to keep the device safe.
These may not be appealing for avid users, but if it would mean better defense against zero-click attacks, such options would definitely be worth it.
