Apple Alert: Threat Notifications Strike at Heart of Indian Democracy – 3 Articles

❈ ❈ ❈

Apple Alert: Threat Notifications Strike at Heart of Indian Democracy, Says Apar Gupta

Newsclick Report

As the list of Opposition leaders, journalists and others going public about receiving Apple alerts on their iPhones warning of possible ‘State-sponsored attacks’ grows, Apar Gupta, an advocate and founder director of the Internet Freedom Foundation, has called for full disclosure by the Indian government of its spyware purchases and deployment.

“This issue strikes at the heart of Indian democracy,” he said, noting that the timing of these notifications, ahead of the ensuing Assembly elections, was indeed “alarming”.

On Tuesday morning, several Opposition leaders of the INDIA bloc tweeted on X screenshots of Apple alerts cautioning them against ‘State-sponsored attacks’ on their iPhones. Congress leaders Shashi Tharoor, K C Venugopal and Pawan Khera, Samajwadi Party chief Akhilesh Yadav, CPI(M) general secretary Sitaram Yechury, NCP’s Supriya Sule, Trinamool Congress MP Mahua Moitra, Shiv Sena (UBT) MP Priyanka Chaturvedi, and senior journalists Siddharth Varadarajan and Sriram Karri are among those who received the Apple alerts.

The full X post by Apar Gupta on the threat notifications and their implications for India’s democracy ahead of the elections is published below:

These threat notifications are due to state sponsored attacks that use spyware such as Pegasus to infect their smartphone. As per Apple, “Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop and often have a short shelf life….State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected.”

Let me directly address the naysayers. Are these merely ‘false alarms’? Let’s consider the evidence:

Firstly, reports indicate that India has been a ground for deploying Pegasus spyware by NSO Group, an Israeli firm. In October, 2019, state attackers targeted activists, and in July, 2021 they extended their reach to public officials and journalists.

The Union Government has not clearly denied these activities in the Supreme Court of India. Moreover, investigations by Amnesty, Citizen Lab, and notifications from WhatsApp corroborate its use, suggesting a pattern in India and a matching victim profile.

Secondly, Access Now and Citizen Lab last month have confirmed the validity of Apple’s threat notifications sent to Russian journalists, including Meduza’s publisher. These confirmations lend high credibility to such notifications.

Thirdly, Financial Times disclosed in March that India is seeking new spyware contracts starting at approximately $16 million and potentially escalating to $120 million in the next few years. These contracts involve companies like the Intellexa Alliance, recently featured in a report called ‘The Predator Files’.

With imminent state assembly elections and the 2024 general elections not far off, the timing of these threat notifications is alarming.

Public cynicism or judicial stupor should not preclude us from demanding an independent, transparent technical analysis and clear disclosures from the Government of India regarding its spyware purchases and deployments. This issue strikes at the heart of Indian democracy.

❈ ❈ ❈

Interview: What Does Apple’s Warning of ‘State-Sponsored Attack’ Mean for Ordinary People?

Meetu Jain interviews Apar Gupta

[On Monday (October 30) night, nearly two dozen people in India – mostly opposition politicians and some journalists – received an alert from Apple saying that their iPhones may have been targeted by “state-sponsored attackers” who are trying to remotely compromise their devices. The notification reignited the conversation about government misuse of spyware, even as the government went into damage control mode following the alert to users.

The Wire spoke to Apar Gupta, advocate and founding director of the Internet Freedom Foundation (IFF), about the alert and what it means for smartphone users in India.]

Meetu Jain: How would Apple have discovered this attack by “state-sponsored” actors?

Apar Gupta: Apple, when it manufactures a phone, also takes responsibility for the security and privacy of its operating system, iOS. After the rise in spyware attacks across the world over the past few years, Apple introduced a feature that would alert a user if there was a state-sponsored hacking attempt through a threat notification. Apple has teams that look at such [attempts and then to provide] threat notifications.

MJ: Would you call this a zero-day attack?

AG: A zero-day attack is when a vulnerability is secretly known to a threat actor which is then shared to a third party – that may be a company or the state – and by [exploiting] this vulnerability, they can install software secretly into your smartphone or take data secretly from your phone without your knowledge.

I don’t know whether this is a zero-day attack or a vulnerability that has been documented earlier. It could have exploited vulnerabilities in an application that was installed in iOS or a vulnerability within iOS. That level of specificity is not available in the threat notification because. Apple states that the attack was from a state-level actor. It did not disclose or give further information because that information will help state actors to exploit that vulnerability or change their working methods to get back into the phone.

MJ: So if there is an attack on a wider scale, Apple will come to know about it?

AG: To say that if it happens, Apple will certainly get to know is not correct. Apple may not get to know. But when it gets to know, it notifies the user.

MJ: Notifications like these have gone to 150 countries since Apple’s Threat Notifications feature began in November 2021. Is state-sponsored surveillance an expensive affair or can it be done by a solitary hacker using, for instance, just a laptop?

AG: The last known incident, in which public disclosures exist, was concerning the NSO Group, the Israeli company, that sold the [Pegasus] spyware software to multiple governments across the world. Sales of this software [were worth] hundreds of crores [of rupees], [based on information from] a contract between the NSO Group and the government in Uganda which was submitted in a US court by WhatsApp as part of a case. Then, one of the infection patterns was a zero-day attack on a vulnerability that existed in WhatsApp, which allowed the NSO Group to infect a person’s Android or iOS device through a missed call. This was used by multiple governments all over the world to install Pegasus on the phones of journalists, opposition politicians, human rights defenders and activists.

As per reports, it was also used in India. There has been a lack of information and disclosure [in India], even after a court-appointed inquiry put questions to the government of India on whether it utilised the Pegasus software, how much was used, and whether it entered into a contract with NSO Group. But we can on the basis of information in the public domain or reports by the Wall Street Journal and Financial Times, gather that it involved hundreds of crores of rupees.

If this notification has been sent by Apple to 150 countries, it also shows it may be other companies like another Israeli company called Intellexa Alliance, which also has the Predator spyware, which uses a common vulnerability on iOS devices. It may have sold software to multiple governments across the world.

MJ: But this is conjecture.

AG: How is it conjecture? Amnesty released a report in early October which showed the modus operandi of Intellexa’s Predator software. Yet, we cannot to a high level of certainty establish that this Apple notification relates to Intellexa Alliance.

What I am trying to say is that multiple companies exist all over the world which sell spyware technologies to governments. These are expensive, sophisticated products and are used by governments quite often these days against people who are critics of the regime.

MJ: So it requires expensive software to carry out these kinds of “state-sponsored” attacks. One techie, however talented, cannot do this on her own. It requires a system in place and a lot more than one or two people carrying out this attack.

AG: Yes, the contract also comes with the installation of hardware, access to internet lines, and contractors who then provide service management. There is a separate service management contract and this model comes through, again the disclosures made by WhatsApp when it filed a case against the NSO Group, which show it is expensive because it is not just software that is being sold. It is a licenced software which means that for each person you want to target, there is an additional cost.

MJ: In India, a majority of users are Android users, almost 95%. Android never sends out these kinds of alerts because the engineering of Android phones is very different from Apple. Can you explain how?

AG: I wouldn’t be able to speak about this authoritatively. My expertise is not in the technical evaluation of software.

MJ: What should users be doing to keep their phones safe?

AG: The first thing to take into account is that sophisticated spyware will not be planted on people at a mass scale. These are highly sophisticated attacks, but the injury that occurs to the ordinary Indian is because a representative who is in parliament may be compromised and may not be able to fulfil their functions because of spyware attacks. That’s the real injury for most people.

As opposed to the conventional cybersecurity story, where you may want to take direct steps to protect yourself, for most ordinary Indians, what they should be concerned about [in this case] is that the people who give them the news [journalists] and people who represent their democratic interests and question the government [opposition parliamentarians] are being threatened and placed in fear due to repeated spyware attacks on their phones.

Secondly, if a person does receive a threat notification from Apple, the company provides a list of steps which people should take and some steps they should not. The first is they need to verify the notification by logging into their Apple accounts and ensuring their authenticity. Secondly, Apple will never at the time of notification, ask for additional information. Third, they have a special mode called the lockdown mode.

However, in previous instances of spyware infections, the advice commonly given by security researchers, which may cause economic hardship to most people, was to change their smartphones because these are very sophisticated software which may not be removed by a simple reboot or wipe.

MJ: Even ordinary people may fear being spied upon. Can you suggest five things for Android users that they can do to keep safe?

AG: For most people, I would say they need to be careful when installing applications. So, if you are installing something like a flashlight app and giving it all permissions, then it can use the data for purposes which may not be to your expectations. So it all starts with data collection and people need to be a bit more careful.

(Courtesy: The Wire.)

❈ ❈ ❈

The Most Dangerous Software Known to Humankind

Paranjoy Guha Thakurta

Book Review

Laurent Richard and Sandrine Rigaud

Pegasus: The Story of the World’s Most Dangerous Spyware

Macmillan, 2023

Palestine and Israel continue to dominate the news cycle. Then one learns that several Members of Parliament and leaders belonging to political parties opposed to the ruling regime in this country, those working in the office of Rahul Gandhi, a few individuals apparently on the other side of the divide, not to mention a few journalists, including Siddharth Varadarajan, one of the founding editors of The Wire, and Anand Mangnale and Ravi Nair of the Organised Crime and Corruption Reporting Project (OCCRP), have all been “alerted” by Apple:

“State-sponsored attackers may be targeting your iPhone… These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.”

If you thought iPhones were more secure than cellular mobile phones with the more commonly-used Android operating system, you are wrong.

Is there anything common between Israel and the alert issued by Apple? Answer: Yes.

Named after a mythical winged horse from Greek mythology, Pegasus is one of the world’s most powerful cyberweapons. To say that Pegasus is the nuclear bomb of computer software would be an understatement. It is a “zero-click” tool. In other words, the person who uses a mobile phone does not have an iota of an idea if, how, when and where their phone has been infected by this spyware. Earlier, one would have to click on a link to enable malware to enter the phone. Technology has “progressed” at a phenomenally rapid pace.

The privately-owned Israeli company called the NSO Group that developed the world’s most dangerous surveillance tool claims that it is used for law enforcement: for nabbing terrorists, drug dealers and paedophiles, tracking drones and even finding people trapped in the rubble of a collapsed building. But this spyware – and its clones and imitations, including one named Predator – that is supposedly made available only to government law-enforcing agencies after due authorisation by the Israeli government, is also misused by regimes across the world, especially authoritarian ones. Only governments, and perhaps indirectly a few big business groups, can shell out the big bucks needed for the targeted deployment of Pegasus. Tel Aviv claims that the spyware is sold only to government bodies and NSO denies its unauthorised use; this argument is what Laurent Richard and Sandrine Rigaud’s book Pegasus: The Story of the World’s Most Dangerous Spyware seeks to dispute and demolish.

The crucial question that logically arises in the context of what’s currently going on is, why Israel’s military forces could not anticipate the attack by Hamas on October 7, despite having developed the most advanced spyware. This question remains unanswered.

To go back to Pegasus, the fact is that this spyware has been, and almost certainly continues to be, misused to track not just the political opponents of those in power in several countries, but also those within their respective governments who the rulers want to keep an eye on. Pegasus has been used to listen in to, read and view conversations, text and audio messages as well as videos over electronic mail and text communications on the mobile phones of quite a few heads of governments. For example, the royalty of Morocco used the spyware to snoop on top functionaries of the government of France as well as dissidents. The most widespread use of Pegasus is to track politicians, journalists, lawyers, judges, government officials and human rights activists.

This is what this book is all about. It has been written by two journalists who work with the Paris-based Forbidden Stories, which received a data leak of some 50,000 phone numbers on which Pegasus had apparently been used. Amnesty International was first roped in as a collaborator. Thereafter, the numbers were shared with more than 80 journalists working in 17 media organisations across the world, including The Wire in India. Those willing to have the innards of their phones forensically examined after extracting data from their personal devices, saw the information being scrutinised by technical experts in Europe and in Canada (at the Citizen Lab). The book details the elaborate way the global investigation was conducted over more than three months and finally made public in a coordinated manner in July 2021.

What makes the 318-page book extremely readable is that it is written in a racy style and filled with many anecdotes and accounts of the personal experiences of individuals. These include many heart-rending, real-life stories of people who were killed, their families devastated and how innocent people were harassed, tortured and incarcerated merely for doing their jobs in earnest – that is, exposing corruption in high places, abuses of power and the nexus between criminals and top government officials. The stories in the book are not just about death and destruction but also about amazing courage and fortitude. The way the researchers and technical experts behind the investigation went about their work in digging up the dirt about Pegasus is recounted in gripping detail.

■ ■

Before proceeding further, a personal disclaimer is in order. Besides the founding editors of The Wire Siddharth Varadarajan and M.K. Venu, this reviewer is among those whose phones were forensically examined and who are named in the book at many places. I am also among those who have petitioned the Supreme Court of India in this connection. Whereas several governments in different countries have initiated probes into allegations of misuse of the spyware, the government of India has brazenly stonewalled attempts to disclose whether it has used Pegasus, that too despite the intervention of the country’s highest court. Not only does the government’s stance suggest that it has much to hide, the Supreme Court too hasn’t exactly covered itself with glory because of the tardy way in which it has acted – or rather, not acted.

On October 27, 2021, the Supreme Court had formed a committee headed by retired Justice R.V. Raveendran, with two members assisting him: Alok Joshi, former director of the government’s external intelligence agency the Research and Analysis Wing (RAW) in the Cabinet Secretariat and 1976 batch officer of the Indian Police Service; and Sundeep Oberoi, chairman of the sub-committee of the International Organization of Standardization, International Electro-Technical Commission and Joint Technical Committee. The committee was supported by another panel of three technical experts: Naveen Chaudhary, a professor of cyber security and digital forensics at the National Forensic Sciences University, Gujarat; Prabaharan P., professor, Amrita Vishwa Vidyapeetham, Kerala and expert on cyber security; and Ashwin Anil Gumaste, professor, department of computer sciences and engineering, Indian Institute of Technology, Bombay.

A day before the then Chief Justice of India N.V. Ramana retired on August 26, 2022, he observed in court that the government of the day had not cooperated with the committee he had appointed. He remarked: “We will say one sentence — the government did not cooperate with the technical committee on scrutiny of the devices for Pegasus spyware.”

He was that day presiding over a three-judge bench comprising Justices Surya Kant and Hima Kohli. He opened the voluminous report in three parts in court and the judges went through it quickly. The CJI said the technical committee had examined 29 phones and found malware in five of them but could not state if the malware was Pegasus. He said the Raveendran committee’s report would be uploaded on the website of the Supreme Court but the technical committee’s report would be uploaded after redacting portions as committee members had requested that personal data not be disclosed.

CJI Ramana said the Raveendran committee had recommended changes in the existing law on surveillance and also suggested that the protection of privacy be enhanced “along with the cyber secrecy of the nation”. The CJI said the committee’s recommendations and observations could be made public.

The bench stated: “Such a course of action taken by the Respondent Union of India, especially in proceedings of the present nature which touches upon the fundamental rights of the citizens of the country, cannot be accepted…The mere invocation of national security by the State does not render the Court a mute spectator.”

Earlier, when CJI Ramana had asked the Solicitor General of India Tushar Mehta representing the government to answer a straight question – has any agency of the Indian government purchased and used Pegasus – the latter refused to answer “yes” or “no” ostensibly on the ground that the answer would adversely affect “national security interests”. This was how brazen the government’s response was. But worse was to follow.

After the Raveendran committee and the technical committee submitted their reports in a sealed cover, and despite CJI Ramana’s observations in court, late at night on August 25, 2022, the Supreme Court decided to “re-seal” the report of the Raveendran committee and keep it in the “safe custody” of the Secretary General of the court. The legal website The Leaflet commented: “The decision to keep the two reports under wraps, despite the CJI’s oral commitment to upload them on the Supreme Court’s website, disappointed those who expected some degree of transparency from the highest court.”

The case was supposed to be heard after four weeks. But more than 13 months have gone by and nothing has happened. Meanwhile, curiously, the depositions that were video-graphed (of various individuals, including Varadarajan and me) and made available on the publicly-available website set up by the inquiry committee, cannot be accessed at present.

■ ■

To return to the book by Richard and Rigaud, the particularly gripping stories are not just about Jamal Khashoggi, the Washington Post columnist and occasional critic of the royal family of Saudi Arabia (in particular, Mohammed bin Salman or MBS) who was allegedly complicit in engaging certain persons who cut Khashoggi’s body into pieces in October 2018 inside the Saudi consulate in Istanbul, Turkey. Pegasus was apparently deployed to track his fiancée and his lawyers even as he entered the consulate.

Equally gripping are the stories of journalists from Mexico, some of whom are no more. The murder of 39-year-old journalist Cecilio Pineda remains unsolved, as does the unnatural death of Regina Martinez of Proceso. Both exposed the working of the drug mafia whose members bribed and colluded with local government officials and police personnel. The phone of another investigative journalist, Jorge Carrasco, was apparently compromised by Pegasus even as he continued to probe the circumstances of the deaths of his fellow journalists.

The book diligently documents not just the ghastly consequences of state surveillance on individuals but juxtaposes these with stories of resistance and courage. The examples of brave journalists, Khadija Ismayilova of Azerbaijan, and Bastian and Frederik Obermaier of Hungary, provide silver linings of hope in the dark clouds of dictatorship and authoritarianism.

Out of the 50,000 odd phone numbers that were “leaked” to Forbidden Stories (perhaps by an NSO insider), over 1,000 numbers in some 50 countries were found to have been allegedly infected by Pegasus after verification with multiple sources. Among these numbers were those that belonged to three presidents, ten prime ministers, one king, two Emirati princesses (no prizes for guessing their names), at least 600 politicians and government officials, 192 journalists, and 85 human rights activists and lawyers.

Let me anticipate a reaction to this review from supporters of the BJP and those who are part of the right-wing ecosystem, an instance of “whataboutery”. If Pegasus has indeed been misused across the world, what’s new about what is happening in India? Small consolation then?

Be that as it may, there is much in the book about the international operation and how 80 journalists working in 17 media organisations across the world were persuaded to keep the entire investigation under wraps for many months, that is, before detailed questionnaires were e-mailed to NSO in Israel. The book ends soon after July 2021 when the stories were published in a coordinated manner over more than a week. I think it’s time for Richard and Rigaud to publish a revised, enlarged edition of the book. Check out the many dozens of Indians whose names were disclosed in the series of articles published by The Wire that month.

One last remark. Why have I repeatedly used the word “allegedly” in this review article? The reason is simple: traces of Pegasus are very, very difficult to find. To understand how difficult this process is, read the book.

(Paranjoy Guha Thakurta is a Delhi-based journalist. He is the co-author (with Ravi Nair) and publisher of ‘The Rafale Deal; Flying Lies? The Role of Prime Minister Narendra Modi in India’s Biggest Defence Scandal’. Courtesy: The Wire.)

Janata Weekly does not necessarily adhere to all of the views conveyed in articles republished by it. Our goal is to share a variety of democratic socialist perspectives that we think our readers will find interesting or useful. —Eds.
