14 DAY TRIAL // Apple devices are once again targeted by a hacking solution developed by an Israeli company, but this time it looks like the spyware can even extract user data stored in iCloud.
Most hacking tools aimed at iPhones have until now been focusing on data stored on the device, without capabilities to connect to iCloud and download the files located there.
A report published by FT reveals that the hacking software is called Pegasus and is developed by Israeli firm NSO Group. It’s believed to be sold only to governments to help with criminal investigations, but as usual, there are worries that others could get their hands on it as well.
The application uses a system similar to a man-in-the-middle attack, basically trying to trick iCloud that it’s the device itself that’s trying to access stored data. It can clone authentication tokens that iPhones used to access iCloud and then load files, providing users controlling it with easy access to everything stored inside an account.
This means that not only photos, videos, and messages are being exposed, but also backups created by other apps. Apps like Facebook and WhatsApp can create backups that are stored in iCloud, so Pegasus would be able to read them all.
Android devices exposed too
According to the cited source, because of the way it works, which involves making iCloud authentication systems believe they’re communicating with the actual device, Pegasus doesn’t require any two-factor verification bypasses, as such prompts aren’t generated in the first place.
iPhones and iPads aren’t the only ones exposed to hacks with Pegasus, as Android devices and even laptops could also be hacked with this software to access both local and cloud data.
In a statement for FT, Apple played down the hacking solution, explaining that while it may exist, only a small number of devices are targeted. The company hasn’t said anything about a potential patch for the vulnerability that’s being exploited by Pegasus.
“Some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers,” it said.