Apple warns senior politicians in India are being surveilled
Apple has warned a host of opposition politicians in India that they may have been targeted by state-sponsored attackers. It has not named the state concerned, and India’s government has ordered a probe into the matter.
State-sponsored attackers may be targeting your iPhone
The note, shared by message and email, warns the attacks are likely taking place because of what the target individuals do, and advises them to apply Lockdown Mode to their devices. One warning was sent to the leader of India’s main opposition party, Rahul Gandhi.
The text/message begins with the warning, “ALERT: State-sponsored attackers may be targeting your iPhone.” It then makes a series of recommendations, including the application of Lockdown Mode – you can read one of these notes here.
“Shashi Tharoor, a key figure from the Congress party; Akhilesh Yadav, the head of the Samajwadi Party; Mahua Moitra, a national representative from the All India Trinamool Congress; Priyanka Chaturvedi of Shiv Sena, a party with notable influence in Maharashtra reported that they too had been notified by Apple regarding a potential security attack on their iPhones,” said TechCrunch.
A real risk environment
We know that state-sponsored attackers have made use of zero-day attacks (attacks that are as yet unknown to Apple) to undermine device security.
To mount these attacks, criminals and nation states pay millions of dollars for the exploits they then use to carry them out. These vulnerabilities are abused by semi-private surveillance-as-a-service outfits such as NSO Group or Paragon. Attacks from the latter also make use of zero-click attacks, which don’t even need the user to do anything for the device to be surveilled.
Apple fights back
Apple has been fighting back against such attacks for years, and has made a determination that when it thinks it detects such attacks, it will warn those being attacked.
“State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future,” Apple explains.
If Apple discovers activity consistent with a state-sponsored attack, it takes these actions:
- A Threat Notification is displayed at the top of the page after the user signs into apple.com.
- Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.