Apple Spyware Victims: Security Lab Assistance

Cybersecurity Concerns and Apple's Response to Spyware
Prior to recent elections, the cybersecurity team supporting U.S. Vice President Kamala Harris’s campaign contacted Apple requesting assistance. This followed the detection of anomalies on two campaign staffers’ iPhones by a spyware detection tool.
Apple ultimately declined to conduct a forensic analysis of the devices, a decision that doesn’t surprise those working to defend digitally vulnerable groups.
Apple's Notification System
Over the past several years, Apple has been proactively issuing notifications to individuals potentially targeted by government spyware. These alerts inform users they may have been compromised and direct them toward resources for assistance.
Notably, Apple directs these individuals to the nonprofit organization Access Now, which operates a digital helpline for those in civil society who suspect government surveillance, rather than its own security engineers.
A recent alert shared with TechCrunch reads: “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple Account.” The alert emphasizes the seriousness of the threat, stating that the attack is likely targeting the user because of their identity or activities.
While some might view this as a relinquishment of responsibility, cybersecurity professionals specializing in protecting human rights advocates, journalists, and dissidents largely support Apple’s approach.
The Impact of Apple's Alerts
“These notifications have been a game changer for spyware accountability research,” stated John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto.
Scott-Railton observed that many significant cases, including those in Poland and Thailand, originated with an Apple notification.
For spyware investigators, the introduction of these notifications marked a pivotal moment. Previously, identifying potential targets was a challenging task, according to Natalia Krapiva, legal counsel at Access Now.
“I think it’s one of the greatest things that’s happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware,” Krapiva explained to TechCrunch.
When a user receives an Apple notification, they are alerted to potential anomalous activity on their device and advised to seek help. Apple specifically directs them to Access Now’s helpline, which Scott-Railton believes provides effective triage and support.
Access Now’s helpline has received 4,337 requests in 2024 alone. It is staffed by a team of over 30 individuals and supported by other departments within the organization.
The Role of Forensic Investigation
Scott-Railton, Krapiva, and Runa Sandvik, a digital security consultant, all concur that Apple should refrain from conducting individual investigations following notification of potential attacks.
“Big tech companies don’t want to get into the business of doing forensics on people’s devices or accounts,” Sandvik stated. “I think that should remain separate.”
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, suggests Apple could enhance its efforts by producing more detailed reports and initiating legal action.
“These are the things that take massive amounts of money NGOs don’t have and telemetry NGOs don’t have,” Galperin told TechCrunch.
Apple's Ongoing Commitment
According to Apple’s official page on mercenary spyware, updated in October, the company has sent notifications to users in over 150 countries since 2012.
Apple spokesperson Nadine Haija emphasized the company’s dedication to protecting its users, stating they sympathize with the small number affected and continue to work tirelessly to safeguard them.
Haija reiterated that there are currently no known instances of successful spyware infections on Apple devices utilizing Lockdown Mode.
Lockdown Mode and Protective Measures
Apple advises those who receive a notification to update their iOS software and all applications. The company also recommends enabling Lockdown Mode, a security feature that restricts device functionality to mitigate potential exploits.
Apple asserts it is unaware of any successful spyware infections targeting users with Lockdown Mode activated.
Scott-Railton described Lockdown Mode as “a game changer in increasing the security of people’s devices, especially people who are at risk.”
Experts unanimously recommend activating Lockdown Mode if you suspect you may be a target, particularly if you are a journalist, human rights advocate, or political dissident.
Receiving a notification from Apple should be taken with the utmost seriousness.
