tl;dr
Recently, Apple cautioned several iPhone users of ‘state-sponsored attacks’ that they are likely being targeted for, sparking speculations about state actors wanting to hack and remotely manipulate the mobile phones of certain opposition leaders and journalists. Read our short statement on the threat notification here. As CERT-In launches a probe on the notification, we write in, highlighting key considerations and historical baggage that should inform the investigation.
Background
On October 30, 2023, Apple sent a threat notification to the mobile phones of opposition leaders, journalists, and researchers in India, which read “state-sponsored attackers may be targeting your iPhone”. The notification was sent to multiple opposition leaders including Mahua Moitra, Mallikarjun Kharge, Raghav Chadha, KC Venugopal, Sitaram Yechury, Asaduddin Owaisi, Priyanka Chaturvedi, Shashi Tharoor, TS Singhdeo, Revanth Reddy, Pawan Khera, Supriya Shrinate, Akhilesh Yadav, and several journalists and researchers including Siddharth Varadarajan (The Wire), Sriram Karri (Deccan Chronicle), Ravi Nair and Anand Mangnale (OCCRP), and Samir Saran (ORF). The Union Government has asked the Ministry of Electronics and Information Technology’s (“MeitY”) Computer Emergency Response Team (“CERT-In”) to launch a probe into the threat notification. IFF wrote to CERT-In, requesting the team to conduct a holistic investigation with due consideration to the administration’s recent history of targeting voices of dissent with invasive spyware (see here, here).
How does it work?
Apple claims that its threat notification system detects state-sponsored attacks using the threat intelligence signals it receives, and is designed to inform and assist users who may be individually targeted owing to “who they are or what they do”. The notification can be authenticated by signing in with one’s Apple ID on the website appleid.apple.com, where the user is greeted with a large red banner which reads “threat notification”. To distinguish itself from spam or phishing messages, Apple threat notifications never bear any links or media. Further, Apple does not provide any information about how it detected the attack, “as it may help state-sponsored attackers adapt their behaviour to evade detection in the future”. Apple recognises that this process is not completely foolproof due to the sophistication and complex nature of state-sponsored attacks, which means some notifications might be false positives, and some attacks may not be detected at all, i.e. false negatives.
A lukewarm state response
The Union Minister for Electronics and Information Technology, Ashwini Vaishnaw, stated in a press conference on October 31, 2023 that a CERT-In investigation has been ordered towards the threat notification. He claimed that the notification was a “vague advisory” based on “certain estimations that they have done.” He added that Apple’s encryption system is of the highest possible order, and that this kind of advisory has been issued in 150 countries, which has the unfortunate effect of diluting its gravity.
Our message for CERT-In
As CERT-In begins investigation into the threat notification and the alleged state-sponsored attack, we wrote to them requesting the team to consider the following:
First, the need for a holistic investigation. We acknowledged that CERT-In is empowered to conduct only a technical and forensic evaluation of affected devices. Such evaluation is limited to examining code and network behaviour, and fails to address key elements of the incident, such as the intent behind targeted state-sponsored attacks, the process of identifying targets, procurement and use of spyware by state actors, accountability, oversight, and legal safeguards. Apar Gupta, IFF’s Founder Director, stressed the need for a 360-degree investigation of the threat notification which should not only be limited to technical and forensic evidence, but also require testimony from affected parties, witnesses, and appropriate office bearers. As CERT-In does not possess the jurisdiction to undertake such proceedings, we request that any reports/documents recording the findings of this investigation contain a recognition of such limitations.
Second, the need to acknowledge the state’s historical baggage in this domain. Though the notification has been deemed “vague” and speculative by the Union Government, recent history of targeted state-sponsored attacks suggests exercising caution. In 2021, 300 Indian phone numbers, including those belonging to ministers, politicians, activists, researchers and journalists, were among the 50,000 reportedly targeted with an Israeli military-grade spyware, Pegasus. Such spywares can only be deployed by hacking a phone that has been targeted by it. On a thorough examination of media reports and the Union Government’s response thereto, IFF, in a public statement, deemed the response insufficient and that it failed to conclusively address the detailed investigations done by Indian and international media.
Compromising or hacking the phones of Indian citizens has no basis in Indian law. Statutory surveillance powers under the Telegraph Act, 1885 and the Information Technology (“IT”) Act, 2000 do not permit the installation of spyware or hacking of mobile devices. In fact, such acts are criminalised under the IT Act, 2000. Further, targeted attacks and hacking of mobile phones are grave violations of privacy, as the device’s cameras, microphones, and other functions can be manipulated and monitored without the user’s knowledge or consent. Given the gravity of allegations and similar incidents in recent history, we urge CERT-In to proceed with a fair and thorough investigation, irrespective of Apple’s threat notifications not being completely foolproof, or its statement being “vague”.