A profile describing Apple’s endeavors to bolster security in its Paris operations demonstrates the lengths to which the iPhone manufacturer will go to prevent tools like Pegasus from accessing the data of vulnerable users.
Faced with threats like Pegasus and attempted breaches by state actors, Apple has had to strengthen its security measures in recent years. In addition to fortifying the security of iOS and its other operating systems, the company has also championed initiatives such as introducing Lockdown Mode and issuing warnings to potential hacking targets.
An in-depth examination of Apple’s security practices by The Independent highlights some of Apple’s initiatives in response to threats targeting journalists, activists, and individuals involved in politics. While software is the most evident aspect of Apple’s efforts, a significant portion is also dedicated to hardware.
The work carried out by Apple engineers in Paris, including projects involving unreleased hardware, involves employing a variety of techniques to try to bypass device security. These efforts include the use of lasers and other “precision-tuned sensors” in order to ensure the highest level of security for the hardware prior to its release.
The rationale is that while software can be updated with security patches, hardware cannot be changed in the same way without physical interaction with the device. Testing is conducted to identify any ways in which the hardware itself could inadvertently allow security to be circumvented, and to mitigate these vulnerabilities.
The report characterizes Apple’s Paris engineers as “perhaps the most proficient and well-equipped hackers” of Apple hardware globally. Apple, in response, states it has confidence in the success of its initiatives, but any campaigns to compromise this security only necessitate an increased adherence to security protocols.
A continuous digital arms race
Ivan Krstic, Apple’s chief of security engineering and architecture, remarked, “I believe what is occurring is an escalation in the number of attack vectors. This is partially a result of the progressively wider deployment of technology.”
Krstic suggests, “With the increasing adoption of technology, it creates more opportunities for hackers to emerge and develop expertise in selecting specific areas to concentrate their efforts.” Data breaches have surged over the past decade, with the frequency of attacks more than tripling between 2013 and 2021.
“During this same period, numerous other attackers are launching novel forms of attacks, or altering existing ones – targeting devices, Internet of Things devices, essentially anything connected to the Internet in any manner.”
Krstic is of the opinion that “the essence of the security battle lies in continually advancing defenses to strive to remain one step ahead not only of current attack patterns, but of where they are headed.”
In the report, Krstic indicated that heavy investments in security are justified in two ways. One aspect is that, as current sophisticated attacks proliferate and become more widely accessible, understanding such threats presents an opportunity to fortify defenses against future variants.
Nonetheless, Krstic deems this to be the less significant of the two reasons.
“As we observe the misuse of this state-level mercenary spyware, and the types of individuals who fall victim to it – these are journalists, diplomats, individuals striving to improve the world. We believe it is unjust for spyware to be exploited in this manner. We feel that these users deserve reliable, secure technology and the ability to communicate safely and freely, just like all our other users. They do.”
For Krstic, this was “not a business decision. It was simply doing what is ethical.”
In cases where Apple contends with governments or major agencies, Krstic contends that Apple’s endeavors do not constitute a confrontation with such entities. “However, we consider it our responsibility to shield our users from threats, whether they are commonplace or, in certain instances, quite serious.”
The interview briefly delves into Apple’s challenges with the Digital Markets Act regarding sideloading and alternate app stores. While the European Commission aims to foster fair competition and provide users with more options, Krstić vehemently disagrees.
The head of security avers that the proposition of extending more choices to users, whether using third-party platforms or adhering to the security of the App Store, is a fallacious notion.
“The reality of the requirements for alternative distribution suggests that in Europe, the software that users require – at times business software, at times personal software, social software, applications they wish to utilize – are available through alternative distributions. They might only be accessible outside of stores and distributed,” Krstic asserts.
“In this scenario, those users have no alternative in acquiring that software through the distribution mechanism they rely on. Consequently, it is not the case at all that users will retain the same degree of choice they possess today in obtaining their software from the App Store.”