How Apple detects state-sponsored attacks, and why it is concerning

Q. Can you walk us through what’s going on with the Apple threat notifications?

Apple, back in late 2021, had instituted this system of sending notifications to accounts if their systems believed that they were at the receiving end of a fairly sophisticated attack, what they called a ‘state-sponsored attack’. This is defined on the basis that it seems to rely on tools or maybe exhibit similarities to other attacks that would need a really significantly high amount of resources and investment to be able to execute. And it then sends out these notifications.

Now, initially a number of prominent local opposition politicians received these notifications; it seems to have expanded to journalists as well, some folks in think tanks, etc. Since then, there’s been a back and forth, first in terms of trying to maybe downplay the threat. At one point, I think there were reports of the fact that maybe this could have been a false alarm. And now, of course, you have a conversation about Apple being called in and some sort of probe taking place, so it’s still evolving. But broadly, I think it is something to be pretty concerned about.

Q. Is this a feature that only Apple has enabled? Do we know if Android phones offer similar notifications? If you can also break it down further, what this threat actually means, what this sort of attack means, what does it mean is happening to your phone in that sense?

So to my knowledge, Android doesn’t have an equivalent of this. But it’s worth noting that different companies may have it at different points. Now while Android may not have it, I think Google itself does have some form of notification at an account level.

Understandably, there’s only a limited amount of information that Apple will be able to provide. And the point to note is that the way they do this is unlikely to be an exact science. Typically when there are these attacks that happen, you have what’s called an attack signature, which sort of defines or has certain characteristics of it. And then you look for similarities across previous known attempts.

You would expect that they have a fairly high threshold and will have a reasonable amount of confidence before they trigger something like this, where they say that it’s likely to be a state-sponsored attack. They would not provide more significant information, because once that is public it makes it possible for those same attackers to figure out how to evade this detection in the future.

Also read: Why AI in cybersecurity needs to be part of business strategy to boost resilience

Q. What is your sense of how automated all these notifications might be?

In the security community, there doesn’t seem to be much conversation about the system being unreliable. And I think just a month or so ago, both Citizen Lab and Access Now performed an investigation in the case of a Russian journalist, which began after they got a threat notification and then they were able to confirm the existence of spyware. I’ll use that to tangentially address the false alarm and the false positive theory as well, because I think what weakens that is when you put all the names together, there's an emergence of a clear pattern there in terms of what their political views are, what their political positions are. So if it was just a false alarm or a false positive that had been triggered, you will find an indiscriminate set of people affected. This is still evolving, but at this point, I think the false positive hypothesis is a little weak.

Q. Hollywood movies, television shows and, of course, the whole Pegasus fiasco, showed us that the tech has become very, very sophisticated. Can you give us a real-world sense of how deadly some of these technologies are?

These sorts of spyware are fairly sophisticated, and they're expensive to acquire and deploy. But the idea with them is that they pretty much compromise the entire device and in many cases are extremely hard to detect.

In some cases, we've also seen that if you reboot the device, they get wiped off, but it's not that difficult to get someone re-infected. So a lot of it depends on the type of malware or the type of attack. But broadly, the goal is to compromise a device, which is such a significant part of a person’s being in terms of their interactions, their communications.

Also remember that these are devices that have cameras and mics on them. Right now, in some of those cases of indiscriminate malware, you may detect a significant change in the behaviour of your device, such as the battery draining faster. But normally they tend to be very hard to detect, and don’t often do things that make a perceptible difference in the day-to-day function of your device.

It’s going to vary from one tool of this sort to another. In these cases, they are generally used in a targeted fashion. But again, just because that is the case today doesn’t mean that it will always be the case, right? In that context, for a lot of us who use technology, who use devices such as this, it’s another reminder. Your threat model may not be as high as someone who’s an opposition politician or an adversarial journalist. But it’s a reminder that you do need to be extremely careful with the devices that you are using because they are a tremendous point of vulnerability for us as well.