Brad Anderson, Microsoft’s corporate vice president for enterprise and client mobility, set out his views in a company blog post last week. He used the Pegasus iOS spyware, revealed last month, as an example of severe vulnerabilities present in iOS. Pegasus is capable of monitoring everything a user does on their device, leaving them vulnerable to further attack.
The malware was analysed by Lookout Security, a Microsoft partner. In its report, Lookout described Pegasus as “the most sophisticated attack we’ve seen on any endpoint.” Since it originates from a leading iOS security firm, Anderson said the statement reveals a lot about the state of security on Apple’s platform.
Anderson is attempting to challenge the trust that consumers typically place in Apple. Android threats are far more numerous and gain more widespread attention than attacks on iOS. iOS is not immune to potentially devastating malware though, in contradiction of the views of some customers. Anderson said Pegasus should be a “pretty startling wake-up call” that everyone is “under constant persistent attack” on every platform.
Microsoft executives have reportedly indicated “unwavering implicit trust” in Apple’s iOS “countless times,” revealing how strong the association between Apple and security has become. The belief that Apple’s platform is stronger than Android appears to derive from iOS’ closed nature. Because it’s a more controlled ecosystem, the attack surface is lower than for Android malware.
This view is dangerous, according to Anderson. Every mobile device is at constant risk of attack, regardless of the platform it runs. “I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can to deliver the most secure operating system possible,” said Anderson.
However, iOS, Android and Windows all have vulnerabilities that expose them to potentially devastating attacks. Some platforms are targeted more frequently than others but this shouldn’t influence people to make assumptions about a platform’s security. Pegasus demonstrates that even a closed ecosystem can be infiltrated by some of the most complex mobile malware ever observed.
Coming from Microsoft, Anderson’s argument represents a powerful message to businesses and consumers that iOS may not be all it seems. Pegasus has proven iOS presents a viable attack vector to cybercriminals. It has also demonstrated that malware has been commercialised to the point that it’s an off-the-shelf product, available for purchase from the secretive NSO Group. According to Microsoft, the idea of a single platform being more secure than others is an urban myth. In real-world terms, any device can be hacked and every user is a target.
