iPhone 12 Mini and iPhone 12 Pro Max.
Todd Haselton | CNBC

Apple iPhones can be compromised and their sensitive data stolen through hacking software that doesn’t require the phone’s owner to click on a link, according to a report by Amnesty International published on Sunday.

Amnesty International said it discovered iPhones belonging to journalists and human rights lawyers had been infected with NSO Group’s Pegasus malware that can provide the attacker access to messages, emails and the phone’s microphone and camera.

The revelation suggests governments using NSO Group software have been able to successfully hack iPhones to spy on user data using methods unknown to Apple, and that even keeping an iPhone up-to-date cannot stop a dedicated attacker who’s using expensive and secretive spy software.

The nature of the attacks also suggests changing user behavior, such as avoiding clicking on unknown or phishing links in messages, may not protect iPhone users against NSO’s software. Past versions of Pegasus required the user to click a malicious link in a message, Amnesty International said.

NSO Group is an Israeli firm that says it sells to vetted government agencies and law enforcement to prevent terrorism, car explosions and to break up sex and drug trafficking rings.

Amnesty International found evidence of a hack in an iPhone 12, the newest iPhone model, running iOS 14.6, which was the most current software before Monday. Apple updated its software to iOS 14.7 on Monday but has not yet released security details that could indicate whether it has fixed the exploits identified by Amnesty International.

Amnesty International obtained a leaked list of 50,000 phone numbers that may have been targeted by spy software made by NSO Group. It found evidence that Android devices were also targeted by NSO Group software, but wasn’t able to examine those devices in the same way as the iPhones.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple’s head of security engineering and architecture Ivan Kristic said in a statement.

An iPhone software update from Apple could fix the exploit

Security experts say the most effective way to stop malware is to keep devices patched with the latest software, but that requires the device maker to be aware of the bugs the attackers are using. If they are “0days,” as NSO Group is accused of using, that means that Apple has not yet been able to fix the exploits.

Once Apple fixes the exploit, it’s no longer a 0day and users can protect themselves by updating to the latest version of the operating system.

That suggests that NSO Group’s software could stop working or lose the capability to target up-to-date phones as soon as Apple fixes the exploits — which it starts doing as soon as it learns of the attacks, Apple said.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” Kristic said.

iPhone privacy has been a key marketing strategy

Apple has made security and privacy one of its key marketing strategies, arguing its control of the operating system, and the hardware that powers it, allows Apple to deliver a higher level of security and privacy than devices made by rivals.

Apple said its security team is four times larger than it was five years ago and employees work to improve device security as soon as it finds new threats. Apple publishes security fixes for each software update on its website, cataloging them with industry-standard “CVE” numbers and crediting security researchers who find them.

Amnesty International’s report said NSO Group’s software doesn’t stay on an iPhone when it’s rebooted, making it harder to confirm that a device has been infected. It also suggests users who are worried about being targeted may want to regularly reboot their devices.

Amnesty International said it worked with international media groups to publish details about a handful of the phone numbers it found on the leaked list and the specific circumstances that led them to have been targeted by NSO software. Some American phone numbers were on the list but it’s unclear if they were hacked, the Washington Post reported.

An NSO Group spokesperson said the company will investigate all claims of misuse.

“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data,” the NSO spokesperson said.

Other technology companies consider NSO Group’s business unacceptable and a threat to their users’ security. Last year, Facebook subsidiary WhatsApp sued NSO Group over an alleged WhatsApp hack. In a court filing from December as part of that case, third parties including Microsoft, Google, Cisco and others said NSO Group had violated U.S. laws and doesn’t deserve immunity because it sells to foreign governments.