As part of its investigation into claims that several Indian Opposition politicians and journalists received threat notifications from Apple, the government’s nodal cybersecurity agency has shifted its focus to a predictable foe – it is exploring whether agencies linked to the Chinese government were behind the attempted breach, The Indian Express has learnt.
“Most of the iPhones that were targeted were made in China, as per preliminary inputs we have received from Apple. The Indian Computer Emergency Response Team (CERT-In) is investigating if the place of production has something to do with a vulnerability in the iPhones, and whether the hack was attempted by agencies linked to China,” a senior government official, privy to CERT-In’s investigation, told this paper.
In October, Opposition leaders across parties — from Congress’s Shashi Tharoor to AAP’s Raghav Chadha to TMC’s Mahua Moitra — received a “threat notification” from Apple warning of a “potential state-sponsored spyware attack” on their iPhones. They hit out at the Centre, and suggested that it was behind the spyware attack attempt.
Apple later issued a statement saying it “does not attribute the threat notifications to any specific state-sponsored attacker”. IT Minister Ashwini Vaishnaw at the time said that much of the information provided by Apple on the issue was “vague and non-specific in nature”, and urged the iPhone maker to join the probe with more accurate information about the alleged spyware attack.
It is learnt that since Apple started sending out these alerts in late 2021, individuals in 150 countries have received such threat notifications. This paper has also learnt that according to Apple India’s internal records, at least 20 Indians with iPhones received the threat notification from the company last month.
Earlier this month, the CERT-In sent a detailed questionnaire to the company asking about current vulnerabilities in Apple’s operating system and how long the company will take to issue a security patch to fix the holes. Another key question the agency is investigating, as is Apple, is whether there was a breach, or if it was an attempted hack.
The agency has also asked the company to explain what it means by a “state-sponsored attack” and when it concludes that an attack was initiated by a state-backed entity.
“CERT-In is still in the process of its investigation and has asked Apple for specific inputs. I am given to understand that the company will fly down a team of experts from the US by the end of November to assist CERT-In with its probe,” a second government official said, requesting anonymity since the investigation is private.
Apple is understood to have preliminarily told the government that iPhones can have loopholes, especially when military-grade hacking attempts are made, and that the company is not equipped to remotely analyse the hack on a device level since it would require a great degree of access which could impact a user’s privacy further. Apple did not respond to a detailed set of questions despite multiple requests. An email sent to the IT Ministry went unanswered.
Investigations into similar issues in the past haven’t yielded much. In 2021, the Supreme Court had formed a committee of technical experts to look into allegations of unauthorised surveillance using the Pegasus software developed by Israeli firm NSO Group.
The Pegasus controversy had broken following media reports of alleged illegal use of the software to tap the phones of some activists, journalists and politicians. Subsequently, several petitions were filed in the Supreme Court seeking an inquiry into the charges.
In August 2022, the committee of technical experts found no conclusive evidence of the use of the spyware in phones examined by it but noted that the Central Government “had not cooperated” with the panel.