Apple's HomeKit Allegedly Exploited in Serbian Pegasus Spyware Campaign
Serbian authorities suspected of exploiting Apple’s HomeKit to install Pegasus spyware without user interaction.
Apple’s HomeKit platform has come under scrutiny as Serbian authorities are reportedly exploiting its vulnerabilities to deliver spyware, including the infamous Pegasus spyware, without requiring any user interaction. Amnesty International’s investigation highlights two key tools in this spyware campaign: Pegasus, developed by Israel’s NSO Group, and a locally developed system named NoviSpy.
The Tools in Play
Pegasus is known globally for its ability to exploit zero-day vulnerabilities (software flaws unknown to manufacturers) to infect devices silently. Once installed, Pegasus gains unrestricted access to messages, emails, and media, and can even turn the infected device into a live surveillance tool. Crucially, this spyware does not require the user to click a link or perform any interaction for installation.
Meanwhile, NoviSpy, a system reportedly tailored for Serbia, appears to rely on physical access to devices. This tool has allegedly been installed during police interactions such as traffic stops or “informational interviews.” For example, journalist Slavisa Milanov experienced suspicious activity on his phone after briefly leaving it at a police station. Subsequent analysis revealed the phone had been accessed using Cellebrite tools and NoviSpy had been installed during that time.
Exploitation of Apple’s Systems
Authorities are believed to have exploited vulnerabilities within Apple’s HomeKit, the company’s smart home platform, to deliver spyware. While HomeKit is designed with secure protocols, attackers can reportedly manipulate network configurations or send malicious invites to compromise devices. Similarly, Apple’s iMessage has been a consistent target for zero-day exploits due to its extensive functionality and wide usage. Pegasus spyware, in particular, has successfully leveraged these vulnerabilities to install itself remotely.
Apple has historically responded to spyware challenges with both legal and technical measures. In 2021, the company sued NSO Group for its involvement in Pegasus deployments, aiming to block access to Apple services. Additionally, with iOS 16, Apple introduced Lockdown Mode, a security feature that restricts functionalities commonly exploited by spyware, such as message attachments, link previews, and unknown FaceTime calls.
Despite Apple’s efforts, the report underscores that spyware developers, including those behind Pegasus, are consistently finding new ways to exploit vulnerabilities. In 2023 alone, Pegasus evolved with three new zero-click exploits targeting iPhones.
Impact on Journalists and Activists
The deployment of Pegasus and NoviSpy in Serbia has raised serious concerns among journalists, activists, and human rights defenders. These tools allow authorities to monitor encrypted communications on apps like Signal, track personal networks, and gather intelligence on protests or civil movements.
For individuals targeted by spyware, the impact is profound. Some journalists now avoid using their phones entirely, fearing surveillance. Others describe feelings of isolation and uncertainty about their roles in civil society.
How Users Can Protect Themselves
Apple users, particularly those at high risk of targeted attacks, can take steps to improve their device security. Enabling Lockdown Mode in iOS provides enhanced protection by limiting attack surfaces frequently exploited by spyware. This mode can be activated under the Privacy & Security section in device settings. Additionally, users should practice vigilance by using strong, frequently updated passwords and enabling two-factor authentication.
Caution is also advised when receiving unexpected HomeKit invitations or messages, as these can serve as entry points for malicious exploits.
While Apple maintains a strong reputation for privacy and security, these recent incidents demonstrate that no system is entirely immune to sophisticated surveillance tools. As spyware developers continue to evolve, ensuring device security remains an ongoing challenge.