HomeKit Vulnerability Exploited to Target Serbian Journalists with Pegasus Spyware

Amnesty International confirms Pegasus spyware targeted Serbian journalists and activists via a HomeKit vulnerability.

Amnesty International has uncovered that a security vulnerability in Apple’s HomeKit was exploited to target iPhones belonging to Serbian journalists and activists. The attacks, facilitated by the Pegasus spyware from Israeli company NSO Group, have raised renewed concerns over state-sponsored surveillance.

The investigation began after Apple sent notifications to two Serbian individuals, warning of potential “state-sponsored attacks” on their devices. Both victims contacted the Belgrade-based SHARE Foundation, which collaborated with Amnesty International and Access Now to perform forensic analyses. Amnesty’s Security Lab confirmed that the Pegasus spyware was indeed deployed.

NSO Group’s Pegasus spyware is known for exploiting zero-day vulnerabilities—flaws unknown to manufacturers like Apple—to infiltrate devices through zero-click attacks. In these cases, receiving an iMessage, without any user interaction, could compromise iPhones and expose sensitive personal data.

Amnesty International identified that a HomeKit vulnerability enabled these attacks. Devices were targeted within minutes of each other using attacker-controlled iCloud email addresses, which Amnesty linked to Pegasus infrastructure. The traces left by these attacks resembled previously observed NSO spyware campaigns.

Further investigations revealed that similar attacks occurred in India during August 2023. Individuals there, who had received similar alerts from Apple, also showed evidence of HomeKit exploitation followed by Pegasus deployment via iMessage.

Although specific details about the HomeKit vulnerability have not been disclosed—likely due to Apple’s ongoing mitigation efforts—this case highlights the spyware’s ability to infiltrate even highly secure devices like iPhones.

The investigation also uncovered separate attacks targeting Android devices. Android vulnerabilities allowed surveillance software to be installed, particularly when victims, reporting crimes to authorities, handed their locked phones to police. Cellebrite technology, often used in state investigations, facilitated this breach.

Amnesty International’s findings underscore the global reach of Pegasus spyware and the increasing challenges in safeguarding devices from sophisticated surveillance tools. The targeting of journalists and activists in Serbia further emphasizes the alarming use of such spyware in suppressing dissent.

Apple continues to monitor for signs of Pegasus attacks and alerts affected users when potential compromises are detected.
