HomeKit Exploit Used to Target Serbian Journalists and Activists with Pegasus Spyware
Amnesty International confirms HomeKit vulnerability exploited to deploy Pegasus spyware on iPhones of Serbian journalists and activists.
Amnesty International has confirmed that a security vulnerability in Apple’s HomeKit was exploited to install Pegasus spyware on iPhones belonging to Serbian journalists and activists. The findings follow Apple’s warnings to the affected individuals regarding potential “state-sponsored attacks.”
The investigation began when two activists, affiliated with major Serbian think tanks, received alerts from Apple about attempts to compromise their devices. They sought help from the Belgrade-based SHARE Foundation, which collaborated with Amnesty International and Access Now to conduct a thorough forensic analysis of the iPhones. The analysis revealed that the devices were targeted using NSO Group’s Pegasus spyware, a notorious surveillance tool primarily sold to governments and law enforcement agencies.
Exploitation of HomeKit Vulnerability
Amnesty International’s Security Lab discovered that the attackers leveraged an unknown vulnerability within Apple’s HomeKit service to facilitate the attacks. The compromise occurred via iCloud email accounts under attacker control, which were linked to Pegasus deployments. The two Serbian devices were targeted within minutes of each other, using separate iCloud addresses, both associated with Pegasus attack systems.
This pattern aligns with similar zero-click Pegasus attacks observed worldwide, particularly through iMessage. In such cases, devices can be infiltrated merely by receiving a specific message, without requiring any interaction from the victim. Amnesty has previously reported comparable exploitation techniques, including recent Pegasus infections in India during August 2023.
The Security Lab indicated that victims in India also experienced signs of HomeKit-based exploitation, which enabled Pegasus to breach their devices. Despite clear evidence of HomeKit’s involvement, the details of the vulnerability remain undisclosed as Apple continues to develop mitigation measures.
Android Devices Also Targeted
While iPhones were targeted through the HomeKit vulnerability, Android devices were also compromised through a different method. Victims, after approaching law enforcement to report crimes, unknowingly allowed Cellebrite technology to install surveillance software on their locked phones. This attack relied on an Android-specific vulnerability and is presumed to have been orchestrated by state actors seeking to lure targets into police precincts.
The simultaneous exploitation of vulnerabilities in iOS and Android devices highlights the increasing sophistication of surveillance operations leveraging Pegasus spyware. NSO Group’s ability to exploit zero-day vulnerabilities remains a significant global concern, raising alarms about privacy and security for journalists, activists, and other high-risk individuals.
Apple continues to alert affected users and enhance iOS security features to detect Pegasus attack indicators. However, the exploitation of HomeKit underscores the ongoing challenges in mitigating such advanced threats.
Amnesty International and its partners continue to monitor similar attacks worldwide as part of broader efforts to document and combat spyware abuses.