“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.
I would assume it's fake, part of some phishing scam. How can we know something like this is real? I'd be even more likely to think it's fake if it looks different than all the other messages I get.
Edited to add: As a comment below pointed out if you "sign in to appleid.apple.com" it'll confirm, which even I would trust! Thanks to quitit for pointing that out.
"To verify that an Apple threat notification is genuine, sign in to appleid.apple.com. If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in."
As long as it doesn't have any links to click or try to force you to login to something, it just sounds like information to me.
If my bank sent me something about Credit Card fraud I would be very skeptical if it had a big "CLICK HERE TO LOGIN" type of thing.
But if it was just info, and maybe ended with "Contact your local branch to learn more", but no links, no phone numbers, etc. I would be less skeptical.
This is, I think, a valuable heuristic. Anything but the most complex and long-term scam always includes some call to action, nearly always URGENT and IMMEDIATE (so as not to give you a chance to think about it or research it).
A notification that is ONLY a notification about something is very unlikely to be malicious (though could certainly be erroneous). My bank will send me a concerning email or SMS about suspicious activity that needs to be reviewed or confirmed, but because they know it's a vector for attack they specifically ask you to call them at their published number listed on your card.
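The "notification only vs. call to action" heuristic from the comments above, turned into a small scoring function as an added example (not code from this thread, from Apple, or from any bank). The sample messages are constructed, and the keyword lists, weights and thresholds are my own assumptions; a bare domain you are told to type yourself is deliberately not counted as a clickable link.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators from the heuristic: a genuine notice has nothing to click and
# no pressure to act right now; a phish nearly always has both. The lists
# below are illustrative assumptions, not a vetted rule set.
LINK_PATTERNS = [
    r"https?://\S+",
    r"\bwww\.\S+",
    r"\bclick here\b",
    r"\btap here\b",
]
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\burgent(ly)?\b",
    r"\bwithin \d+ (hours?|minutes?)\b",
    r"\bact now\b",
    r"\bwill be (suspended|closed|locked)\b",
]
CREDENTIAL_PATTERNS = [
    r"\blog ?in\b",
    r"\bsign in (here|below|using the link)\b",
    r"\b(confirm|verify|enter) your (password|pin|card number|ssn)\b",
]
# Out-of-band instructions lower suspicion: the reader is sent to a channel
# the message itself does not control (card back, branch, typing a site).
OUT_OF_BAND_PATTERNS = [
    r"\bnumber (on|printed on) your card\b",
    r"\bcontact your local branch\b",
    r"\bsign in to \S+ (yourself|on your own|directly)\b",
]


@dataclass
class Assessment:
    score: int
    flags: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption; tune them to your own false-positive tolerance.
        if self.score >= 3:
            return "likely phishing"
        if self.score >= 1:
            return "suspicious"
        return "information only"


def _hits(patterns: list[str], text: str) -> list[str]:
    """Return the patterns that match anywhere in the text, case-insensitively."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def assess(text: str) -> Assessment:
    """Score one message: links and credential requests weigh 2, urgency 1,
    and an out-of-band contact instruction takes one point back off."""
    flags: list[str] = []
    score = 0
    if _hits(LINK_PATTERNS, text):
        flags.append("link")
        score += 2
    if _hits(URGENCY_PATTERNS, text):
        flags.append("urgency")
        score += 1
    if _hits(CREDENTIAL_PATTERNS, text):
        flags.append("credentials")
        score += 2
    if _hits(OUT_OF_BAND_PATTERNS, text):
        flags.append("out-of-band")
        score = max(0, score - 1)
    return Assessment(score, flags)


# Constructed sample messages (not real notifications).
SAMPLES = {
    "apple_style": (
        "Apple detected that you are being targeted by a mercenary spyware "
        "attack that is trying to remotely compromise your iPhone. "
        "If you want to confirm this notice, sign in to appleid.apple.com directly."
    ),
    "bank_info": (
        "We noticed unusual activity on your credit card. Please call the "
        "number on your card or contact your local branch to learn more."
    ),
    "phish": (
        "URGENT: your account will be suspended within 24 hours. Click here "
        "to log in and verify your password: http://example.invalid/login"
    ),
}


def assess_all(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Verdict per sample name; handy for a quick run over the constructed set."""
    return {name: assess(text).verdict for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess(text)
        print(f"{name:12s} score={result.score} flags={result.flags} -> {result.verdict}")
```

Running it over the three constructed messages: the Apple-style notice and the bank notice both come out as "information only" (no link, no urgency, and an out-of-band instruction), while the phish trips all three positive indicators. The point is the shape of the check, not the word lists; a real deployment would pair it with sender verification rather than rely on text alone.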
But if the phishing scam manages to display such a message in a different way on your phone, you can’t trust the phone anymore as it has likely been hacked.
In the screenshot it says the threat notification was sent "via email and iMessage", so it would not be displayed in any different way on your phone, which I also find surprising. I definitely wouldn't expect to receive something like this as an Email, and I have turned off iMessage.
iMessage has been one of the most successful delivery vectors for these spyware attacks.
So, if you think you are a likely target of a state-sponsored attack, the best thing you can do on an Apple device is to turn on Lockdown Mode, turn off iCloud and iMessage, stop using Keychain, use only a YubiKey for all authentication, restrict yourself to a limited number of essential apps on your primary device, and use a dedicated burner device for all your throwaway browsing and communications, erasing/resetting that device after every session. And still, assume everything you say and do online is fully compromised, because there are always system vulnerabilities that haven't been made known yet ('zero-day' attacks) and are being used to compromise highly targeted individuals. In the end, it is a very convoluted cat and mouse game.
Unless things have changed since I last looked, if those you talk to aren't also on iMessage, it feels like a net negative to use as you get inconsistent/negative behavior between contacts. From that end, it becomes sort of a moral issue with the clearly arbitrarily locked gates and poor experiences. So you disable and use a non-malicious and cross platform solution.
> Apple is malicious, but Facebook is totally okay?
This is such a bizarre comment to make, because OP never suggested that Facebook is "totally okay". You replied to them after their edit window passed, so they didn't say that and then edit it out either.
I'm in Europe; I haven't encountered anyone in my life who has used iMessage (everyone uses WhatsApp, now also Telegram/Signal), so I don't really have a use for it. When I wanted to try the weird AR emoji / heartbeat reaction message things with my partner, we noticed we both had iMessage turned off. I guess it's like a setting that maybe we skipped during the phone setup? Not sure if it's on by default for some people.
iMessage and RCS (and arguably MMS, although that started as cost cutting) are backdoors for the legal protections on mining telephony provider metadata for marketing. With those two "opt in" (lol) techs, all safeguards are off.
There have been several CVEs in the past related to iMessage. And it has surprisingly high privilege. Since I seldom need it, turning it off is better for my security.
iMessage histories are backed up in the nightly automatic non-e2ee iCloud Backup, effectively backdooring iMessage’s “end to end encryption” by escrowing the plaintext to a not-endpoint.
Apple can read approximately everyone’s iMessages out of their backups. It’s not private or secure, and claiming it is end to end encrypted is misleading almost to the point of being actually false.
This is the same behavior as SMS if you have enabled “Messages backup.” If backup is not enabled you will not have a copy of iMessages stored in iCloud (though all compatible and configured devices will still receive messages).
This can be changed by opting in to the e2ee iCloud data service “Advanced Data Protection.”
Nope. Even opting into ADP, your iMessage conversations will still be backed up to Apple without e2ee - just from the non-ADP phones of all the people you iMessage with instead of your own phone.
iMessages are backed up in duplicate - once on the sender and once on the receiver. You can only control e2ee for half of it, so your conversations are still under surveillance unless everyone you message with has also turned on ADP.
Is there any E2EE messaging service, or network protocol of any sort, that doesn't suffer from this? If an endpoint is compromised in whatever way, it doesn't matter how encrypted the data is in transit.
You’ll note that this is regularly and frequently used by the FBI against domestic users (such as BLM protesters). Apple processes these FISA demands on over 70,000 user accounts every year, and the number is increasing. (That’s just the count for the warrantless FISA stuff - search warrants are a different (larger) figure.)
They also expanded it to allow them to search Apple’s data on people entering the US as visitors.
> The House also passed several other significant amendments. They included allowing the Section 702 program to be used to gather intelligence on foreign narcotics trafficking organizations and to vet potential foreign visitors to the United States; empowering certain congressional leaders to observe classified hearings before a court that oversees national-security surveillance; and expanding the types of companies with access to foreign communications that can be required to participate in the program.
Nobody remotely versed in this stuff would expect SMS to be end-to-end encrypted, though to be honest the more notable fact to me here is that Apple can read any plaintext in your backups. iMessage is an over the top messaging service more akin to WhatsApp or Signal than it is to SMS, so that is a more relevant comparison. I don't know if any of the clients store plaintext messages that would be backed up to Apple in a similar manner or not, but I'd hope at least the more security focused ones do not.
Apple makes privacy claims about iMessage including 'Apple can’t decrypt the data.', which is notably false in this (common) scenario, and requires a large asterisk on those claims, IMO bordering on making them unethical, period.
Albeit recent and optional, isn’t that a hole specifically fixed by the Advanced Data Protection option[0]? Granted, it doesn’t do much if your recipients don’t also have it enabled.