Intro

Generally speaking, for Apple iPhone users, "if the concerned person did not get an Apple cyber mercenary alert, it's likely not highly invasive spyware." -- a Technologist at Amnesty Tech - Security Lab

Phase One - Shutdown and Validate

Stay calm and turn off your phone. If possible, remove the battery, or put the phone into a Faraday cage with >60 dB of attenuation so that the phone cannot continue any network activity even if you believe it is turned off. The cheapest, quickest DIY Faraday cage is tinfoil and a couple of Zip Lock bags.

  1. Wrap the phone in a layer or two of tinfoil. Wrap it very tightly, and fold the foil over itself and crimp it as tightly as possible. The goal is to minimize any air gaps and to create a complete seal around the device.

  2. Drop that foiled phone into a Zip Lock bag. Zip it up.

  3. Wrap that foiled-then-zipped phone in one or two more tight layers of tinfoil. Make it as tight as possible.

  4. Drop that into another Zip Lock, just to further protect the layers of tinfoil from damage from movement.

The phone needs to get into the hands of a qualified organization that can verify device compromise. Depending on who you are, the field you work in, or the organizations you work for, several organizations may be able to perform this assessment:

Installing "threat detection" apps does not work; do not do that. Enterprise Mobile Device Management (MDM) also cannot detect mercenary spyware. Depending on the outcome of your conversation with one of the above organizations, it may be determined that you are low risk and that a full wipe of your phone is enough to mitigate the risk.

Phase Two - Response

If you are high risk, or it has been proven that your device was compromised, presume that the attacker now has:

  1. All of the details from everyone in your phone's Contacts app -- everyone's name, phone numbers, emails, addresses, birthdate, etc.

From a safe device or in person, begin to contact the people in your network who have a high risk of also being targets of compromise. This includes immediate family members and loved ones, not just people who are professionally or organizationally related to you. Warn them about what could happen next.

What could happen next:

1a. The attacker could use contact information copied from your phone to attack your contacts' phones, if remote exploitation is within their threat model. Those high-risk people should be given this guide, stop using their phones, and seek the same "is my phone hacked" services described above.

1b. The attacker could pose as you and social engineer your contacts into divulging information, using data taken from #2, #3, #4, and #5 below.

At the very least, your high-risk contacts should be given instructions on how to enable security features like Lockdown Mode (iOS), and should begin to treat their phone as an always-on listening microphone and physical location tracker until proven otherwise. When in doubt, put the phone into a Faraday cage, consider it permanently compromised, and obtain a new phone right away.

Not only does your network need to be informed of the danger and risks; you also need to validate your identity to them in a real-time video call with question-and-answer challenges, from a new, trustworthy device or, better, in person. Establish a trustworthy communication pathway using new devices that have been hardened to reduce the risk of future compromise. Again, consulting the above organizations can help.

  2. All of the content and metadata stored in the apps of end-to-end encrypted (e2ee) messengers.

It's important to understand two facts about e2ee messengers:

2a. e2ee provides security for data in transit. It does not protect against local compromise.

2b. e2ee should still be used as much as possible. Compromising a device, especially remotely, is neither cheap nor easy.

  3. Any authentication tokens on the compromised device -- authentication into various services and apps -- could have been copied off the device and then used, without your knowledge, from an attacker-controlled device. In other words: apps you've signed into, like Gmail, Facebook, Outlook, etc., keep an authentication token in the app's database so you are re-authenticated into the service every time you open the app. It's like a key that opens a front door, and those keys can be copied by an attacker who has compromised your phone. It's important to sign in to each of those services from a trustworthy computer and terminate all existing authenticated sessions, if possible. And of course, reset each service's password, 2FA tokens, and listed recovery email address, after that email account itself has been reset and hardened.

  4. Any secrets (passwords, 2FA tokens, passkeys, etc.) saved in a password manager -- these should all be considered compromised ("owned"), since the attacker likely had system access while the encrypted database was unlocked. It is critical to go through all of those accounts and perform resets ASAP, even for services you weren't actively signed into.

  5. Any locally stored media or documents should be considered copied and out of your control. The content and metadata of media and documents can be used against you in any way the attacker wishes, now or in the future. Blackmail, doxxing, etc. are all risks, and that material will also be used to learn more about your life and used against you.

It's very important to think critically about what is or was on your phone and ask: if I were the attacker, what would I do, and how would I use all of this data to cause further damage or compromise? Create a list and turn it into an action plan that mitigates high, then medium, then low risks, according to your threat model.

Phase Three - Prevention

It's important to obtain a new device and make sure it is set up in a way that won't lead to further compromise. Depending on how the original compromise happened, there are specific steps to take so that you cannot be compromised the same way again. For example, if it was a remote attack, enabling Lockdown Mode and restarting a new iPhone before a SIM is inserted is important.

What should be obvious from all of this is that our phones are treasure troves of our lives. High-risk people may want to proactively minimize their risk by keeping less data on their phones. Compartmentalization and data minimization are important security practices, but they can only protect you before a compromise.

How to set up a secure phone is out of scope for this article, but again, seek the assistance of the trustworthy organizations I've listed above.