Apple has released a critical software patch to fix a major security vulnerability, after researchers found spyware could exploit it to hack directly into iPhones and other Apple devices without so much as a click from the user.
Researchers at the University of Toronto’s Citizen Lab said they found malicious image files being transmitted to the phone of a Saudi activist, who wished to remain anonymous, via the iMessage instant-messaging app. The device was then hacked by the Pegasus spyware developed by Israel’s NSO Group, they alleged.
Calling the iMessage exploit Forcedentry, Citizen Lab said that the security vulnerability made the phones susceptible to eavesdropping and remote data theft, and that it applied to all Apple devices. Forensic analysis revealed that the activist’s phone had been infected back in March and that the malicious files caused the phone to crash.
The vulnerability was found in the activist’s iPhone on 7 September, following which Citizen Lab said it immediately alerted Apple. The NSO Group licenses its Pegasus spyware tool to government agencies and police forces to investigate criminal activity, but Citizen Lab researcher Bill Marczak said: “We’re not necessarily attributing this attack to the Saudi government.”
Issuing a statement, the NSO Group said that it will continue providing tools for fighting “terror and crime”.
Delivered through a “zero-click” exploit, Pegasus doesn’t require users to click on any suspicious link or open infected files and is considered the pinnacle in surveillance technology, as it allows hackers to break into a person’s phone without alerting the victim.
Apple, in a blog post, said that it was issuing a security update for iPhones and iPads because a “maliciously crafted” PDF file could lead to hacking. Apple security chief Ivan Krstic also issued a statement saying that “after identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users”.
He added that in the past, such exploits typically cost millions of dollars to develop and often have a short shelf life. Though it is unclear at the moment how many Apple users might have been attacked using this vulnerability, Mr Krstic said such exploits “are not a threat to the overwhelming majority of our users”.
Users should get alerts on their iPhones prompting them to update the phone’s iOS software. The critical update comes ahead of an Apple event on Tuesday where the tech firm was slated to unveil a new product.
Citizen Lab alleged that its findings undermine the Israeli firm’s assertion that it sells software to law enforcement officials for use against criminals and terrorists and audits customers to make sure Pegasus is not misused.
“If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,” said Mr Marczak.
Earlier in July, a global media consortium published a series of reports about the use of Pegasus to spy on journalists, activists, opposition leaders and political dissidents.
The reports revealed that the phone of the fiancee of Washington Post journalist Jamal Khashoggi was infected with the software just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The CIA held the Saudi government responsible for the murder.
The revelations also led to protests in parliament against Indian prime minister Narendra Modi’s government for allegedly using the spyware against political opponents. The government has so far neither accepted nor denied the allegations of snooping.
In Hungary, the reports of spying led to calls for an investigation against the right-wing government, while in France the government is also trying to probe the allegations that an unidentified Moroccan security service used Pegasus to target president Emmanuel Macron and members of his government in 2019. Morocco, a French ally, has denied the allegations.
Additional reporting from the agencies