CYBER boffins have discovered a new iMessage bug that was used to hack into people’s iPhones.
According to a Toronto-based research lab, attackers exploited the flaw to infect iPhones with the military-grade spyware, Pegasus.
Pegasus can film users through their device’s camera, record conversations, listen to calls and can send messages.
Versions of it have been used by government agencies to target politicians, journalists and even Boris Johnson’s computer network.
A newly uncovered exploit through which Pegasus was secretly installed onto iPhones was exposed by Citizen Lab, a digital research facility based at the University of Toronto.
It was used on iPhones belonging to Catalan politicians, journalists, and activists in late 2019 and early 2020.
In a blog post on Sunday, researchers explained that the previously unknown iOS security flaw dubbed HOMAGE affects some versions before iOS 13.2.
The current version of iOS is 15.4. Any iPhone user on a version of iOS later than 13.2 is safe from the exploit after Apple patched the issue.
“Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3,” Citizen Lab said.
“It is possible that the exploit was fixed in iOS 13.2.
“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”
The victims of the attacks include Catalan Members of the European Parliament (MEPs) and every Catalan president since 2010.
The research lab also listed Catalan legislators, jurists, journalists, and members of civil society organisations and their families.
Citizen Lab said it has provided Apple with information to help the iPhone-maker investigate the source of the attacks.
“At this time the Citizen Lab is not conclusively attributing these hacking operations to a particular government,” Citizen Lab added.
“However, a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government.”
PEGASUS HITS DOWNING ST
It follows the revelation over the weekend that Boris Johnson’s computer network had been targeted by Pegasus in a shock security breach.
Citizen Lab claimed the software was discovered on a device using Number 10’s network on July 7, 2020.
They said a similar breach also happened at the Foreign Office.
Hackers were linked to the UAE, India, Cyprus, and Jordan, a New Yorker investigation claimed.
Several Downing Street devices were tested – including Mr Johnson’s – but officials could not establish which device was infected, it added.
Scientists are unclear about what data hackers could have had access to – but they do suspect information was taken.
Senior researcher at Citizen Lab John Scott-Railton said his “jaw dropped” when he uncovered the cyber attack.
He said the UK were “spectacularly burned” after “underestimating the threat from Pegasus”.
The software could have been added to devices abroad “using foreign SIM cards”, scientists suggested.
A government spokesperson said they do not comment on security matters.
WHAT IS PEGASUS?
Pegasus is military-grade software – which can be secretly uploaded onto a smartphone or device – and has been around since 2016.
It was designed by Israeli company NSO Group – also called Q Cyber Technologies.
The spyware can film you through your phone camera, listen to calls and send messages.
Scientists also fear it can be used to pinpoint where someone is and who they have met.
It is known to have targeted both Apple and Android devices.
Pegasus – which avoids detection by anti-virus software – used to be installed on smartphones by encouraging victims to click on a link.
But a newer version of the spyware can load on a phone without the user needing to tap anything.