BOSTON – Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
Researchers at the University of Toronto’s Citizen Lab said the security issue was exploited to install spyware on a Saudi activist’s iPhone. They said they were confident that the world’s most notorious hacker-for-hire firm, Israel’s NSO Group, was behind the attack.
The previously unknown vulnerability affected all major Apple devices (iPhones, Macs and Apple Watches), the researchers said. NSO Group responded with a one-sentence statement saying it would continue to provide tools to fight “terror and crime”.
Researchers said this was the first time a so-called “zero-click” exploit, one that doesn’t require users to click on suspicious links or open infected files, had been caught and analyzed. They found the malicious code on September 7th and immediately alerted Apple. They said the targeted activist asked to remain anonymous.
“We are not necessarily blaming the Saudi government for this attack,” said researcher Bill Marczak.
Citizen Lab previously found evidence of zero-click exploits being used to hack the phones of Al-Jazeera journalists and other targets, but had not until now seen the malicious code itself.
Although security experts say the average iPhone, iPad and Mac user usually doesn’t have to worry, since such attacks are limited to specific targets, the finding still worries security professionals.
Marczak said malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which leaves a phone vulnerable to eavesdropping and remote data theft. The files were found during a second examination of the phone, which forensics in March had shown to be infected. He said the malicious file causes devices to crash.
Citizen Lab says this case once again shows that NSO Group is allowing its spyware to be used against civilians.
In a blog post, Apple said it was releasing a security update for iPhones and iPads because a “maliciously crafted” PDF file could lead to them being hacked. It said it was aware that the issue could be exploited and cited Citizen Lab.
In a later statement, Apple security chief Ivan Krstić commended Citizen Lab, saying such exploits “do not pose a threat to the overwhelming majority of our users.” He noted, as he has done in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple did not respond to questions about whether this was the first time it had patched a zero-click vulnerability.
Users should receive an alert on their iPhone prompting them to update the phone’s iOS software. Those who want to jump the gun can head into the phone’s settings, click “General” and then “Software Update” and trigger the patch update directly.
Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to install security updates immediately.
Researcher John Scott-Railton said the news highlights the importance of securing popular messaging apps against such attacks. “Chat apps are rapidly becoming a major way nation-states and hackers for hire are gaining access to phones,” he said. “And that’s why it’s so important that companies focus on making sure they are as closed as possible.”
Researchers said the finding also undermines NSO Group’s claims that it sells its spyware only to law enforcement officials for use against criminals and terrorists, and that it audits its customers to ensure the spyware is not misused.
“If Pegasus was only being used against criminals and terrorists, we would never have found this stuff,” Marczak said.
Facebook’s WhatsApp was also reportedly targeted by an NSO zero-click exploit. In October 2019, Facebook sued NSO in US federal court for allegedly targeting some 1,400 users of the encrypted messaging service with spyware.
In July, a global media consortium published a damning report on how NSO Group clients have been spying on journalists, human rights activists, political dissidents and people close to them for years, with the hacker-for-hire group directly involved in the targeting. Amnesty International said it confirmed 37 successful Pegasus infections based on a leaked target list whose origins were not disclosed.
One case involved the fiancée of Washington Post journalist Jamal Khashoggi, four days after he was killed at the Saudi consulate in Istanbul in 2018. The CIA blamed the Saudi government for the murder.
The recent revelations also prompted calls for an investigation into whether Hungary’s right-wing government used Pegasus to covertly monitor important journalists, lawyers and business figures. India’s parliament also erupted in protest as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political opponents and others.
France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unnamed Moroccan security service using Pegasus. Morocco, a major French ally, denied those reports and is taking legal action to counter allegations that the North African kingdom was involved in the spyware scandal.