Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
Researchers at the University of Toronto’s Citizen Lab said the flaw was exploited to plant spyware on the iPhone of a Saudi activist. They said they were highly confident that the world’s best-known hacker-for-hire firm, the Israeli NSO Group, was behind the attack.
The previously unknown vulnerability affected all major Apple devices (iPhones, Macs and Apple Watches), the researchers said. NSO Group responded with a one-sentence statement saying it would continue to provide tools to combat “terror and crime.”
It was the first time a so-called “zero-click” exploit (one that does not require users to click on suspicious links or open infected files) had been captured and analyzed, according to the researchers. They found the malicious code on September 7 and immediately alerted Apple. The targeted activist asked to remain anonymous, they said.
“We don’t necessarily attribute this attack to the Saudi government,” researcher Bill Marczak said.
Citizen Lab had previously found evidence of zero-click exploits used to hack the phones of Al Jazeera journalists and other targets, but had never before captured the malicious code itself.
While security experts say regular iPhone, iPad and Mac users generally don’t have to worry (these attacks are usually limited to specific targets), the discovery still alarmed security professionals.
Marczak said the malicious image files were sent to the activist’s phone through the iMessage instant-messaging app, after which the phone was hacked with NSO’s Pegasus spyware, which opens a device to espionage and remote data theft. The files were discovered during a second examination of the phone; forensics showed it had been infected in March. He said the malicious files cause the device to crash.
Citizen Lab claims the case reveals, once again, that the NSO group allows its spyware to be used against ordinary civilians.
In a blog post, Apple said it was issuing a security update for iPhones and iPads because a “malicious” PDF file could lead to them being hacked. The company said it was aware the problem may have been exploited and credited Citizen Lab.
In a later statement, Apple’s head of security engineering, Ivan Krstić, commended Citizen Lab and said that such exploits “are not a threat to the vast majority of our users.” He noted, as he has in the past, that these exploits typically cost millions of dollars to develop and often have a short lifespan. Apple did not answer questions about whether this was the first time it had seen a zero-click exploit.
Users should receive alerts on their iPhones asking them to update their phone’s iOS software. Those who want to update right away can open the phone’s Settings, tap “General” and then “Software Update,” and install the patch directly.
Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to install the security updates immediately.
Researcher John Scott-Railton said the news highlights the importance of protecting popular messaging apps against such attacks. “Chat apps are becoming increasingly important in a way that nation states and mercenary hackers have access to phones,” he said. “And that’s why it’s so important for companies to focus on making sure they’re as closed as possible.”
The researchers said the case also undermines NSO Group’s claims that it sells its spyware only to law-enforcement agencies for use against criminals and terrorists, and that it audits its customers to make sure the software is not abused.
“If Pegasus was only used against criminals and terrorists, we would never have found these things,” Marczak said.
Facebook’s WhatsApp was also allegedly the subject of an NSO zero-click exploit. In October 2019, Facebook sued NSO in U.S. federal court, alleging that it had targeted about 1,400 users of the encrypted messaging service with its spyware.
In July, a global media consortium published a damning report on how NSO Group clients had for years been spying on journalists, human rights activists, political dissidents and people close to them, with the hacker-for-hire firm directly involved in the targeting. Amnesty International said it had confirmed 37 Pegasus infections based on a leaked list of targets whose origin was not disclosed.
One case involved the fiancée of Washington Post journalist Jamal Khashoggi, just four days after he was killed at the Saudi consulate in Istanbul in 2018. The CIA attributed the murder to the Saudi government.
The revelations have also sparked an investigation into whether Hungary’s right-wing government used Pegasus to secretly monitor critical journalists, lawyers and business figures. India’s parliament also erupted in protests when opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political and other opponents.
France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government could have been targets in 2019 for an unidentified Moroccan security service using Pegasus. Morocco, a key French ally, has denied these reports and is taking legal action to counter accusations involving the North African kingdom in the spyware scandal.