Apple has released an emergency software patch to fix a vulnerability that researchers said could allow hackers to directly infect iPhones and other devices without user intervention.
Researchers at the University of Toronto’s Citizen Lab said the bug allowed spyware from the world’s most notorious hacker-for-hire company, NSO Group, to directly infect a Saudi activist’s iPhone.
The bug affected all of Apple’s operating systems, the researchers said.
It was the first time that a so-called “zero-click” exploit had been intercepted and analyzed, said the researchers, who found the malicious code on September 7 and immediately alerted Apple.
They said they had great confidence that the Israeli company NSO Group was behind the attack, adding that the attacked activist wishes to remain anonymous.
“We don’t necessarily attribute this attack to the Saudi government,” said researcher Bill Marczak.
Although Citizen Lab previously found evidence that zero-click exploits were used to hack the phones of al-Jazeera journalists and other targets, “This is the first time the exploit was recorded for us to find out how it works,” said Mr Marczak.
Although security experts say average iPhone, iPad and Mac users generally have nothing to worry about, since such attacks are typically very targeted, the discovery still alarmed them.
Malicious image files were transferred to the activist’s phone through the iMessage instant messaging app before it was hacked with NSO’s Pegasus spyware that opens a phone for remote eavesdropping and data theft, Marczak said.
It was discovered during a second scan of the phone, which was infected in March. He said the malicious file causes devices to crash.
The NSO Group did not immediately respond to an email asking for comment.
In a blog post, Apple announced that it was releasing a security update for iPhones and iPads, as a “maliciously created” PDF file could cause them to be hacked.
It said it was aware that the problem may have been exploited, citing Citizen Lab. Apple didn’t immediately respond to questions about whether this was the first time a zero-click vulnerability had been patched.
Citizen Lab named the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, macOS, and watchOS devices.
Researcher John Scott-Railton said the news underscores the importance of securing popular messaging apps against such attacks.
“Chat apps are becoming an increasingly important way for nation states and mercenary hackers to gain access to phones,” he said. “And that’s why it’s so important that companies focus on making sure they’re locked down as much as possible.”
The researchers said it also reveals – again – that NSO’s business model is to sell spyware to governments that abuse it, not just law enforcement agencies who hunt down cyber criminals and terrorists, as NSO claims.
“If Pegasus were only used against criminals and terrorists, we would never have found this stuff,” said Marczak.
Facebook’s WhatsApp was also allegedly attacked by an NSO zero-click exploit. In October 2019, Facebook sued NSO in a US federal court for allegedly targeting around 1,400 users of the encrypted messaging service with spyware.
In July, a global media consortium released a damning report on how NSO Group’s clients have been spying on journalists, human rights activists, political dissidents and their loved ones for years, with the hackers-for-hire group targeted.
Amnesty International said it confirmed 37 successful Pegasus infections based on a leaked targeting list, the origin of which has not been disclosed.
One concerned the fiancée of Washington Post journalist Jamal Khashoggi just four days after he was murdered at the Saudi consulate in Istanbul in 2018. The CIA attributed the murder to the Saudi government.