BOSTON (AP) – Apple has released a critical software patch to fix a security vulnerability that researchers say could allow hackers to directly infect iPhones and other Apple devices without any action by the user.
Researchers at the University of Toronto’s Citizen Lab said the security issue was exploited to plant spyware on a Saudi activist’s iPhone. They said they were very confident that the world’s most famous hacker-for-hire firm, Israel’s NSO Group, was behind that attack.
The previously unknown vulnerability affected all major Apple devices – iPhones, Macs and Apple Watches, the researchers said. The NSO Group responded with a one-sentence statement saying it will continue to provide tools to combat “terrorism and crime.”
This is the first time a so-called “zero-click” exploit (one that doesn’t require users to click on suspect links or open infected files) has been caught and analyzed, researchers said. They found the malicious code on September 7 and immediately alerted Apple. The targeted activist requested to remain anonymous, they said.
“We don’t necessarily attribute this attack to the Saudi government,” said researcher Bill Marczak.
Citizen Lab had previously seen evidence of zero-click exploits being used to hack into the phones of Al-Jazeera journalists and other targets, but had not previously seen the malicious code itself.
Although security experts said the average iPhone, iPad and Mac user generally should not worry – such attacks are often limited to specific targets – the discovery still worries security professionals.
The malicious image files were sent to the activist’s phone via the iMessage instant-messaging app before it was hacked using NSO’s Pegasus spyware, which opens a phone to eavesdropping and remote data theft, said Marczak. The code was discovered during a second examination of the phone, which forensics showed had been infected in March. He said the malicious file caused the devices to crash.
Citizen Lab said the case revealed, once again, that the NSO Group allows its spyware to be used against ordinary civilians.
In a blog post, Apple said it was releasing a security update for iPhones and iPads because a “maliciously produced” PDF file could lead to them being hacked. It said it was aware that the issue could be exploited and mentioned Citizen Lab.
In a subsequent statement, Apple’s head of security Ivan Krstić praised Citizen Lab and said that such exploitation “is not a threat to so many users.” He said, as he has in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple did not respond to questions about whether this is the first time it has patched a zero-click vulnerability.
Users should get alerts on their iPhones that will prompt them to update the phone’s iOS software. Those who want to jump the gun can go to phone settings, click “General” then “Software Update,” and trigger the patch update directly.
Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, macOS and watchOS devices. It encouraged people to immediately install security updates.
Researcher John Scott-Railton said the news highlights the importance of securing popular messaging apps against such attacks. “Chat apps are increasingly becoming a primary way that nation-states and mercenary hackers are gaining access to phones,” he said. “And this is why it’s so important that companies focus on making sure they’re locked down as much as possible.”
The researchers said the finding also undermines NSO Group’s claims that it only sells its spyware to law enforcement officials for use against criminals and terrorists and that it audits its customers to ensure it is not abused.
“If Pegasus was only used against criminals and terrorists, we would never find this thing,” Marczak said.
Facebook’s WhatsApp was also allegedly targeted by an NSO zero-click exploit. In October 2019, Facebook sued NSO in U.S. federal court for allegedly targeting 1,400 users of the encrypted messaging service with spyware.
In July, a global media consortium published a damning report about how NSO Group clients had been spying for years on journalists, human rights activists, political dissidents, and people close to them, with the hacker-for-hire group directly involved in the targeting. Amnesty International said it had confirmed 37 successful Pegasus infections based on a leaked targeting list whose source was not disclosed.
One case involved the fiancee of Washington Post journalist Jamal Khashoggi, just four days after he was killed at the Saudi Consulate in Istanbul in 2018. The CIA has linked the killing to the Saudi government.
Recent revelations have also prompted calls for an investigation into whether Hungary’s right-wing government used Pegasus to secretly track critical journalists, lawyers and business figures. India’s parliament also erupted in protests as opposition lawmakers accused the government of Prime Minister Narendra Modi of using NSO Group’s product to spy on political opponents and others.
France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unidentified Moroccan security service using Pegasus. Morocco, a key ally of France, has denied those reports and is taking legal action to counter allegations that the North African kingdom was involved in the spyware scandal.