According to Citizen Lab, on Monday, Apple supplied a critical security update to fix the flaw, but the vulnerability was used in attacks by Israel’s NSO Group. Citizen Lab is an academic research group that investigates cyberattacks on journalists and dissidents.
“After identifying a vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Apple said in a statement. “We would like to commend Citizen Lab for successfully completing a very difficult task. For getting a sample of this feat so that we can develop this improvement quickly.”
The intrusion is particularly worrisome because researchers at Citizen Lab refer to it as a “zero click” attack, which means, unlike most other iPhone hacks, the user needs to click on a link or open a document to become infected. is not required. “Anyone with iMessage on their phone can silently become infected,” said John Scott-Railton, a researcher at Citizen Lab. “They won’t see anything.”
“People should update their devices immediately,” said Mr Scott-Railton.
Citizen Lab said the attack works against the iMessage software on Apple’s Mac computers, iPads and Apple Watches, in addition to the iOS operating system used by the iPhone.
Users who want to update their iPhone or iPad should go to Settings > General > Software Update, and tap Download and Install if an update is available. If the device shows iOS 14.8 or iPadOS 14.8, it is up to date and already patched.
Software Update on Mac can be found under System Preferences. The latest version is MacOS Big Sur 11.6. Apple Watches can be updated through the Apple Watch app on the iPhone under General > Software Update.
The update process can sometimes take extra time when multiple users are queuing to download new software.
The cyberattacks like those discovered by Citizen Lab cost millions of dollars to develop and are used to break into specific individuals’ devices and “do not pose a threat to the overwhelming majority of our users,” Apple said.
Citizen Lab linked the flaw to NSO Group, which sells hacking tools used by governments around the world to conduct surveillance.
Asked to comment on a report that Citizen Lab published on the issue on Monday, an NSO spokesperson said, “The NSO Group provides intelligence and law enforcement agencies around the world with life-saving techniques to fight terror and crime. will continue to provide.”
The software used in the iPhone attacks is “a rare and probably expensive thing and it represents a considerable amount of development work,” Mr Scott-Railton said.
Citizen Lab began pulling threads leading to the bug’s discovery in March, when they discovered that an anonymous Saudi worker’s phone had been infected with Pegasus software, created by the NSO Group to monitor phone movements. Was.
At the time, it was unclear how Pegasus was set up, but last week, while examining a backup of the phone, Citizen Lab discovered a copy of the attack code by exploiting a bug in Apple’s image processing. , which was used to infect it. Software, Mr Scott-Railton said.
Mr Scott-Railton said, “What showed up were a bunch of files labeled as GIFs but they weren’t actually GIFs.” “They included this exploit that exploited Apple’s image processing.” GIF is an image file-formatting standard.
Citizen Lab said that upon examining the files, Citizen Lab discovered attack code belonging to the NSO Group, which was established based on naming conventions and the behavior of the software.
While Apple has invested heavily in bolstering the iPhone’s reputation for privacy and security, that reputation has come under strain this year. Earlier this month, the company halted the rollout of a system developed to detect child pornography on its phones after critics said it could undermine the privacy of the iPhone.
Apple has had to fix an unusually large number of iPhone bugs this year, many of which have been exploited by cyber attackers, according to Katie Mausoris, chief executive officer of Luta Security, a firm that works with outside security researchers. advises companies to “Zero-click is both rare and particularly dangerous,” she said, “though I’m more concerned about how many new unexploited iOS security holes have been exploited this year.”
Don’t miss a story! Stay connected and informed with Mint.
download
Our App Now!!
.