Apple issues urgent security update for all iPhone, iPad and Mac users

Calling the exploit Forcedentry, Citizen Lab said that the security vulnerability makes all Apple device susceptible to snooping

Namita Singh
Tuesday 14 September 2021 08:48 BST
Comments
Pegasus spyware: How does it work?
Leer en Español

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Apple has released a critical software patch to fix a major security vulnerability, after researchers found spyware could exploit it to hack directly into iPhones and other Apple devices without so much as a click from the user.

Researchers at the University of Toronto’s Citizen Lab said they found malicious image files being transmitted to the phone of a Saudi activist, who wished to remain anonymous, via the iMessage instant-messaging app. The device was then hacked by the Pegasus spyware developed by Israel’s NSO Group, they alleged.

Calling the iMessage exploit Forcedentry, Citizen Lab said that the security vulnerability makes the phones susceptible to eavesdropping and remote data theft, and that it applied to all Apple devices. Forensics revealed that the activist’s phone had been infected back in March, adding that the malicious files caused the phone to crash.

The vulnerability was found in the activist’s iPhone on 7 September, following which Citizen Lab said it immediately alerted Apple. The NSO group licenses its Pegasus spyware tool to government agencies and police forces to investigate criminal activity, but Citizen Lab researcher Bill Marczak said: “We’re not necessarily attributing this attack to the Saudi government.”

Issuing a statement, the NSO Group said that it will continue providing tools for fighting "terror and crime".

Also a “zero-click” exploit, Pegasus doesn’t require users to click on any suspected link or open infected files and is considered the pinnacle in surveillance technology, as it allows hackers to break into a person’s phone without alerting the victim.

Apple, in a blog post, said that it was issuing a security update for iPhones and iPads because a "maliciously crafted" PDF file could lead to hacking. Apple security chief Ivan Krstic also issued a statement saying that “after identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users”.

He added that in the past, such exploits typically cost millions of dollars to develop and often have a short shelf life. Though it is unclear at the moment how many Apple users might have been attacked using this vulnerability, Mr Krstic said such exploits “are not a threat to the overwhelming majority of our users”.

Users should get alerts on their iPhones prompting them to update the phone’s iOS software. The critical update comes ahead of an Apple event on Tuesday where the tech firm was slated to unveil a new product.

Citizen Lab alleged that their findings undermine the Israeli firm’s assertion that it sells software to law enforcement officials for use against criminals and terrorists and audits customers to make sure Pegasus is not misused.

"If Pegasus was only being used against criminals and terrorists, we never would have found this stuff," said Mr Marczak.

Earlier in July, a global media consortium published a series of reports about the use of Pegasus to spy on journalists, activists, opposition leaders and political dissidents.

The reports revealed that the phone of the fiancee of Washington Post journalist Jamal Khashoggi was infected with the software just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The CIA held the Saudi government responsible for the murder.

The revelations also led to protests in parliament against Indian prime minister Narendra Modi’s government for allegedly using the spyware against political opponents. The government has so far neither accepted nor denied the allegations of snooping.

In Hungary, the reports of spying led to calls for an investigation against the right-wing government, while in France the government is also trying to probe the allegations that an unidentified Moroccan security service used Pegasus to target president Emmanuel Macron and members of his government in 2019. Morocco, a French ally, has denied the allegations.

Additional reporting from the agencies

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in