The headline says it all, folks. Apple just released an emergency patch to a security flaw that let NSO Group’s horrifying Pegasus spyware infect a target’s Apple devices — including their iPhones, iPads, Macs, and Apple Watches.
Are you, personally, likely to be targeted by shadowy hackers-for-hire? Probably not. But that doesn’t mean there’s a good reason to leave your Apple devices vulnerable.
To ensure your devices receive the update, check that you’re using iOS 14.8, iPad OS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and security update 2021-005 for macOS Catalina. According to Apple, compatible iOS and iPad OS devices include: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).”
In Apple’s terminology, the update is known as CVE-2021-30860, and it credits Citizen Lab for finding the vulnerability.
The zero-day exploit was uncovered by security researchers at the University of Toronto’s Citizen Lab, who put out a report detailing the exploit earlier today. The researchers say they stumbled on the flaw when looking into a Pegasus-infected phone that belonged to a Saudi activist, and found that NSO Group had likely exploited a so-called “zero-click” vulnerability in iMessage to get Pegasus onto the device. Unlike most low-level malware, these kinds of exploits require zero input on the user’s part — all NSO needed to do to break into this activist’s device was send over an invisible, malware-laden iMessage without their knowledge, according to the researchers. Past Citizen Lab reports have detailed NSO’s zero-click attacks on other devices, noting that in many cases, those harbouring an infected device “may not notice anything suspicious” is actually happening.
Meanwhile, as Citizen Lab researcher John Scott-Railton told the New York Times, whoever is behind the exploit can do “everything an iPhone user can do on their device and more” once it’s infected. This includes tracking any texts or emails sent, any calls made, and switching on a device’s camera without the user’s knowledge. Even if those communications happen over an encrypted app, like Signal or Telegram, NSO can still harvest that data and pass it back to their clientele, the Times reports.
It’s worth noting that Apple hardware has moved to address problems with zero-click vulnerabilities in the past, quietly tweaking the code underlying iOS this past February in an attempt to make these hacks harder to pull off.
We’ve reached out to Apple for comment on the update and will update here when we hear back.