On Monday, Apple sprinted to release emergency software updates to patch a security vulnerability in its products. The move was in response to an alert from researchers at the University of Toronto’s cybersecurity watchdog organization, Citizen Lab. Researchers there found that a Saudi activist’s iPhone was infected with spyware from an Israeli company, NSO Group, The New York Times reported, leaving more than 1.65 billion Apple users worldwide exposed since at least March.
The timing is less than ideal for the company, which is unveiling its new iPhones today in a keynote event.
Usually, when malicious code worms its way into a device, it sends suspicious links through text or email, trying to get the users to click on it through phishing. But this particular spyware, called Pegasus, could infiltrate Apple devices without setting off any flags that made the user aware of its presence through a technique called a “zero click remote exploit.”
Once Pegasus arrives inside the device, it can access the camera, microphone, as well as messages, texts, emails, and calls that the user sends and receives. It can even see messages sent through apps that use encrypted messaging like Signal.
The NSO Group could presumably sell whatever it gleaned from the user’s digital life to its clients, which include governments around the world. Further, the Times has also reported that NSO previously used Pegasus to surveil activists, dissidents, lawyers, doctors, nutritionists and even children in countries like Saudi Arabia, the United Arab Emirates and Mexico.
Ivan Krstić, Apple’s head of security engineering and architecture, said in statements to multiple outlets that customers should install the latest software updates for the fixes to take effect. These would be iOS 14.8, MacOS 11.6 and WatchOS 7.6.2. To get there, users should go to their Settings, click the tab that says General, then click Software Update, and tap Download and Install for the latest version that’s available.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” Krstić added. John Scott-Railton, a researcher with Citizen Lab, also told WSJ that hacks like these are rare and expensive to fund.
Toby Lewis, Global Head of Threat Analysis at Darktrace, says in an email to PopSci that “while these attacks are not a threat to most Apple users, criminal attackers could use the access to steal personal data for bigger campaigns, fraud, theft, and potentially even mass user lockout to ask for payment.”
According to Lewis, cyber-attackers will always target companies like Apple, because their technology is so wide reaching and has become critical to our lives. We use it to do everything from navigating with maps to accessing bank accounts.
For its security architecture, Apple has long operated a so-called “walled garden” in which the underlying operating system on the phone is completely inaccessible to any third-party applications, Lewis explains. These applications, which can only be installed through the official App Store, undergo careful vetting before being assigned to a compartmentalized area of storage and processing. “The only real way for malware to become installed on an Apple device is by exploiting the underlying operating system – the process known as Jailbreaking,” Lewis says. This is different from systems like Android’s, which is a “more open affair.”
The benefit of the Android architecture is that it lets users install whatever applications they like, but they don’t have the protections Apple offers. “Even via the official App Store (Google Play), there is only limited vetting and moderation, increasing the risk of malware being installed without the need for a clever exploit,” Lewis says of the Android system.
As a precaution, Lewis advises all users who access proprietary information to update their systems immediately.
“Overall, Apple has a great track record of working with researchers to identify exploits so they can quickly patch. But that doesn’t mean the zero-day hadn’t already been exploited in the wild before it was identified,” Lewis notes. “The research group who discovered the exploit found it in March while examining a Saudi activist’s phone. Apple issued a patch in September.”
This exploit follows another systems-related controversy in August, where Apple faced pushback from privacy tech experts after rolling out a feature that would limit the spread of child sex abuse material (CSAM). An open letter addressing the company claimed that the “proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products.”