Security Boulevard (Original)

Apple Patches Pegasus Spyware Flaw for iOS Devices, Macs

Tech giant Apple has released an emergency software patch for iPhone, iPad, Apple Watch and Mac computers which addresses a critical vulnerability to spyware from Israel’s NSO Group, the company behind mobile spyware Pegasus. 

According to a report in the New York Times, the tech giant moved at warp speed to develop the patch, following findings from the University of Toronto’s cybersecurity watchdog organization Citizen Lab. 

“This spyware can do everything an iPhone user can do on their device and more,” Citizen Lab researcher John Scott-Railton told The New York Times. “Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority.”

FORCEDENTRY Exploit Targets Image Rendering Library

The exploit, which Citizen Lab calls FORCEDENTRY, targets Apple’s image rendering library and was effective against Apple iOS, macOS and watchOS devices. The organization said it believes the exploit has been in use since at least February 2021.

The zero-click attack tool also took advantage of a previously unknown security vulnerability in Apple’s iMessage platform, allowing malicious actors to gain access to a user’s texts, emails and phone calls. The spyware can also turn on the device’s cameras and microphones. 

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”

He added that while this means such attacks are not a threat to the “overwhelming majority” of Apple users, the company continues to work to defend all of its customers.

“We are constantly adding new protections for their devices and data,” the statement continued.

Hank Schless, senior manager of security solutions at Lookout, an endpoint-to-cloud security company, said this type of spyware exemplifies how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present. 

“Pegasus is an extreme but easily understandable example,” he said. 

Schless explained there are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to an individual’s most sensitive data.

“From an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in the ability to protect the entire infrastructure from malicious actors,” he explained. “Once the attacker has control of a mobile device or compromises the user’s credentials, they have free access to your entire infrastructure.”

Pegasus Continues to Evolve

He pointed out that since Lookout and The Citizen Lab first discovered Pegasus five years ago, it has continued to evolve and take on new capabilities.

“While the malware has adjusted its delivery methods, the basic exploit chain remains the same,” Schless said. 

Pegasus is delivered via a malicious link that has been socially engineered for the target. The vulnerability is exploited and the device is compromised; the malware then communicates back to a command-and-control (C2) server that gives the attacker free rein over the device.

“Many apps will automatically create a preview or cache of links in order to improve the user experience,” he said. “Pegasus takes advantage of this functionality to silently infect the device.”

NSO Group’s military-grade spyware had been used to hack the smartphones of business leaders, heads of state, activists, journalists, politicians and others, and is designed to surreptitiously capture information through the victim’s smartphone.

“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” Citizen Lab noted in its report conclusion. 

While the commercial spyware is ostensibly used to catch terrorists and criminals, findings from the Pegasus Project, based on a leaked list of over 50,000 phone numbers believed to belong to individuals identified as “persons of interest” by NSO Group’s clients, showed how easily such tools can be turned against members of civil society.

A statement from NSO to Reuters neither confirmed nor denied the zero-click hacking method, but confirmed that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

Even with Apple’s sterling security reputation and its recent introduction of a security feature known as BlastDoor—intended to beef up the defense against sophisticated spyware like Pegasus—spyware vulnerabilities are likely to plague smartphone users for years, particularly as the complexity of smartphone OSes grows with each new update and added feature set. 

Apple’s security patch—and the corresponding risks unpatched devices have for their users—is another reminder for organizations that they must treat these devices as mission-critical to business continuity.

Because of the wealth of data that can be accessed from a mobile device, having control and visibility into what is happening on that device is critical to preventing spyware attacks, which can in turn steal or compromise critical data.

Kevin Dunne, president at Pathlock, a provider of unified access orchestration, said organizations often focus on their servers and workstations as the primary targets for hacking and espionage.

“However, mobile devices are now used broadly and contain sensitive information that needs to be protected,” he said. “Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties.”

To protect themselves against spyware, Dunne said organizations must look more closely at their mobile device security strategy.

“In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and making sure not to click on links from any numbers they did not recognize,” he said. “However, spyware attackers have now engineered zero-click attacks which are able to get full access to a phone’s data and microphone or camera by using vulnerabilities in third-party apps or even built-in applications.”

From Dunne’s perspective, organizations need to make sure they have control over the applications users download onto their phones and can ensure they are up-to-date so any vulnerabilities are patched.
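One concrete form of the "make sure devices are up-to-date" control is a patch-compliance check run over a device inventory: each device's OS version is compared against the earliest version that carries the fix, and anything older (or on a platform the table does not cover) is flagged for review. The block below is an added example, not code from the article or from Apple, Lookout or Pathlock; the only figure taken from the article is iOS 14.8, the inventory is constructed, and the version strings in it are test inputs rather than real releases.

```python
"""Flag devices whose OS version is older than the release carrying a fix.

Added example (not from the article or any vendor it quotes). The iOS 14.8
threshold is the one the article states; the device inventory below is
constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Earliest OS version that contains the fix. Only iOS 14.8 is given in the
# article; other platforms would be added here from the vendor's release
# notes. A platform missing from this table is reported as unverified.
MINIMUM_PATCHED: Dict[str, str] = {
    "iOS": "14.8",
}


def parse_version(text: str) -> Version:
    """Turn '14.8' or '14.7.1' into a tuple of ints so that 14.10 > 14.8.

    A plain string comparison would rank '14.10' below '14.8'; tuples of
    integers compare field by field, and a missing trailing field counts
    as zero, so '14.8' and '14.8.0' compare equal.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(os_name: str, version: str) -> bool:
    """True only when the platform is known and the version meets the minimum."""
    minimum = MINIMUM_PATCHED.get(os_name)
    if minimum is None:
        return False  # unknown platform: cannot confirm, so treat as unpatched
    return parse_version(version) >= parse_version(minimum)


def unpatched_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the ids of devices that fail the compliance check, in order."""
    return [d["id"] for d in inventory if not is_patched(d["os"], d["version"])]


# Constructed sample inventory; version strings are test inputs, not a claim
# that these releases exist ('14.10' is there only to exercise the comparison).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"id": "phone-01", "os": "iOS", "version": "14.7.1"},
    {"id": "phone-02", "os": "iOS", "version": "14.8"},
    {"id": "phone-03", "os": "iOS", "version": "14.10"},
    {"id": "phone-04", "os": "iOS", "version": "15.0"},
    {"id": "tablet-01", "os": "iPadOS", "version": "14.8"},  # platform not in table
]

if __name__ == "__main__":
    for dev_id in unpatched_devices(SAMPLE_INVENTORY):
        print("needs update or review:", dev_id)
```

The numeric tuple comparison is the part worth keeping: a naive string comparison silently passes an old device and fails a new one once a minor number reaches two digits, which is exactly the kind of quiet gap an inventory report should not have. Treating unknown platforms as non-compliant keeps the report conservative until the table is filled in.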

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
