The title says it all, people. Apple just announced emergency patch to a security breach permitted by the NSO Group scary Pegasus spyware infects Apple’s targets – including their iPhone, iPad, Mac and Apple watches.
Are you, personally, likely to be the target of hacking hackers for hire? Probably not. But that doesn’t mean there’s a good reason to leave your Apple devices vulnerable.
To get your devices up to date, make sure you’re using iOS 14.8, iPad OS 14.8, watchOS 7.6.2, macOS Big Sur 11.6 and security update 2021-005 for macOS Catalina. According to Apple, compatible iOS and iPad OS devices include: “iPhone 6s and newer versions, iPad Pro (all models), iPad Air 2 and newer, iPad 5th generation and newer, iPad mini 4 and newer, and iPod touch ( 7th generation). ”
In Apple’s terminology, the update is known as CVE-2021-30860, and recognizes the Citizen Lab for finding vulnerabilities.
Zero-day exploitation was discovered by security researchers from the Citizen Lab of the University of Toronto, who published report with details of exploitation earlier today. Researchers say they encountered an error looking at a phone infected with a Pegasus belonging to a Saudi activist, and found that the NSO group probably exploited the so-called “zero-click” vulnerability in iMessage to inject Pegasus into the device. Unlike most low-level malware, these types of abuse require zero user input — all NSOs that were supposed to break into this activist’s device were sent via invisible iMessage, malware without their knowledge, according to the researchers. Past Citizen Lab reports have described in detail NSO attacks on other devices without clicks, noting that in many cases those who hide an infected device “may not notice anything suspicious” actually happen.
Meanwhile, as a researcher for Citizen Lab, John Scott-Railton said The New York Times, whoever is behind the exploitation, can do “anything an iPhone user can do on their device and more” after becoming infected. This includes tracking all sent texts or emails, all calls made, and turning on the device camera without the user’s knowledge. Even if that communication takes place via an encrypted application, such as Signal or Telegram, the NSO can still collect that data and pass it on to its clientele, the Times reports.
It’s worth noting that Apple’s hardware has tackled vulnerability-free vulnerabilities in the past by quietly customizing the code at the core of iOS this past February in an attempt to make it more difficult to launch these hacks.
We have contacted Apple for comments on the update and will update it here when we respond.
Friendly communicator. Music maven. Explorer. Pop culture trailblazer. Social media practitioner.