Security researchers say Israel’s NSO Group has been exploiting the vulnerability since February
An Israeli cybersecurity firm has been exploiting a significant Apple Inc. software vulnerability since February to silently infect iPhones using iMessage, the company’s messaging software, according to the research group that discovered the issue.
On Monday, Apple supplied a critical security update fixing the flaw, but the vulnerability had been used in attacks by Israel’s NSO Group, according to Citizen Lab. Citizen Lab is an academic research group that investigates cyberattacks on journalists and dissidents.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Apple said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
The intrusion is particularly worrisome because it is what researchers at Citizen Lab refer to as a “zero click” attack, meaning, unlike most other iPhone hacks, the user doesn’t need to click on a link or open a document to be infected. “Anyone with iMessage on their phone could be silently infected,” said John Scott-Railton, a researcher with Citizen Lab. “They would see nothing.”
“People should update their devices immediately,” Mr. Scott-Railton said.
In addition to the iOS operating system used by the iPhone, the attack works against the iMessage software on Apple’s Mac computers, the iPad, and Apple Watches, Citizen Lab said.
Users who want to update their iPhone or iPad should go to Settings > General > Software Update, and tap Download and Install if an update is available. If the device shows iOS 14.8 or iPadOS 14.8, it is up to date and already patched.
On Macs, the software update can be found under System Preferences. The newest version is macOS Big Sur 11.6. Apple Watches can be updated via the Apple Watch app on an iPhone, under General > Software Update.
The update process can sometimes take extra time when many users are queuing to download the new software.
Cyberattacks like the one discovered by Citizen Lab cost millions of dollars to develop and are used to break into the devices of specific individuals and “are not a threat to the overwhelming majority of our users,” Apple said.
Citizen Lab linked the flaw to NSO Group, which sells hacking tools used by governments world-wide to conduct surveillance.
Asked to comment on a report that Citizen Lab published on the issue Monday, an NSO spokesman said, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime.”
The software used in the iPhone attacks “is a rare and probably expensive thing and it would have represented a substantial amount of development work,” Mr. Scott-Railton said.
Citizen Lab began pulling on the threads that led to the bug’s discovery in March, when they found that a phone belonging to an anonymous Saudi activist had been infected by the Pegasus software, which was built by NSO Group to monitor the phone’s activities.
At the time, it was unclear how Pegasus had been installed, but last week, while examining a backup of the phone, Citizen Lab discovered a copy of the attack code that had been used to infect it, by exploiting a bug in Apple’s image processing software, Mr. Scott-Railton said.
“What showed up there was a bunch of files labeled as GIFs but they weren’t actually GIFs,” Mr. Scott-Railton said. “They contained this exploit that exploited Apple’s image processing.” GIF is an image file-formatting standard.
Examining the files, Citizen Lab discovered attack code that it linked to NSO Group, based on the naming conventions and behavior of the software it installed, Citizen Lab said.
While Apple has invested heavily in bolstering the iPhone’s reputation for privacy and security, that reputation has come under strain this year. Earlier this month, the company paused the rollout of a system it had developed for detecting child pornography on its phones, after critics said it could undercut the iPhone’s privacy.
Apple has also had to fix an unusually large number of iPhone bugs this year, many of which have been exploited by cyberattackers, according to Katie Moussouris, chief executive of Luta Security, a firm that advises companies on how to work with outside security researchers. “Zero-click is both rare and especially dangerous,” she said, “though I’m more concerned with how many new unpatched iOS security holes have been exploited this year.”