Apple released an emergency software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
The researchers at the University of Toronto’s Citizen Lab said the flaw allowed spyware from the world’s most infamous hacker-for-hire firm, NSO Group, to directly infect the iPhone of a Saudi activist.
The flaw affected all Apple’s operating systems, the researchers said
It was the first time a so-called “zero-click” exploit had been caught and analyzed, said the researchers, who found the malicious code on Sept. 7 and immediately alerted Apple. They said they had high confidence the Israeli company NSO Group was behind the attack, adding that the targeted activist asked to remain anonymous.
Although security experts say that average iPhone, iPad and Mac user generally need not worry — such attacks tend to be highly targeted — the discovery still alarmed security professionals.
News of the nefarious uses of NSO Group’s Pegasus software first surfaced in July. Apple was notified earlier this month by researchers with Citizen Lab – an internet security watchdog group based at the University of Toronto – that a zero-day vulnerability in its iOS 14.8 and iPadOS 14.8 operating system was being exploited by the invasive Pegasus spyware. The exploit impacts every iPhone, iPad, Mac and Apple Watch.
The Pegasus spyware has been an ongoing source of controversy. Users of the spyware are able to extract data – including emails, messages and photos – from devices and also can record calls and activate microphones and cameras.
According to a report by Citizen Lab researchers, they were analyzing the phone of a Saudi activist that they soon determined had been infected with Pegasus. During the investigation, the researchers discovered a zero-day, zero-click exploit against iMessage, which they dubbed “ForcedEntry.” The exploit – labeled CVE-2021-30860 – targets an integer overflow vulnerability in Apple’s CoreGraphics image rendering library, they wrote.
The researchers suspect ForcedEntry has been in use since at least February. It doesn’t require users to click on fraudulent links or open malicious files to infect a device. The researchers urged users of the devices to download the fixes.
Fast Fixes by Apple
Citizen Lab contacted Apple about ForcedEntry Sept. 7, and less than a week later the vendor issued the fixes.
In a statement, Ivan Krstic, head of security engineering and architecture operations at Apple, thanked Citizen Lab for sending a sample of the exploit to the company, enabling it to issue a fix.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstic said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”