Apple users are being asked to install a security update after researchers found a flaw that hackers could use to access devices without any user action.
Researchers from the Citizen Lab at the University of Toronto said in a report A “zero-click exploit” was found in iMessage on a Saudi worker’s iPhone on Monday. Apple released a software patch on Monday in response to the exploit.
Researchers said the previously unknown vulnerability affected all major Apple devices: iPhones, Macs and Apple Watches.
So who is at risk, and how does it work?
John Scott-Railton, a senior researcher at Citizen Lab, told Granthshala News that “zero-click” is a hacking method designed to infiltrate a user’s device without them knowing.
“We’re all familiar with the idea that we’re going to get suspicious messages, malware, and phishing, but it’s something we’re educated to be able to identify and can’t fall for,” he said.
“Zero-click means that someone you probably don’t know… can remotely target and infect your device without any interaction… you see nothing, you nothing Listen and suddenly your device becomes a digital spy in your pocket.”
In other words, unlike fake messages from delivery services and tax agencies that ask to click a link to resolve some obscure issues, zero-click is invisible.
Scott-Relton said researchers discovered the hack last week while examining a Saudi worker’s iPhone that was infected with Pegasus spyware, a surveillance program run by Israeli tech company NSO Group.
When they were looking at the phone, they found that the malicious image files were sent via iMessage, before it had been hacked with Pegasus spyware. Then the infected phones would crash.
This was detected during the second investigation, which revealed that the phone had been infected in March.
“Those files, as it turned out, were real code resulting in what’s called a zero-click, zero-day exploit. This is real code that would remotely infect and take over the phone,” said Scott-Relton said.
He described it as “a huge discovery”.
“The interesting thing about this is that until the patch went up, everyone who had an Apple device could potentially be hacked using this vulnerability.”
After being alerted by Citizen Lab, Apple on Monday announced that it has fixed a flaw in a software update.
“After identifying a vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” said Evan Christic, Apple’s head of security engineering and architecture. said in a statement.
“The attacks that have been described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
At this point, it’s not clear if anyone else has been targeted, but the Citizen Lab researchers said in their report that they believe the hacking method has been in use since February. They attribute the attack to the NSO Group.
NSO would not confirm to Reuters that it was behind the hack, but said in a statement that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Reuters further reported that the FBI is investigating NSO, and Israel has formed a senior inter-ministerial team to assess allegations that its spyware has been misused globally.
Even though NSO said it investigates the governments it sells to, its Pegasus spyware has been traced to the phones of activists, journalists and opposition politicians in countries with poor human rights records.
Scott-Relton said hacks like this will happen again, and that people should care about what this discovery shows.
“There’s an industry of companies busy finding and stockpiling ways to quietly hack their phones, and then selling them to people who want to help manufacturers make their phones more secure than they are for them.” can pay,” he said.
“The other reason people need to care is because the long-term business model of many companies like NSO Group … is to sell to local authorities, local police departments.”
Scott-Railton added that most governments in the world, including Canada, “don’t have strong rules about what police can and can’t do with such invasive technology, and even then the rules were already in place.” Technology may come.”
With Apple rolling out a security update, Scott-Railton encourages all users to install it as soon as possible.
He wrote in a tweet on Monday that companies need to increase security around instant messaging apps.
“Popular chat apps are the soft underbelly of device security,” he said. “They’re on every device, and some have unnecessarily large attack surfaces.”