Apple has issued an emergency software update after cyber security researchers said they had uncovered a new vulnerability allowing hackers to deploy Israeli company NSO Group’s spyware tool through iMessage.
The iPhone maker issued a patch on Monday to fix the flaw, which was discovered by researchers at the University of Toronto’s Citizen Lab after they analysed the iPhone of a Saudi activist that had been infected with spyware developed by NSO.
According to Citizen Lab, the vulnerability allowed hackers to access a target’s iPhone, Mac computer or Apple Watch via iMessage, without the user needing to click on a malicious link. The exploit, dubbed “FORCEDENTRY” by the researchers, is known as a “zero-click” attack.
The report added that military spyware manufacturer NSO had “used the vulnerability to remotely exploit and infect the latest Apple devices” with its spyware, known as Pegasus, “since at least February 2021”.
NSO develops and sells its exploits to government agencies as off the shelf software. It was founded in 2010 and rose to prominence in 2019 when it was reported that the group could “drop its payload” of malware on to unsuspecting iPhones and Android phones by ringing a user over WhatsApp.
NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software — which requires an Israeli government licence for export because it is viewed as a weapon — can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.
In a statement on Monday, the company said: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
Citizen Lab said that its discovery of another previously unknown vulnerability on Apple hardware “illustrates that companies . . . are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
Apple said that it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.
Separately, Ivan Krstić, head of security engineering and architecture at Apple, said in a statement that “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” adding that they were “not a threat to the overwhelming majority of our users”.
Nevertheless, the revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100 per cent secure from hackers.
Citizen Lab said that chat apps in particular had become “a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them”.