Apple users have been urged to immediately update their devices after a tech watchdog uncovered an almost invisible security breach.
Israel’s NSO group, a cyber intelligence agency, was able to gain access to a Saudi activist’s iPhone through a vulnerability in the iMessage app.
The activist didn’t have to click anything to allow the access to occur and had no idea their privacy had been breached.
The flaw in Apple’s defences allowed NSO to infect the phone with its malicious Pegasus spyware, and could potentially have been used to access anyone’s device.
But don’t panic. Orchestrating these attacks is expensive and generally reserved for high profile targets.
On Monday, Apple released a fix to the problem. The tech giant said its latest software update responded to a “maliciously crafted PDF” that left devices susceptible.
“Apple is aware of a report that this issue may have been actively exploited”, the company wrote.
The issue was uncovered and reported to Apple by researchers from the University of Toronto’s The Citizen Lab.
The researchers discovered the breach while analysing the phone of a Saudi activist that had been infected with the Pegasus spyware.
They detected a “zero-click exploit” through iMessage, which allowed the hackers to gain access to the device without the activist’s knowledge. The Citizen Lab called this exploit FORCEDENTRY.
- Click here for the full report into FORCEDENTRY
FORCEDENTRY was used to infect the activist’s phone with NSO Group’s Pegasus spyware, which allowed them to turn on the camera and microphone remotely, as well as retrieve information.
One of Citizen Lab’s senior researchers, John Scott-Railton, told The New York Times Pegasus was virtually undetectable and had a huge scope for hackers.
“This spyware can do everything an iPhone user can do on their device and more,” Mr Scott-Railton said.
The surveillance technology has the potential to result in information being sold to governments and criminals alike.
The greatest concern is that “zero click” entry doesn’t send users a message or strange link to indicate that something is awry with their device, so the user might never know they have been hacked.
The Citizen Lab first noticed the attack in February 2021, and has since reported it to Apple.
Apple’s head of security engineering and architecture Ivan Krstić congratulated the watchdog for its findings on Monday, according to The New York Times.
Both The Citizen Lab and Apple have urged customers to install the latest software updates to all of their devices to fix the vulnerability.
The latest update, IOS 14.8 and iPadOS 14.8, includes a “patch” that aims to repair the breach in Apple’s existing security, according to Time.
The tech giant has assured customers attacks like these are not commonly used to target everyday people.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” Mr. Krstić said.
“Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security”, Apple’s website says.
It comes just hours ahead of a “special” event for the global tech giant.
Most industry enthusiasts are certain the September 14 announcement will be used to unveil the iPhone 13, the latest in a long line-up of smartphones.
Since 2013, the company has delivered an annual device upgrade at this time of year. You could set your Apple watch by it, if it didn’t set itself.
Apple has not responded to The New Daily’s request for comment.