Apple released security updates for a vulnerability that affects the iPhone, iPad, Mac and Apple Watch. The vulnerability was discovered by the University of Toronto’s Citizen Lab in August. Apple said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will remove the vulnerability that it said “may have been actively exploited,” according to a news report.
Citizen Lab said the vulnerability exploited a flaw in Apple’s iMessage, allowing attackers to insert Israel-based NSO Group’s Pegasus spyware into the phones of political activists. The exploit takes advantage of a weakness in the ways in which Apple devices render images on the display.
Citizen Lab said it reported its findings to Apple on 7 September. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the exploit to NSO Group.
Tarifica’s Take
The spyware was implanted in Apple devices by way of what is known as a “zero-click exploit,” meaning one that needs no action from the victim and whose presence remains completely unknown to the victim because there is no potentially suspicious contact that can be identified as an entry point. This makes the attack especially insidious. It is believed that only a group as technologically sophisticated as the Israeli spyware design firm NSO is capable of creating and implementing such a hack.
Typically, vulnerabilities in supposedly secure systems are fixed within days or weeks, but this one appears to have been in use since March 2021 and could not be fixed earlier because its very existence was unknown. Apple says that the software patch it has just released will “fix the critical flaw” in its operating systems. That is, one supposes, comforting to the millions of Apple users, but the Pegasus breach was never intended for mass surveillance or any kind of ordinary cybercrime. NSO sells its services to governments, and only to democratic ones that follow international norms, it says, for the purposes of fighting terrorists and criminals, but its products may have been used by Saudi Arabia, Morocco, Mexico and India, among others, for surveillance that targeted journalists and dissidents. While that is deeply concerning from a human-rights point of view, it points to the fact that Pegasus was never a threat to the vast majority of Apple users.
However, the fact that such a security breach could be opened up, and that it could go undetected for a long period of time, is enough to instill a deep sense of discomfort in any user of Apple devices. And users of other devices with other operating systems are justified in feeling equally vulnerable. In addition to device manufacturers and OS designers, mobile operators are the other half of the equation. This incident should be a strong reminder that when users feel potentially unsafe in their use of mobile devices, MNOs should also feel nervous about possibly losing business if subscribers decide to reduce their level of usage in any way due to these fears. Of course, the situation also opens up an opportunity for MNOs to take up the cause of cybersecurity in as aggressive and proactive a manner as possible and put in place layers of security that, while they may not be able to completely prevent breaches such as this one, at least do something to reduce the likelihood and reassure their customers.