If you own an Apple device, you may have noticed an unscheduled update notification today. You may want to perform those updates at your earliest convenience. The patches are for iOS, watchOS, and macOS and fix a major security flaw that has been actively exploited since February to install Pegasus spyware on devices without user intervention.
On Monday, Apple pushed out emergency updates for iOS, watchOS, and macOS. The security patches were issued in response to a massive exploit that allowed the operating systems to be infected with spyware without interaction from the user.
Security researchers at the University of Toronto’s Citizen Lab disclosed the vulnerability dubbed “ForcedEntry” to Apple last Tuesday. The group discovered the security hole (CVE-2021-30860) while analyzing a Saudi activist’s iPhone.
The “zero-click exploit” leverages an iMessages weakness that calls on Apple’s image rendering library and can infect the device without any user intervention. The researchers found that the vulnerability is inherent in all three of Apple’s operating systems—iOS, watchOS, and macOS.
The spyware used is the controversial Pegasus application developed by NSO Group in Israel. Citizen Lab says it believes the exploit has been in use since February but has no idea how many devices could be infected with the spyware.
Pegasus is a particularly insidious software in that it can do everything from turning on the camera and microphone to accessing device settings.
“This spyware can do everything an iPhone user can do on their device and more,” John Scott-Railton, a senior researcher at Citizen Lab, told The New York Times. Co-researcher Bill Marczak added, “the commercial spyware industry is going darker.”
The NSO Group maintains that it only sells its spyware to government law enforcement agencies per regional laws and regulations. However, the software has turned up on the devices of non-criminal individuals, including diplomats, activists, and journalists. Additionally, Germany’s state police agency came under harsh criticism last week for secretly purchasing and employing Pegasus to spy on terrorists and organized crime members.
Since learning of the exploit last Tuesday, Apple engineers have been scrambling for a fix and issued one today. Scott-Railton urges owners of any Apple device to update the operating system as soon as possible.
If you are interested in the full details of the vulnerability, Citizen Lab posted a write-up on its website. Apple also has patch notes listed on its support pages.