
Apple on Monday released emergency software updates for a critical vulnerability in its products after security researchers discovered a flaw that allows highly invasive spyware from Israel’s NSO Group to infect anyone’s iPhone, Apple Watch or Mac without even a click.

Apple’s security team has been working around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with spyware from NSO Group.

The spyware, called Pegasus, used a new method to invisibly infect an Apple device without the victim’s knowledge for six months. Known as a “zero click remote exploit,” it is considered the holy grail of surveillance because it allows governments, mercenaries and criminals to secretly enter a victim’s device without alerting them.

Using the zero-click method of infection, Pegasus can turn on a user’s camera and microphone, record their messages, texts, emails and calls – even those sent through encrypted messaging and phone apps like Signal – and send them back to NSO clients in governments around the world.

“This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, principal investigator at Citizen Lab, who partnered with Bill Marczak, principal investigator at Citizen Lab, on the discovery.

In the past, victims learned that their devices were infected with spyware only after receiving a suspicious link sent by text message to their phone or email. But NSO Group’s zero-click capability doesn’t give the victim such a prompt and allows full access to a person’s digital life. These capabilities can fetch millions of dollars in the underground hacking tool market.

An Apple spokesperson confirmed Citizen Lab’s assessment and said the company plans to add spyware barriers to its upcoming iOS 15 software update, due later this year.

NSO Group did not immediately respond to inquiries on Monday.

NSO Group has long been the subject of controversy. The company said it only sells its spyware to governments that adhere to strict human rights standards. But over the past six years, its Pegasus spyware has appeared on the phones of activists, dissidents, lawyers, doctors, nutritionists and even children in countries like Saudi Arabia, the United Arab Emirates and Mexico.

In July, NSO Group came under intense media scrutiny after Amnesty International, the human rights watchdog, and Forbidden Stories, a group focused on freedom of expression, partnered with a consortium of media organizations on “The Pegasus Project” to publish a list that, according to them, contained some 50,000 people – including hundreds of journalists, government leaders, dissidents and activists – chosen as targets by NSO’s clients.

The consortium did not disclose how it got the list, and it was not clear whether the list was aspirational or whether people were actually targeted by NSO’s spyware.

Among those listed were Azam Ahmed, a former New York Times bureau chief in Mexico who has extensively covered corruption, violence and surveillance in Latin America, including NSO itself; and Ben Hubbard, the Times bureau chief in Beirut, who has investigated rights violations and corruption in Saudi Arabia and has written a recent biography of Saudi Crown Prince Mohammed bin Salman.

Shalev Hulio, co-founder of NSO Group, vehemently denied the list’s accuracy, telling The Times: “It’s like opening the blank pages, picking 50,000 issues and drawing conclusions.”

NSO clients previously infected their targets using text messages that tricked victims into clicking a link. These links allowed reporters to investigate the possible presence of NSO spyware. But the new zero-click method makes it much more difficult for journalists and cybersecurity researchers to find spyware.

“The commercial spyware industry is darkening,” said Mr. Marczak, a Citizen Lab researcher who helped uncover the exploit on the phone of a Saudi activist.

Mr. Scott-Railton urged Apple customers to run their software updates.

“Do you own an Apple product? Update it today,” he said.