Apple Cyber Flaw Allows Silent iPhone Hack Through iMessage
Security researchers say Israel’s NSO Group has been exploiting the vulnerability since February.
An Israeli cybersecurity firm has been exploiting a significant Apple Inc. software vulnerability since February to silently infect iPhones using iMessage, the company’s messaging software, according to the research group that discovered the issue.
On Monday, Apple supplied a critical security update fixing the flaw, but the vulnerability had been used in attacks by Israel’s NSO Group, according to Citizen Lab. Citizen Lab is an academic research group that investigates cyberattacks on journalists and dissidents.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Apple said in a statement. “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”
The intrusion is particularly worrisome because it is what researchers at Citizen Lab refer to as a “zero click” attack, meaning, unlike most other iPhone hacks, the user doesn’t need to click on a link or open a document to be infected. “Anyone with iMessage on their phone could be silently infected,” said John Scott-Railton, a researcher with Citizen Lab. “They would see nothing.”
“People should update their devices immediately,” Mr. Scott-Railton said.
Citizen Lab linked the flaw to NSO Group, which sells hacking tools used by governments world-wide to conduct surveillance.
Asked to comment on a report that Citizen Lab published on the issue Monday, an NSO spokesman said, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime.”
The software used in the iPhone attacks “is a rare and probably expensive thing and it would have represented a substantial amount of development work,” Mr. Scott-Railton said.
Apple said in its statement: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” This means “they are not a threat to the overwhelming majority of our users,” the company said.
Citizen Lab began pulling on the threads that led to the bug’s discovery in March, when it found that a phone belonging to an anonymous Saudi activist had been infected by the Pegasus software, which was built by NSO Group to monitor the phone’s activities.
At the time, it was unclear how Pegasus had been installed, but last week, while examining a backup of the phone, Citizen Lab discovered a copy of the attack code that had been used to infect it, by exploiting a bug in Apple’s image processing software, Mr. Scott-Railton said.
“What showed up there was a bunch of files labeled as GIFs but they weren’t actually GIFs,” Mr. Scott-Railton said. “They contained this exploit that exploited Apple’s image processing.” GIF is an image file-formatting standard.
Examining the files, Citizen Lab discovered attack code that it linked to NSO Group, based on the naming conventions and behavior of the software it installed, Citizen Lab said.
In addition to the iOS operating system used by the iPhone, the attack affects iMessage on Apple’s Macintosh computers, the iPad, and Apple Watches, Citizen Lab said.
While Apple has invested heavily in bolstering the iPhone’s reputation for privacy and security, that reputation has come under strain this year. Earlier this month, the company paused the rollout of a system it had developed for detecting child pornography on its phones, after critics said it could undercut the iPhone’s privacy.
Apple has also had to fix an unusually large number of iPhone bugs this year, many of which have been exploited by cyberattackers, according to Katie Moussouris, chief executive of Luta Security, a firm that advises companies on how to work with outside security researchers. “Zero-click is both rare and especially dangerous,” she said, “though I’m more concerned with how many new unpatched iOS security holes have been exploited this year.”