Apple has released an urgent update to patch a critical vulnerability that has been exploited by the notorious Pegasus mobile spyware.
The vulnerability, CVE-2021-30860, was discovered by researchers at the University of Toronto's Citizen Lab while analyzing the iPhone of an anonymous Saudi activist infected with NSO Group's Pegasus spyware. They found a zero-day, zero-click exploit delivered over iMessage, which the team dubbed "FORCEDENTRY." The exploit infected the device by targeting a flaw in Apple's image rendering library (CoreGraphics) and was effective against iOS, macOS and watchOS devices.
Citizen Lab made a "high-confidence attribution" to NSO Group for the exploit, which it believes has been in use since at least February 2021. It stated: "Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies. Regulation of this growing, highly profitable and harmful marketplace is desperately needed."
After the lab passed details of its findings to Apple, the company quickly released a patch. Apple customers are urged to update their devices immediately. The vulnerability affects all iPhones running iOS versions prior to 14.8, all Macs running versions of macOS Big Sur prior to 11.6 and Macs running macOS Catalina without Security Update 2021-005, and all Apple Watches running watchOS versions prior to 7.6.2. Note that Catalina remains at version 10.15.7 after the security update is installed, so on those Macs the fix has to be confirmed from the installed-update history rather than from the OS version number.
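For anyone who has to confirm patch status across a fleet rather than on a single phone, the following is an added example (not code from the article or from Apple) that checks a device inventory against the fix versions listed above. It compares versions numerically rather than as strings, and it handles the Catalina case, where the fix shows up only as an installed update named "Security Update 2021-005" and not as a version change. The inventory records and the `updates` field are constructed for illustration; in practice they would come from an MDM export.

```python
"""Check an Apple device inventory against the fix versions for CVE-2021-30860.

Added example, not from the article. Fix versions are those Apple shipped in
September 2021: iOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2, and
Security Update 2021-005 for macOS Catalina (10.15.7).
"""
from __future__ import annotations

# Minimum OS version that carries the fix, per platform.
FIXED = {
    "ios": (14, 8),
    "macos": (11, 6),      # Big Sur; any later macOS also qualifies
    "watchos": (7, 6, 2),
}
# Catalina keeps the 10.15.7 version string; the fix is a separate named update.
CATALINA_FIX = "Security Update 2021-005"


def parse_version(s: str) -> tuple[int, ...]:
    """'14.8' -> (14, 8). Tuples compare numerically, so '14.10' > '14.8',
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in s.strip().split("."))


def is_patched(platform: str, version: str, installed_updates=()) -> bool:
    """True if this device has the CVE-2021-30860 fix."""
    platform = platform.lower()
    v = parse_version(version)
    if platform == "macos":
        if v[:2] == (10, 15):
            # Catalina: look for the named security update, not the version.
            return CATALINA_FIX in installed_updates
        if v < (10, 15):
            # Older releases are not listed as receiving a fix; treat as unpatched.
            return False
        return v >= FIXED["macos"]
    if platform not in FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    return v >= FIXED[platform]


def unpatched(inventory: list[dict]) -> list[str]:
    """Return the names of devices still exposed, in inventory order."""
    return [
        d["name"]
        for d in inventory
        if not is_patched(d["platform"], d["version"], d.get("updates", ()))
    ]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    {"name": "iphone-01", "platform": "iOS", "version": "14.7.1"},
    {"name": "iphone-02", "platform": "iOS", "version": "14.8"},
    {"name": "watch-01", "platform": "watchOS", "version": "7.6.1"},
    {"name": "mac-bigsur-01", "platform": "macOS", "version": "11.5.2"},
    {"name": "mac-bigsur-02", "platform": "macOS", "version": "11.6"},
    {"name": "mac-catalina-01", "platform": "macOS", "version": "10.15.7"},
    {"name": "mac-catalina-02", "platform": "macOS", "version": "10.15.7",
     "updates": ["Security Update 2021-004", "Security Update 2021-005"]},
]


if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {name}")
```

The Catalina branch is the part worth copying: a check that only compares version strings will report every Catalina Mac as patched or unpatched regardless of whether the security update is present.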
In a statement, Ivan Krstić, head of Apple security engineering and architecture, said: "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” He also reassured customers that the vulnerability is "not a threat to the overwhelming majority of our users."
Israeli firm NSO Group has repeatedly been at the center of controversy over the use of Pegasus by authoritarian governments. Facebook is pursuing legal action against the company for allegedly exploiting a vulnerability in WhatsApp to let its clients spy on more than 1,400 users worldwide, and the spyware has been linked to the surveillance of people close to murdered Saudi journalist Jamal Khashoggi.
CNN quoted a new NSO Group statement, which didn’t directly address the allegations. It stated: "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."
Commenting on the story, Sam Curry, chief security officer at Cybereason, said: "Monday's emergency software updates for a critical vulnerability discovered in iPhones, Apple Watches and Macs shouldn't be cause for panic. Yes, this newest Pegasus spyware delivery mechanism is novel, invasive and can easily infect billions of Apple devices, but stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple's instructions if you think you are infected and consult your IT department at work, school, etc. Failing that, Apple's Genius Bar will be able to help. With nearly 2 billion iPhones active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can't be a luxury for Apple, and it's not; it's a responsibility they take seriously."
Jesse Rothstein, CTO and co-founder of ExtraHop, added: "We all carry highly sophisticated personal devices which have profound implications for personal privacy. There are many examples of this, such as app data collection, which Apple recently moved to curb with its App Tracking Transparency framework.
“Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.
"Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. NSO Group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. This is no different than arms dealing in my view; it's just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands."