Apple patches security flaw that leaves users vulnerable to spyware


Cyber Security updates

Apple has issued an emergency software update after cyber security researchers said they had uncovered a new vulnerability allowing hackers to deploy Israeli company NSO Group’s spyware tool through iMessage. 

The iPhone maker issued a patch on Monday to fix the flaw, which was discovered by researchers at the University of Toronto’s Citizen Lab after they analysed the iPhone of a Saudi activist that had been infected with spyware developed by NSO. 

According to Citizen Lab, the vulnerability allowed hackers to access a target’s iPhone, Mac computer or Apple Watch via iMessage, without the user needing to click on a malicious link. The exploit, dubbed “FORCEDENTRY” by the researchers, is known as a “zero-click” attack. 

The report added that military spyware manufacturer NSO had “used the vulnerability to remotely exploit and infect the latest Apple devices” with its spyware, known as Pegasus, “since at least February 2021”. 

NSO develops and sells its exploits to government agencies as off the shelf software. It was founded in 2010 and rose to prominence in 2019 when it was reported that the group could “drop its payload” of malware on to unsuspecting iPhones and Android phones by ringing a user over WhatsApp.

NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software — which requires an Israeli government licence for export because it is viewed as a weapon — can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.

In a statement on Monday, the company said: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”

Citizen Lab said: “Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies . . . are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”

Apple said that it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.

The revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100 per cent secure from hackers. 

Citizen Lab said that chat apps in particular had become “a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them”.

Daily newsletter

#techFT brings you news, comment and analysis on the big companies, technologies and issues shaping this fastest moving of sectors from specialists based around the world. Click here to get #techFT in your inbox.


Source link