Apple users are being asked to install a security update after researchers found a flaw that hackers could use to access devices without any user action.
The researchers from Citizen Lab at the University of Toronto said in a report on Monday that a “zero-click exploit” was found in iMessage on a Saudi activist’s iPhone. Apple released a software patch on Monday in response to the exploit.
The researchers said the previously unknown vulnerability affected all major Apple devices: iPhones, Macs and Apple Watches.
So who is at risk, and how does it work?
What is zero-click?
John Scott-Railton, a senior researcher with Citizen Lab, told Global News that “zero-click” is a hacking method designed to infiltrate a user’s device without them knowing.
“We’re all familiar with the idea that we’re going to get suspicious messages, malware, and phishing, but that’s something we’re educated to be able to spot and not fall for,” he said.
“Zero-click means that somebody you probably don’t know … can remotely target and infect your device with no interaction … you see nothing, you hear nothing and suddenly your device becomes a digital spy in your pocket.”
In other words, unlike the phony texts from delivery services and tax agencies that ask you to click a link to resolve some unclear issue, a zero-click attack is invisible.
How was it found?
Scott-Railton said researchers discovered the hack last week while examining the Saudi activist’s iPhone, which was infected with Pegasus spyware, a surveillance program run by Israeli tech company NSO Group.
While examining the phone, they found that malicious image files had been sent through iMessage before the phone was hacked with Pegasus spyware. Infected phones would then crash.
It was discovered during a second examination, which showed the phone had been infected in March.
“Those files, as it turned out, were the actual code that would result in what’s called a zero-click, zero-day exploitation. This is the actual code that would remotely infect and take over the phone,” Scott-Railton said.
He described it as “a big find.”
“What’s interesting about this is that literally until the patch went up, everyone who had an Apple device could be potentially hacked using this vulnerability.”
After being alerted by Citizen Lab, Apple announced on Monday it fixed the flaw in a software update.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
Who is at risk?
At this point, it’s unclear if anyone else has been targeted, but Citizen Lab researchers said in their report they believe the hacking method has been in use since February. They attribute the attack to NSO Group.
NSO wouldn’t confirm to Reuters if it was behind the hack, but said in a statement it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Reuters further reported that the FBI has been investigating NSO, and Israel has set up a senior inter-ministerial team to assess allegations that its spyware has been abused on a global scale.
Even though NSO said it vets the governments it sells to, its Pegasus spyware has been discovered on the phones of activists, journalists and opposition politicians in countries with poor human rights records.
Scott-Railton said hacks similar to this will happen again, and people should care about what this discovery shows.
“There is an industry of companies that is busy finding and stockpiling ways to silently hack their phones, and then selling them to people who can pay for them rather than helping manufacturers make their phones more secure,” he said.
“The second reason why people need to care is because the long-term business model of a lot of the companies like NSO Group … is to sell to local authorities, local police departments.”
Scott-Railton added that most governments in the world, including Canada, “don’t have robust rules about what police can and can’t do with this kind of invasive technology, and yet technology may arrive even before the rules are put in place.”
What happens now?
With Apple pushing out a security update, Scott-Railton encourages all users to install it as soon as possible.
In a tweet Monday, he wrote that companies need to bolster the security around instant messaging apps.
“Popular chat apps are the soft underbelly of device security,” he said. “They are on every device, and some have a needlessly large attack surface.”
Scott-Railton added that governments, including Canada’s, need to target businesses that sell “bad things to bad people.”
“But more than that, they need to take seriously the targeting of Canadians, permanent residents and people on Canadian soil,” he said.
“It’s really important that the focus be on the technology and the companies that are pushing the stuff — it can’t just be the responsibility of individuals to protect themselves.”
— with files from Reuters and The Associated Press.