Apple has released an urgent update that patches a security exploit on its messaging app for iPhones. Researchers that discovered the security flaw said it was recently being used to inject spyware to monitor the activities of an unnamed Saudi activist.
Citizen Lab, the company that discovered the exploit, said Monday that hackers had used a malware program developed by Israel-based NSO Group, called Pegasus, to gain access to a device owned by the activist. Researchers said hackers were able to access the activist's device even without him clicking on any malicious links or files.
Apple had credited Citizen Lab for finding the exploit, which was determined to be a "zero-day" vulnerability. The term means that the bug still exists and hasn't been completely patched yet.
Apple said it has already begun patching the exploit on all devices, including iPhones, iPads, and Macs, through urgent software updates. The updates for the various devices containing the patch are Apple Watch via iOS 14.8, iPadOS 14.8, macOS 11.6, and watchOS 7.6.2. Apple said future updates will include additional security protections.
"Apple is aware of a report that this issue may have been actively exploited," the company said on its website.
UPDATE YOUR APPLE DEVICES NOW
We caught a zero-click, zero day iMessage exploit used by NSO Group's #Pegasus spyware.
Target? Saudi activist.
We reported the #FORCEDENTRY exploit to @Apple, which just pushed an emergency update.
THREAD 1/https://t.co/dVuC1r1yUs pic.twitter.com/KHwtsWRcpA — John Scott-Railton (@jsrailton) September 13, 2021
The head of Apple Security Engineering and Architecture, Ivan Krstic, said these types of hacks are highly sophisticated and cost millions of dollars to develop. He added that hackers often have a very short window to take advantage of these exploits and specific individuals are often targeted. Krstic assured the public that the vulnerability is "not a threat to the overwhelming majority of our users."
NSO Group declined to comment on the allegations, stating that it only sells its software to vetted customers for law enforcement and counterterrorism purposes.
Citizen Lab claims that it had discovered multiple instances of NSO Group's software being used to spy on dissidents and journalists. Citizen Lab alleged that the company's software was even used to spy on the mobile phone of the wife of murdered Mexican journalist in 2019.
During the same year, NSO Group was sued by Facebook for its involvement in the hacking of 1,400 mobile devices using its WhatsApp messaging app.