Apple released an emergency software patch on Monday (Sept. 13) after researchers at University of Toronto’s Citizen Lab uncovered a security flaw that could allow hackers to secretly install spyware on Apple devices through iMessage without users’ knowledge.
Researchers found that Pegasus, an advanced form of spyware from Israeli security firm NSO Group, can eavesdrop or steal data once it is installed on an Apple device, prompting an urgent need to protect the close to 2 billion Apple products in use worldwide, which have been exposed to the spyware since at least March.
The Apple announcement came after the discovery of an NSO spyware infection on a Saudi activist’s iPhone by the cybersecurity watchdog organization.
According to Citizen Lab, the “zero-click exploit” is a highly sought-after tool, allowing governments, law enforcement agencies, mercenaries and criminals to secretly hack into someone’s device without the victim’s knowledge. “This spyware can do everything an iPhone user can do on their device and more,” said John Scott-Railton, a senior researcher at Citizen Lab.
In a statement to USA Today, Ivan Krstić, head of Apple Security Engineering and Architecture, said Apple immediately “developed and deployed a fix in iOS 14.8 to protect our users,” after identifying the vulnerability used by the exploit for iMessage.
He added that “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
The Apple security hole is a sign that the cybersecurity arms race is intensifying, as activists and tech companies like Apple work to rapidly fix vulnerabilities that enable government surveillance of citizens.
In a recent talk with PYMNTS, Richard Clarke, former national coordinator for security and counterterrorism, said there is an increasing sophistication of cyber threats, which once required criminals to operate in person.
“When I was a kid, criminals robbed banks and had guns. Now they’re not even in the same country. They sit in Eastern Europe on a computer and they make large sums of money,” said Clarke. And as he added, the threat and scope of cybercrime have only gotten worse.
Last month, a hacker stole data on 50 million T-Mobile customers and characterized the company’s security as “awful.” The 21-year-old Turkey-based American, John Binns, told The Wall Street Journal that he used an unprotected router to access the records, making this intrusion the third major customer data leak that T-Mobile has disclosed in the past two years.