Advertisement

Apple releases security update; researchers uncover new exploit

New iPhone 12 Pro Max smartphones were among the devices Apple on Monday released a security update for after researchers discovered a vulnerability in its software. File Photo by Keizo Mori/UPI
New iPhone 12 Pro Max smartphones were among the devices Apple on Monday released a security update for after researchers discovered a vulnerability in its software. File Photo by Keizo Mori/UPI | License Photo

Sept. 14 (UPI) -- U.S. technology giant Apple has issued a series of security updates after independent researchers uncovered a vulnerability in its messaging service that allowed for spyware developed by an Israeli company to infect its devices.

Apple issued the update for its iPhone, iWatch and other computer devices on Monday, the same day The Citizen Lab revealed the flaw.

Advertisement

"Apple is aware of a report that this issue may have been actively exploited," the California-based company said in a statement.

The Citizen Lab, which is operated from the University of Toronto's Munk School of Global Affairs and Public Policy, named the exploit FORCEDENTRY, and said it has been active since at least February.

The watchdog said it discovered the vulnerability while analyzing the iPhone of an unnamed Saudi activist whose device had been infected with Israeli NSO Group's Pegasus spyware.

Advertisement

"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," The Citizen Lab said in a statement.

It described the hack as a zero-day, zero-click exploit, meaning spyware can infect a device without the user clicking on a link (zero-click) by taking advantage of an unknown vulnerability in the software (zero-day).

"This spyware can do everything an iPhone user can do on their device and more," John Scott-Railton, a senior researcher at The Citizen Lab, told The New York Times.

The spyware, once having infected a device, can access its camera, microphone, messages, emails, calls and texts and send them back to NSO's clients, The Times reported.

In an emailed statement to The Washington Post, Ivan Krstic, head of Apple security engineering and architecture, confirmed that the exploit had been first identified by The Citizen Lab and thanked them for doing so.

"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix," Krstic said. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals."

Advertisement

The revelation comes a few short months after The Pegasus Project, a collaboration of more than 80 journalists from 17 media organizations coordinated by Forbidden Stories, said in July that NSO Group's spyware has been used to target dozens of world leaders, politicians, human rights activists and journalists.

Amnesty International, working with Forbidden Stories, alleged that at least 180 journalists in 20 countries were targeted with the spyware between 2016 and June.

NSO group has denied the allegations.

"We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts," it said in a statement in July.

On Monday, The Citizen Lab accused NSO Group of selling its products to governments that use it "recklessly" and in violation of international human rights law.

"Our latest discovery of yet another Apple zero day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," it said. "Regulation of this growing, highly profitable and harmful marketplace is desperately needed."

Latest Headlines