A never-before-seen “zero-click” exploit for Apple iPhones has been discovered by an internet security watchdog group, prompting the massive communications company to issue an emergency update to fix the vulnerability.

The security group, Citizen Lab, said the Israeli cybersecurity organization NSO Group has been exploiting the software vulnerability since February.

Apple said it fixed the exploit in Monday’s software update, confirming the finding.

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”

“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.

Apple urged users to update their software to close the exploit. The vulnerability affects all versions of Apple’s iOS, OSX, and watchOS, except for those updated.

Citizen Lab said it discovered the vulnerability on the iPhone of an unnamed Saudi activist, noting the phone had been infected with spyware in February. In a first, targets didn’t even have to click on anything for the attack to work. Researchers also said that it didn’t appear as if there was any discernible indication that a hack had occurred.

“The vulnerability lies in how iMessage automatically renders images. IMessage has been repeatedly targeted by NSO and other cyber arms dealers, prompting Apple to update its architecture. But that upgrade has not fully protected the system,” CNBC reported.

“Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority,” said Citizen Lab researcher John Scott-Railton. “They are ubiquitous, which makes them really attractive, so they are an increasingly common target for attackers. They need to be a major priority for security.”

Hacks and exploits have exploded of late. “A record number of previously unknown attack methods, which can be sold for $1 million or more, have been revealed this year,” Reuters reported. “The attacks are labeled ‘zero-day because software companies had zero days’ notice of the problem.”

“Along with a surge in ransomware attacks against critical infrastructure, the explosion in such attacks has stoked a new focus on cybersecurity in the White House as well as renewed calls for regulation and international agreements to rein in malicious hacking. The FBI has been investigating NSO, and Israel has set up a senior inter-ministerial team to assess allegations that its spyware has been abused on a global scale. Although NSO has said it vets the governments it sells to, its Pegasus spyware has been found on the phones of activists, journalists and opposition politicians in countries with poor human rights records,” Reuters added.

No comments:

Post a Comment