Apple releases security update on Pegasus hack
Cyber surveillance company NSO Group has used new methods to deploy its military-grade spyware Pegasus by leveraging previously unknown flaws in Apple’s software, prompting the company to issue a security update to millions of its customers late on Monday.
The new version of the spyware was found by Canadian cyber security researchers at Citizen Lab, who discovered Pegasus implanted in the phone of a Saudi activist. The software flaw, like the others NSO is reported to have often leveraged, was particularly worrying since it allowed for the spyware to be inserted silently without needing to fool the victim into opening suspicious links or files.
Apple confirmed a “sophisticated” attack had taken place exploiting the flaw, although it did not name NSO Group or Pegasus. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement issued by the company.
“We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly,” the statement also said.
NSO Group has maintained that it serves only vetted government clients for law enforcement against criminals and terrorists. “But here we are... again: their exploits got discovered by us because they were used against an activist,” said John Scott-Railton, senior researcher at Citizen Lab, in a tweet on Tuesday.
In a statement to Reuters, NSO did not confirm or deny that it was behind the technique, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Companies such as Apple are locked in a cat-and-mouse chase with companies such as NSO Group to fix flaws in their software before they are exploited for cyber surveillance and by cyber criminals. In 2019, Facebook sued NSO Group for a similar abuse of its systems when Pegasus was delivered to victims’ phones – including over a dozen in India – using flaws in WhatsApp.
Since then, Microsoft, Google, Cisco, and VMware have supported Facebook’s lawsuit against NSO Group.
India’s Supreme Court too is expected to decide this week if and how it wants the Union government to answer questions on whether the spyware was used against Indian citizens, including current and former ministers, opposition leaders, judges, journalists and activists. The government has said it is not in a position to share these details because of national security implications.
Apple and security researchers urged everyone using an iPhone, Apple Watch or a Mac to immediately install the latest software update.
Citizen Lab, which named the latest method of hacking phones FORCEDENTRY, discovered it while analysing the phone of a Saudi activist in March. The hack was carried out by using code flaws in how Apple devices render images and PDFs, it said.
In a blog post detailing the discovery, the researchers said they linked the new attack to NSO Group because of a forensic artifact that matched findings when Pegasus was found on the devices of past victims.
Citizen Lab said it informed Apple and shared the forensic evidence with it on September 7, making the update one of the quickest responses to such a major security flaw, which reinforces its criticality.
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed,” Citizen Lab said.