Apple advised all users on Monday to update their devices after researchers warned that the Israeli spyware company NSO Group had developed a method to gain control of nearly any Apple computer, watch, or iPhone.
“It’s absolutely terrifying,” said John Scott-Railton, a senior researcher at The Citizen Lab, which discovered and notified Apple about the software exploit. On Monday, the group issued a report about it.
The malicious software takes control of an Apple device by first sending a message via iMessage, the company’s default messaging app, and then exploiting a flaw in Apple’s image processing. It is a “zero-click” exploit, a particularly dangerous and pernicious kind that takes over a device without requiring the victim to click a link or download a file.
People who have had their devices hacked are extremely unlikely to realize it, according to Scott-Railton.
“The user hears crickets while their iPhone is being silently exploited,” he explained.
“Someone sends you a GIF that isn’t a GIF, and you’re in big trouble. That is all there is to it. You can’t see anything.”
As is frequently the case with NSO Group hacking, the newly discovered exploit is both technologically remarkable and likely to be used only on people specifically targeted by governments that use the company’s software.
NSO Group develops surveillance and hacking software that it rents to governments in order to spy on people’s computers and smartphones. For years, it has insisted that its primary product, Pegasus, is a critical tool in the fight against terrorists and other criminals, and that it merely leases its technology to legitimate governments in accordance with their own laws. It has also stated that the software cannot be used to target Americans’ phones and that it revokes licenses from countries that abuse its products.
However, Citizen Lab, a cybersecurity research center at the University of Toronto, has repeatedly discovered instances of Pegasus software being used against Mexican journalists investigating drug cartels and Saudi dissidents.
An NSO spokesperson said in an emailed statement, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
While Pegasus is not known for mass surveillance, governments frequently use it to target individuals who do not appear to be violent criminals, according to Bill Marczak, a Citizen Lab senior research fellow. Citizen Lab was only able to identify this exploit because it was examining the phone of a Saudi dissident who, according to Marczak, has not given permission to share his name with the public. “In this case, it’s pretty clear that this person was targeted solely for being an activist,” Marczak said.
Apple released technical notes along with a new software update on Monday that addressed flaws discovered by Citizen Lab. According to the company, “this issue may have been actively exploited.”
Ivan Krstić, Apple’s head of Security Engineering and Architecture, thanked Citizen Lab for alerting the company to the exploit in an emailed statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, frequently have a limited shelf life, and are used to target specific individuals,” Krstić explained. Updating to the most recent version of iOS or macOS will prevent users from becoming infected with this specific exploit, according to Scott-Railton.
“This will keep you from being infected with this exploit in the future,” he explained. “However, we know that NSO is always looking for new ways to infect people’s phones, and they may turn to something else.”