Apple on Monday advised all users to update their devices after researchers warned that Israeli spyware company NSO Group has developed a way to take control of almost any Apple computer, watch, or iPhone.
“It’s absolutely terrifying,” said John Scott-Railton, senior researcher at Citizen Lab, who recently discovered the software exploit and told Apple about it. The group published a report on it Monday.
The malware takes control of an Apple device by first sending a message through iMessage, the company’s default messaging app, and then exploiting a flaw in how Apple processes images. This is known in the cybersecurity industry as a “zero click” exploit – a particularly dangerous and pernicious flaw that can be used to take over a device without the victim clicking a link or downloading a file.
The people whose devices have been exploited are extremely unlikely to realize they have been hacked, Scott-Railton said.
“User sees crickets while their iPhone is operated silently,” he said. “Someone sends you a GIF that isn’t, and then you’re in trouble. That’s it. You don’t see anything.”
As is often the case with NSO Group hacks, the newly discovered exploit is both technologically remarkable and likely used only on people specifically targeted by governments using the company’s software.
NSO Group creates surveillance and hacking software that it rents to governments to spy on individuals’ computers and smartphones. For years, it has insisted that its main product, Pegasus, is a vital tool in stopping terrorists and other criminals, and that it is simply leasing its technology to legitimate governments in accordance with their own laws. It has also insisted that Pegasus cannot be used to target Americans’ phones, and that it revokes access for countries that abuse its products.
But Citizen Lab, a cybersecurity research center at the University of Toronto, has repeatedly found examples of Pegasus software being used against journalists in Mexico who have investigated cartels and against Saudi dissidents, including associates of the slain Washington Post columnist Jamal Khashoggi.
In an emailed statement, an NSO spokesperson said that “NSO Group will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terrorism and crime.”
A spokesperson for NSO Group did not immediately return a request for comment.
While Pegasus isn’t known to be used to monitor large numbers of people, governments often use it to target individuals who don’t appear to be violent criminals, said Bill Marczak, senior researcher at Citizen Lab. Citizen Lab was able to identify this exploit only because it was examining the phone of a Saudi dissident who has so far not given permission to share his name with the public, he said.
“In this case, it is quite clear that this person was targeted for being an activist and not for some other reason,” Marczak noted.
Apple did not release technical notes with the software update it issued on Monday, which fixes the flaws identified by Citizen Lab. The company noted that “this issue may have been actively exploited.”
In an emailed statement, Apple’s head of engineering and security architecture, Ivan Krstić, thanked Citizen Lab for alerting the company to the exploit.
“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” Krstić said.
Updating to the latest version of iOS or macOS will prevent users from being newly infected with this particular exploit, Scott-Railton said.
“This will prevent you from getting infected with this exploit in the future,” he said. “But what we do know is that NSO is always trying to find other ways to infect people’s phones, and they may look to something else.”