Los Angeles Times

Apple patches flaw allowing ‘zero-click’ infections

- By Frank Bajak Bajak writes for the Associated Press.

Apple released an emergency software patch to fix a security vulnerabil­ity that researcher­s said could allow hackers to directly infect iPhones and other Apple devices without any user action.

The researcher­s at the University of Toronto’s Citizen Lab said the flaw allowed spyware from the world’s most infamous hacker-for-hire firm, NSO Group, to directly infect the iPhone of a Saudi activist.

The flaw affected all Apple’s operating systems, the researcher­s said.

It was the first time a socalled “zero-click” exploit had been caught and analyzed, said the researcher­s, who found the malicious code Sept. 7 and immediatel­y alerted Apple. They said they had high confidence the Israeli company NSO Group was behind the attack, adding that the targeted activist asked to remain anonymous.

“We’re not necessaril­y attributin­g this attack to the Saudi government,” researcher Bill Marczak said.

Although Citizen Lab previously found evidence of zero-click exploits being used to hack into the phones of Al Jazeera journalist­s and other targets, “this is the first one where the exploit has been captured so we can find out how it works,” Marczak said.

Although security experts say that the average iPhone, iPad and Mac user generally need not worry — such attacks tend to be highly targeted — the discovery still alarmed security profession­als.

Malicious image files were transmitte­d to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which opens a phone to eavesdropp­ing and remote data theft, Marczak said. It was discovered during a second examinatio­n of the phone, which forensics showed had been infected in March. He said the malicious file causes devices to crash.

NSO Group did not immediatel­y respond to an email seeking comment.

In a blog post, Apple said it was issuing a security update for iPhones and iPads because a “maliciousl­y crafted” PDF file could lead to them being hacked. It said it was aware that the issue may have been exploited and cited Citizen Lab. Apple didn’t immediatel­y respond to questions regarding whether this was the first time it had patched a zeroclick.

Citizen Lab called the iMessage exploit ForedEntry and said it was effective against Apple iOS, MacOS and WatchOS devices.

Researcher John ScottRailt­on said the news highlights the importance of securing popular messaging apps against such attacks. “Chat apps are increasing­ly becoming a major way that nation-states and mercenary hackers are gaining access to phones,” he said. “And it’s why it’s so important that companies focus on making sure that they are as locked down as possible.”

The researcher­s said it also exposes — again — that NSO’s business model involves selling spyware to government­s that will abuse it, not just to law enforcemen­t officials chasing cybercrimi­nals and terrorists, as NSO claims.

“If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,” Marczak said.

Facebook’s WhatsApp was also alleged to have been targeted by an NSO zeroclick exploit in October 2019. Facebook sued NSO in U.S. federal court, accusing it of targeting some 1,400 users of the encrypted messaging service with spyware.

In July, a global media consortium published a damning report on how clients of NSO Group have been spying for years on journalist­s, human rights activists, political dissidents and people close to them, with the hacker-for-hire group directly involved in the targeting.

Amnesty Internatio­nal said it confirmed 37 successful Pegasus infections based on a leaked targeting list whose origin was not disclosed.

One involved the fiancee of Washington Post journalist Jamal Khashoggi just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The CIA attributed the murder to the Saudi government.

The recent revelation­s also prompted calls for an investigat­ion into whether Hungary’s right-wing government used Pegasus to secretly monitor critical journalist­s, lawyers and business figures. India’s parliament also erupted in protests as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political opponents and others.

France is also trying to get to the bottom of allegation­s that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unidentifi­ed Moroccan security service using Pegasus.

Morocco, a key French ally, denied those reports and is taking legal action to counter allegation­s implicatin­g the North African kingdom in the spyware scandal.

 ?? Christoph Dernbach Associated Press ?? THE FLAW Apple fixed could allow iPhones and other devices to be infected without any user action.
Christoph Dernbach Associated Press THE FLAW Apple fixed could allow iPhones and other devices to be infected without any user action.

Newspapers in English

Newspapers from United States