What you need to know
- A flaw in the way iOS 14.6 handles iMessages saw journalists, activists, and others have spyware installed on their devices.
- This is despite iOS 14 protections that were supposed to prevent this from happening.
Journalists, activists, and other groups around the world have seen their iPhones infected with spyware without their knowledge — and without them having to tap a thing to initiate the download. The spyware, Pegasus by NSO Group, is available commercially.
According to a report by multiple news outlets as well as Amnesty International's Security Lab, commercial hacking spyware Pegasus has been found to infect thousands of devices. The report is based on a list of 50,000 phone numbers that were thought to be of interest to clients of NSO. When security experts inspected some of the devices attached to those numbers, they found infections galore.
The analysis Amnesty International conducted of several devices reveal traces of attacks similar to those we observed in 2019. These attacks have been observed as recently as July 2021. Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
For its part, NSO says that none of this is anything to do with the company — pointing out that it doesn't have access to anything its customers collect via its software. As if that matters one jot.
NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.
The fact that Pegasus can be installed without the victim doing anything is of particular concern, as is the fact it still seems to be able to worm its way onto devices running iOS 14.6, as noted by MacRumors.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.— Bill Marczak (@billmarczak) July 18, 2021July 18, 2021
While Apple is testing iOS 14.7 with beta testers right now, iOS 14.6 is the latest version available to everyone else. That means the best iPhone software available to the world, as of today, appears to remain vulnerable to Pegasus.
Those involved in the investigation intend to release a list of the people whose numbers appeared on the list of potential targets. It's said to include business executives, journalists, religious figures, and even government officials.
