Apple on Monday advised all users to update their devices after researchers warned that the Israeli spyware company NSO Group had developed a way to take control over nearly any Apple computer, watch or iPhone.
“It’s absolutely terrifying,” said John Scott-Railton, a senior researcher at The Citizen Lab, which recently discovered the software exploit and notified Apple about it. The group published a report about it Monday.
The malicious software takes control of an Apple device by first sending a message through iMessage, the company’s default messaging app, and then hacking through a flaw in how Apple processes images. It is what’s known in the cybersecurity industry as a “zero-click” exploit — a particularly dangerous and pernicious flaw that doesn’t require a victim clicking a link or downloading a file to take over.
People whose devices have been exploited are extremely unlikely to realize they’ve been hacked, Scott-Railton said.
“The user sees crickets while their iPhone is silently exploited,” he said. “Someone sends you a GIF that isn’t, and then you’re in trouble. That’s it. You don’t see a thing.”
As is often the case with NSO Group hacking, the newly discovered exploit is both technologically remarkable but likely only used on people specifically targeted by governments who use the company’s software.
NSO Group creates surveillance and hacking software that it leases to governments to spy on individuals’ computers and smartphones. For years, it has insisted that its primary product, Pegasus, is a vital tool to stop terrorists and other criminals, and that it merely leases its technology to legitimate governments in accordance with their own laws. It has also insisted it can’t be used to target Americans’ phones, and that it revokes usage from countries that misuse its products.
But Citizen Lab, a cybersecurity research center at the University of Toronto, has repeatedly found instances of Pegasus software used against journalists in Mexico who investigated cartels and Saudi Arabian dissidents, including associates of the slain Washington Post columnist Jamal Khashoggi.
In an emailed statement, an NSO spokesperson said that “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
An NSO Group spokesperson didn’t immediately return a request for comment.
While Pegasus isn’t known for surveilling large numbers of people, governments often use it to target individuals who don’t appear to be violent criminals, said Bill Marczak, a Citizen Lab senior research fellow. Citizen Lab was only able to identify this exploit because it was examining the phone of a Saudi dissident who so far has not given permission to share his name with the public, he said.
“In this case, it’s pretty clear that this person was targeted for being an activist and not for any other reason,” Marczak said.
Apple didn’t published technical notes with a new software update available Monday that addressed flaws identified by Citizen Lab. The company noted that “this issue may have been actively exploited.”
In an emailed statement, Apple’s head of Security Engineering and Architecture, Ivan Krstić, thanked Citizen Lab for alerting the company to the exploit.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said.
Updating to the latest version of iOS or Mac OS will keep users from being newly infected with this particular exploit, Scott-Railton said.
“This will prevent you from being infected with this exploit going forward,” he said. “But what we know is NSO is always trying to find other ways to infect people’s phones, and they may turn to something else.”