Apple Computer recently released an emergency update for a major vulnerability affecting iPhones, iPads, Apple Watches and Mac computers.
The update provides a patch for a zero-click exploit. In layman’s terms: You don’t have to do anything to be compromised. The security hole was exploited through the company’s proprietary iMessage SMS application. Hackers used the vulnerability to install Pegasus spyware, which can intercept texts, tap phone calls, and exfiltrate emails and other information from a connected device. Pegasus can also access the smartphone’s cameras and microphones.
Is Pegasus Dangerous?
Pegasus is the evil brainchild of an Israeli technology firm called NSO Group, which claims Pegasus is sold exclusively to governments for the purpose of law enforcement.
Leaked reports found more than 50,000 politicians, human rights advocates and journalists were compromised and their communications intercepted using NSO’s spyware. There’s also evidence of Pegasus being used and deployed by members of Mexican drug cartels.
While NSO Group hasn’t been forthcoming about exactly how and where this extremely powerful (and dangerous) spyware has been deployed, the average mobile device user is unlikely to be targeted.
Perhaps the larger issue of concern for Apple device owners is that the company claimed the vulnerability exploited by Pegasus earlier this year had been fixed.
Dubbed “BlastDoor,” Apple’s new security software was, at least in theory, meant to block the potential for any iMessage-based hacks, especially where zero-click exploits were concerned. The fact that NSO Group managed to find a workaround within the space of a few months should stand as an object lesson in cybersecurity. No device can be regarded as 100% secure unless it is turned off, placed in a copper mesh bag, and run through a tree chipper.
What Should Users Do?
The most pressing and immediate thing to do is to update any and all Apple devices as soon as possible, and to encourage others to do the same.
While the risk of compromise by Pegasus is slim, the vulnerability is still a significant one that could be exploited by other forms of malware, and updating is a quick and painless process.