Apple has released a suite of new updates for iOS, macOS, and watchOS to fix a bug that security researchers at Citizen Lab say was very likely exploited to allow government agencies to install spyware into the phones of journalists, lawyers, and activists.
The researchers say the bug allowed for a “zero-click” install (meaning the target didn’t have to do anything to be infected) of the Pegasus spyware, which is reportedly capable of stealing data, passwords, and activating a phone’s microphone or camera.
Security researchers have found evidence of attempted or successful installations of Pegasus, software made by Israel-based cybersecurity company NSO Group, on 37 phones of activists, journalists, and businesspeople. The activists and others appear to have been targets of secret surveillance by software that’s intended to pursue criminals and terrorists.
Given the severity of the exploit, you should update to iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2 as soon as you can. It has become a politically explosive issue that has put Israel under pressure, not just by activists, but also by governments worried about misuse of the software. France and the United States have raised concerns, and NSO has suspended some countries’ Pegasus privileges.
On Monday, Apple reportedly fixed a security hole that Pegasus exploited for installation on iPhones. Malware often uses collections of such vulnerabilities to gain a foothold on a device and then expand privileges to become more powerful. NSO Group’s software also runs on Android phones.
Pegasus is the latest example of how vulnerable we all are to digital prying. Most personal information — photos, text messages, and emails — is stored on phones. Spyware can reveal directly what’s going on in our lives, bypassing the encryption that protects data sent over the internet.
What is NSO Group and Pegasus?
It’s a company that licenses surveillance software to government agencies. The company says its Pegasus software provides a valuable service because encryption technology has allowed criminals and terrorists to go “dark.” The software runs secretly on smartphones, shedding light on what their owners are doing. Other companies provide similar software.
Chief Executive Shalev Hulio co-founded the company in 2010. NSO also offers other tools that locate where a phone is being used, defend against drones, and mine law enforcement data to spot patterns.
NSO has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Jamal Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year.
Pegasus is NSO’s best-known product. It can be installed remotely without a surveillance target ever having to open a document or website link, according to The Washington Post. Pegasus reveals all to the NSO customers who control it — text messages, photos, emails, videos, contact lists — and can record phone calls. It can also secretly turn on a phone’s microphone and cameras to create new recordings.