We knew iOS 14.8 was coming, but the update came earlier than expected.
With Apple's keynote taking place tonight, where the company is expected to unveil a new iPhone and announce the release date of iOS 15, the Cupertino firm is rolling out a new version of its mobile operating system.
Image: iOS 14.8.
The Cupertino company specifies that this update contains two security fixes and is recommended for all users. At the same time, Apple is releasing security patches for its other operating systems, including macOS, iPadOS, and watchOS.
Apple released an urgent security update for Mac, iPhone, iPad, and Apple Watch users after Citizen Lab researchers discovered a “zero-day”, “zero-click” exploit from the spyware company NSO Group, which would give potential attackers full access to the camera, microphone, messages, text messages, emails, calls, etc. on a device.
Citizen Lab specifies in its report that the vulnerability, labeled CVE-2021-30860, affects all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6 and Security Update 2021-005 Catalina, and all Apple Watches with versions prior to watchOS 7.6.2. Apple adds that it affects all iPad Pro models, iPad Air 2 and later, fifth-generation iPad and later, iPad mini 4 and later, and the seventh-generation iPod touch.
CVE-2021-30860 allows commands to be executed when files are opened on certain devices. Citizen Lab notes that the vulnerability would give potential attackers access without the victim even clicking on anything. Citizen Lab has previously shown that repressive governments in Bahrain, Saudi Arabia, and other countries have used the NSO Group’s tools to track down government critics, activists, and political opponents.
A patch developed and implemented quickly by Apple
Ivan Krstić, Apple’s head of security engineering and architecture, says that after identifying the vulnerability used by this exploit for iMessage, Apple “quickly developed and implemented a patch in iOS 14.8 to protect its users.”
“We would like to congratulate Citizen Lab for completing this rigorous work of obtaining a sample of the exploit, so that we can develop this solution quickly. Attacks such as those described are very sophisticated, cost millions of dollars to develop, often have a short lifespan and are used to target specific individuals,” he explains.
“Even though this means that they are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers and constantly add new protections for their devices and data.”
Activists spied on
On Twitter, John Scott-Railton recounts the discovery he made at the Citizen Lab with Bill Marczak and reported to Apple. In particular, they noted that the vulnerability had been in use since at least February. Apple gave them credit for this discovery.
“Last March, my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. Bill made a backup at that time. A recent rescan yielded something interesting: some strange-looking ‘.gif’ files. In fact, the .gif files … were Adobe PSD and PDF files … and they took advantage of Apple’s image rendering library. Results? Silent operation through iMessage. The victim sees *nothing*, while Pegasus silently settles in and his device becomes a spy in his pocket,” describes John Scott-Railton.
“NSO Group says its spyware is only used to target criminals and terrorists. But there you have it … again: its exploits were discovered by us, because they were used against an activist. The discovery is an inevitable by-product of the sale of spyware to reckless thugs. Popular chat apps are the most vulnerable part of device security. They are present in all devices and some have an unnecessarily large attack surface. Your safety must be a top priority.”
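The mismatch described in the quote above (files named .gif whose content was really PSD or PDF) is something a defender can check for in an extracted device backup by comparing each file's leading magic bytes with its extension. The Python below is an added example, not Citizen Lab's tooling; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Leading magic bytes of the three formats named in the quote.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff(header: bytes) -> str:
    """Return the format implied by a file's first bytes, or 'unknown'."""
    for fmt, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return fmt
    return "unknown"

def find_mismatched_gifs(root: str) -> list[tuple[str, str]]:
    """Walk root; report (relative path, real format) for each non-GIF *.gif."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".gif"):
                continue  # only files that claim to be GIFs are of interest
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                real = sniff(fh.read(8))
            if real != "gif":
                hits.append((os.path.relpath(path, root), real))
    return sorted(hits)

def demo() -> list[tuple[str, str]]:
    """Run the check on a constructed tree (names and contents are made up)."""
    samples = {
        "a.gif": b"GIF89a\x01\x00\x01\x00",  # genuine GIF header
        "b.gif": b"8BPS\x00\x01\x00\x00",    # PSD content, .gif name
        "c.gif": b"%PDF-1.4\n",              # PDF content, .gif name
        "d.pdf": b"%PDF-1.7\n",              # honest PDF, ignored
        "e.gif": b"",                        # empty file, flagged as unknown
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatched_gifs(root)

if __name__ == "__main__":
    for path, real in demo():
        print(f"{path}: extension .gif, content {real}")
```

A mismatch is a triage signal that a file deserves closer inspection, not evidence of compromise on its own.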
Regulate the spyware market
In a longer report on the vulnerability, Citizen Lab researchers write that this is the “latest in a series of zero-click exploits linked to the NSO Group.” The NSO Group faced a massive backlash around the world after investigators discovered that governments, criminals and others were using its Pegasus spyware to covertly track thousands of journalists, researchers, dissidents and others, including world leaders.
“In 2019, WhatsApp fixed CVE-2019-3568, a ‘zero-click’ vulnerability in WhatsApp calls that NSO Group used against more than 1,400 phones in a two-week period in which it was observed, and in 2020, NSO Group used KISMET’s clickless iMessage exploit,” say the researchers.
They add that their latest discovery “further illustrates that companies like the NSO Group are facilitating ‘despotism as a service’ for unaccountable government security agencies. … Regulation of this rapidly expanding, highly profitable and harmful market is desperately needed.”
Tools that could fall into the wrong hands
Reuters reports that since concerns about NSO Group were publicly raised earlier this year, the FBI and other government agencies around the world have opened investigations into its operations.
NSO Group is based in Israel, prompting the Israeli government to launch its own investigation into the company. The company has designed tools to bypass Apple’s BlastDoor defense, implemented in iMessage to protect users.
Ryan Polk, Senior Policy Advisor for the Internet Society, says that the Pegasus-NSO affair is proof of the dire consequences of encryption back doors: “Tools designed to break encrypted communications risk falling into the wrong hands, putting anyone who relies on encryption at risk. Imagine a world where tools like Pegasus are built into every application or device, but unlike today, companies don’t have the option to remove them and all users are targeted. (…) End-to-end encryption helps keep everyone safe, especially members of vulnerable communities such as journalists, activists or even members of LGBTQ+ communities in more conservative countries.”
The risk of mobile devices
In 2016, cybersecurity company Lookout worked with Citizen Lab to discover Pegasus. Hank Schless, Lookout’s senior director of security solutions, believes the tool has continued to evolve and now has new capabilities: it can now be deployed as a zero-click exploit, meaning the target user doesn’t even need to click a malicious link for the monitoring software to be installed.
He adds that although the malware has adjusted its delivery methods, the basic chain of exploitation remains the same. “Pegasus is distributed through a malicious link that has been socially designed for the purpose, the vulnerability is exploited and the device is compromised, then the malware is sent back to a command and control server (C2) that gives the attacker full control of the device. Many applications automatically create a link preview or cache to improve the user experience,” explains Hank Schless. “Pegasus takes advantage of this feature to silently infect the device.”
He adds that the NSO Group continues to claim that its spyware is only sold to a handful of intelligence communities, in countries known to respect human rights. But the recent exposure of 50,000 phone numbers, tied to the targets of the NSO Group’s clients, has undermined this argument and more clearly shows the NSO Group’s ambitions, he said.
“This case shows how important it is for individuals and businesses to have visibility into the risks posed by their mobile devices. Pegasus is an extreme example, but easily understandable. There are countless pieces of malware that can easily exploit known vulnerabilities in devices and software to gain access to your most sensitive data,” warns Hank Schless.