Apple has released an emergency software fix after researchers discovered a security hole that could allow hackers to stealthily install spyware on your Apple devices even if you do nothing, not even click on a link.
The spyware can eavesdrop on you or steal data from your device. All of Apple’s operating systems are vulnerable, including those that run on iPads, Macs, and Apple Watches.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement to USA TODAY.
The University of Toronto’s Citizen Lab said the “zero-click” flaw allowed Pegasus spyware from the Israeli firm, NSO Group, to infect the iPhone of a Saudi activist by sending an image file via iMessage.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said.
Are you at risk of being targeted by this kind of attack? Most likely not. However, that is no reason to leave your Apple devices vulnerable.
Fortunately, the fix is simple. To ensure your devices have received the update, check that you’re running iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, or security update 2021-005 for macOS Catalina. According to Apple, compatible iOS and iPadOS devices include: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).”
Security researchers at the University of Toronto’s Citizen Lab discovered the zero-day attack and published a study explaining it earlier today. Apple tracks the vulnerability as CVE-2021-30860 and credits Citizen Lab with discovering it.
Previous Citizen Lab studies have highlighted NSO’s zero-click attacks on other devices, adding that users with infected devices “may not notice anything suspicious” going on in many situations. According to the New York Times, Citizen Lab researcher John Scott-Railton said that whoever is behind the hack can do “everything an iPhone user can do on their device and more” once it’s infected. This includes tracking any texts or emails received, tracking any phone calls made, and turning on a device’s camera without the user’s permission.
As with prior comparable exploits, Apple’s hardware team acted quickly to address the zero-click vulnerabilities this time. In addition, the company secretly changed the code behind iOS in February of this year to make it significantly harder for NSO the next time it attempted such a broad yet subtle attack.
As additional information becomes available, this story will be updated.