Apple releases update fixing NSO spyware vulnerability affecting Macs, iPhones, iPads and Watches

Citizen Lab said the vulnerability would give hackers access to a device without the victim even clicking anything.
Written by Jonathan Greig, Contributor

Apple has released an urgent security update for Mac, iPhone, iPad and Watch users after researchers with Citizen Lab discovered a zero-day, zero-click exploit from mercenary spyware company NSO Group that gives attackers full access to a device's camera, microphone, messages, texts, emails, calls and more.

Citizen Lab said in a report that the vulnerability -- tagged as CVE-2021-30860 -- affects all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina and all Apple Watches prior to watchOS 7.6.2.

Apple added that it affects all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. 

CVE-2021-30860 allows commands to be executed when files are opened on certain devices. Citizen Lab noted that the vulnerability would give hackers access without the victim even clicking anything. Citizen Lab previously showed that repressive governments in Bahrain, Saudi Arabia and more had used NSO Group tools to track government critics, activists and political opponents. 

Ivan Krstić, head of Apple Security Engineering and Architecture, told ZDNet that after identifying the vulnerability used by this exploit for iMessage, Apple "rapidly developed and deployed a fix in iOS 14.8 to protect our users." 

"We'd like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," Krstić said. 

"While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

John Scott-Railton, a senior researcher at Citizen Lab, spoke out on Twitter to explain what he and Citizen Lab senior research fellow Bill Marczak found and reported to Apple. They found that the vulnerability has been in use since at least February. Apple credited them with discovering it. 

"Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. Bill did a backup at the time. A recent a re-analysis yielded something interesting: weird looking '.gif' files. Thing is, the '.gif' files...were actually Adobe PSD & PDF files...and exploited Apple's image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile Pegasus is silently installed and their device becomes a spy in their pocket," Scott-Railton explained.

"NSO Group says that their spyware is only for targeting criminals and terrorists. But here we are...again: their exploits got discovered by us because they were used against an activist. Discovery is inevitable byproduct of selling spyware to reckless despots. Popular chat apps are the soft underbelly of device security. They are on every device and some have a needlessly large attack surface. Their security needs to be a *top* priority."

In a longer report about the vulnerability, Citizen Lab researchers said that it is the "latest in a string of zero-click exploits linked to NSO Group." 
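
The mismatch Scott-Railton describes above, a '.gif' name on a file whose content is a PSD or PDF, can be surfaced during triage of an extracted backup by comparing each file's extension with its leading signature bytes. This is an added example, not Citizen Lab's tooling or part of the original article; the directory layout, file names and sample bytes are constructed, and a mismatch is only a lead for further analysis, not proof of this exploit.

```python
import os
import tempfile

# Leading signature ("magic") bytes of the formats named in the quote.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff_type(header: bytes):
    """Return the format whose signature starts `header`, or None."""
    for name, magics in SIGNATURES.items():
        if header.startswith(magics):
            return name
    return None

def find_mismatches(root: str):
    """List (relative path, detected type) for .gif files that are not GIFs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            actual = sniff_type(header)
            if actual != "gif":
                findings.append((os.path.relpath(path, root), actual or "unknown"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and scan it."""
    samples = {  # constructed headers only, no real attachment content
        "real.gif": b"GIF89a\x01\x00\x01\x00",
        "a_psd.gif": b"8BPS\x00\x01" + b"\x00" * 6,
        "b_pdf.gif": b"%PDF-1.4\n",
        "c_empty.gif": b"",
        "report.pdf": b"%PDF-1.7\n",  # honest extension, not reported
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)
```
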

NSO Group has faced significant backlash globally after researchers discovered that governments, criminals and others were using its Pegasus spyware to tacitly track thousands of journalists, researchers, dissidents and even world leaders. 

"In 2019, WhatsApp fixed CVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group used against more than 1,400 phones in a two-week period during which it was observed, and in 2020, NSO Group employed the KISMET zero-click iMessage exploit," the researchers said.

They said their latest discovery "further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies." 

"Regulation of this growing, highly profitable, and harmful marketplace is desperately needed," they added. 

Reuters reported that since the concerns about NSO Group were raised publicly earlier this year, the FBI and other government agencies across the world have opened investigations into their operations. NSO Group is based in Israel, prompting the government there to kickstart its own investigation into the company. 

The company designed tools to specifically get around Apple's BlastDoor defense that was implemented in iMessage to protect users. 

Ryan Polk, senior policy advisor with the Internet Society, told ZDNet that the Pegasus-NSO case is a proof point for the dire consequences posed by encryption backdoors. 

"The tools built to break encrypted communications inherently run the risk of falling into the wrong hands -- placing all who rely on encryption in greater danger. Imagine a world where tools like Pegasus come built in every app or device -- however, unlike now, companies have no option to remove them and all users are targeted," Polk said. 

"End-to-end encryption keeps everyone safe, especially those from vulnerable communities -- like journalists, activists, and LGBTQ+ community members in more conservative countries."

In 2016, cybersecurity company Lookout worked with Citizen Lab to discover Pegasus. Hank Schless, senior manager of security solutions at Lookout, said the tool has continued to evolve and take on new capabilities. 

It can now be deployed as a zero-click exploit, which means that the target user doesn't even have to tap a malicious link for the surveillanceware to be installed, Schless explained, adding that while the malware has adjusted its delivery methods, the basic exploit chain remains the same. 

"Pegasus is delivered via a malicious link that's been socially engineered to the target, the vulnerability is exploited and the device is compromised, then the malware communicated back to a command-and-control (C2) server that gives the attacker free reign over the device. Many apps will automatically create a preview or cache of links in order to improve the user experience," Schless said. 

"Pegasus takes advantage of this functionality to silently infect the device." 

He added that NSO has continued to claim that the spyware is only sold to a handful of intelligence communities within countries that have been vetted for human rights violations. But the recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims, he added. 

"This exemplifies how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present. Pegasus is an extreme, but easily understandable example. There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data," Schless told ZDNet. 
