It’s not just you. Emergency software fixes, in which users are tricked into updating phones and computers immediately because hackers have found a new way to break in, are increasingly common.
Researchers sounded the alarm on Monday over a major problem: Israeli spyware company NSO Group, which sells programs to governments to remotely support people’s smartphones and computers, found a new way to access virtually any Apple device by sending fake GIF through iMessage. The only way to prevent this is to install Apple’s Emergency Software Update.
Such emergency vulnerabilities are called “zero days” – a reference to the fact that they are such an urgent vulnerability in a program that software engineers have zero days to write a patch. Against a hacker with the correct day zero, there is nothing consumers can do but wait for software updates or ditch devices altogether.
Once viewed as high-value cyber weapons owned primarily by elite government hackers, publicly disclosed zero-day exploits are on the rise. Project Zero, a Google team dedicated to identifying and cataloging zero days, counted 44 of them this year alone, where hackers likely discovered them before researchers. This is already a large increase compared to last year, which saw 25. The number has increased every year since 2018.
Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and businesses with vulnerabilities, said the zero-day increase is due to the ad hoc way software is typically programmed, which deals with often safety as an afterthought.
“It was absolutely inevitable,” she said. “We have never addressed the root cause of all of these vulnerabilities, which is not strengthening security from the ground up. “
But almost paradoxically, the zero-day rise reflects an online world in which some individuals are more vulnerable, but most are actually more secure from hackers.
The Citizen Lab, the University of Toronto’s cybersecurity research center that discovered Monday’s vulnerability, only saw it because it was examining a Saudi dissident’s iPhone. And the lab was inclined to seek him out because it has repeatedly discovered that Saudi Arabia is using NSO spyware to target dissidents in the kingdom, including associates of murdered Washington Post columnist Jamal Khashoggi.
But while those targeted by the Saudi government are expected to be on extremely high alert, most individuals could actually be safer. Because major operating systems tend to have better security solutions in place, it means hackers often have to acquire and use one or more zero-day exploits to take full control of people’s smartphones, Maddie said. Stone, a Project Zero security researcher.
Most people have more to worry about important data leaks from private companies.
“A lot of people don’t have to worry about [zero days] day to day, ”Stone said on a phone call. “It would seem counterintuitive to most, but seeing the number of days zero increase is actually a response to the increase in security defenses deployed on a much larger scale. “
Of course, users still need to update their phones to benefit from this security, especially because the announcement of a new zero day could cause more hackers to reverse engineer to access any phone running a virus. old version of their operating system.
“I believe more of us in the audience need to be worried,” Stone said. Because if fewer people can be hacked, “these instances of zero day attacks tend to have a much bigger impact.”