A cybersecurity organization discovered that the controversial software targeted “Apple’s image rendering library, and worked against Apple iOS, MacOS, and WatchOS devices,” that is, Apple’s own operating systems.
Apple had to urgently repair a computer flaw that the controversial Pegasus software was able to exploit to infect iPhones despite the vigilance of users, demonstrating that no company, no matter how technologically advanced, is immune.
Spyware from Israeli company NSO has successfully hacked Apple-branded devices without resorting to trick links or buttons, the technique commonly used. The flaw was spotted last week by Citizen Lab researchers, who discovered that a Saudi activist’s iPhone had been infected via iMessage, Apple’s messaging system.
This University of Toronto cybersecurity organization explained on September 13 that Pegasus has been using this vulnerability “since at least February 2021”. “This ‘exploit’, which we called FORCEDENTRY, targets Apple’s image rendering library, and worked against Apple iOS, MacOS and WatchOS devices,” the operating systems of the Apple brand’s smartphones, computers and smartwatches.
“After identifying this flaw […], Apple quickly developed and deployed a patch in iOS 14.8 to protect our users,” said Ivan Krstić, director of security systems at Apple. The Californian group praised Citizen Lab for its work and stressed that attacks of this “ultra sophisticated” type “cost millions of dollars, do not last long and are used to target specific people.” They are therefore “not a threat to the overwhelming majority of our users,” said Ivan Krstić.
Pegasus makes it possible “to buy your own NSA”
The update from Apple, which has made the security of its phones and computers a major selling point, shows how increasingly difficult it is for companies, including the Silicon Valley giants, to cope with ever more efficient computer threats.
“In the past, users could be trained to avoid infection by watching out for suspicious text messages and not clicking on links to numbers they didn’t know,” said Kevin Dunne, president of Pathlock, a cybersecurity company. “But now attackers manage, without any click, to access all the data of a phone, its microphone and its camera, through flaws in third-party applications or even in those present by default,” he warned.
Data theft and ransomware attacks have increased in recent months, targeting various companies and organizations, including a US pipeline operator and a major Indian airline. But NSO-related spy hacks are unique in that they come from legal authorities or agencies, using software provided by a company, and not from anonymous criminals. “NSO will continue to equip intelligence agencies and law enforcement around the world with technologies that save lives and help fight crime and terrorism,” the Israeli company that markets Pegasus responded for its part.
Citizen Lab played a key role in bringing the Pegasus mass espionage scandal to light in July. According to information from a consortium of 17 media outlets, in France, a number belonging to Emmanuel Macron and those of former Prime Minister Edouard Philippe and 14 members of the government appeared “in the list of numbers selected by a security service of the Moroccan state, a user of Pegasus spyware, for potential hacking”. In all, according to the associations Amnesty and Forbidden Stories, the case concerns a list of 50,000 telephone numbers around the world selected since 2016 by NSO customers.
Pegasus makes it possible “to buy its own NSA”, that is to say its own American intelligence agency, Ron Deibert, the director of Citizen Lab, had joked in July. “Selling these technologies to governments who will use them in violation of international and human rights law ultimately facilitates the discovery of this software by research organizations, as we and others have shown on multiple occasions. This was still the case this time,” the laboratory said on September 13.
Last March, the American think tank Atlantic Council had already sounded the alarm on the dangerous role played by NSO and other companies specializing in the sale of tools for intruding into smartphones and other computer systems. These experts, and politicians like German Chancellor Angela Merkel, have called for more restrictions on the sale of this type of software, which is operated by states but also by other organizations.