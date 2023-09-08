Apple has released an emergency software update after discovering a previously unknown vulnerability that allowed Israel’s NSO Group to remotely inject its Pegasus spyware onto iPhones and iPads. The vulnerability, known as a zero-day, enabled NSO customers, including countries like Saudi Arabia, Rwanda, and Mexico, to hide malicious code within images sent via iMessage. This code would then grant the Pegasus spyware full control over the device. Pegasus is a powerful spyware capable of unrestricted access to a device’s functionalities, such as reading encrypted messages, activating the camera and microphone remotely, and tracking the device’s location.

The discovery of this vulnerability prompted Apple to issue a patch, which also addressed a separate vulnerability affecting Apple Wallet. The company has not provided further details but emphasized the importance of the update for billions of iPhone users. This incident highlights the ongoing cat-and-mouse game between major tech companies, like Apple, and spyware manufacturers, mainly based in Israel, who exploit unknown vulnerabilities for surveillance purposes. Government agencies often utilize these vulnerabilities to monitor targets covertly.

NSO Group, the company behind Pegasus, has previously claimed that its product is intended for counterterrorism and combating organized crime. However, the recent vulnerability was uncovered by the University of Toronto’s Citizen Lab, which found it on the phone of a Washington, DC-based employee of a civil society organization with international offices. Citizen Lab has exposed the presence of Pegasus on devices belonging to dissidents, journalists, lawyers, and opposition leaders in countries with poor human rights records.

The discovery of this new vulnerability demonstrates NSO’s ability to find rare weaknesses in sophisticated operating systems, even amidst financial challenges resulting from US government sanctions. NSO, predominantly staffed by former members of the Israeli army’s signals intelligence units, was once valued at $1 billion by its private equity backers. However, a 2019 hack targeting the WhatsApp messaging platform resulted in legal action from WhatsApp’s owner, Meta, along with Apple, Amazon, and other tech giants. NSO has argued that its actions should be exempt from legal scrutiny since its software is used by sovereign nations, and the company lacks visibility over the targets of the spyware.

In recent weeks, at least three individuals, including a UK-based political reporter for the Daily Mail, received notifications from Apple disclosing that their phones had been targeted by state actors. It remains unclear whether these attacks originated from NSO’s systems or those of its competitors.