Apple has released a significant security update for iPhones and iPads to patch a newly discovered vulnerability that could allow hackers to install spyware on the devices without any user interaction. The update, iOS 16.6.1, is available for all devices running iOS 16 or later and should be installed as soon as possible.
What is the security flaw and how was it discovered?
The security flaw was discovered by researchers at the University of Toronto’s Citizen Lab, who said it was being “actively exploited” to deliver commercial spyware called Pegasus, developed and sold by the Israeli company NSO Group. Pegasus is an expensive tool typically used to target dissidents, journalists and political opponents, so ordinary users likely have little to fear. Still, Citizen Lab recommends that all users “immediately” update their devices.
The researchers said they found evidence of the exploit on the phone of an unnamed employee of an international civil society organization who was targeted by NSO Group’s clients. The exploit involved sending malicious images through iMessage that could trigger the execution of arbitrary code on the device. The exploit could bypass Apple’s security features such as BlastDoor and Lockdown Mode, which were designed to protect against such attacks.
Citizen Lab said it notified Apple about the vulnerability on September 7, and Apple released the patch on September 8. Citizen Lab said it will publish a more detailed report on the exploit chain in the future.
How to update your device and protect yourself from spyware?
To install the update, open Settings on your iPhone or iPad, then select “General” followed by “Software Update.” You should see the iOS 16.6.1 software update there; tap to begin the installation. If you don’t see the update, go back to the General page, then tap “About” to check your iOS version number. If it’s 16.6.1, you already have the update installed. If your phone is still using 16.6 or an earlier version, repeat the above steps. If you still don’t see an update, try restarting your phone. If that doesn’t make the update appear, double-check your internet connection and then wait a bit before trying again.
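The version check above is done by hand on one phone. An administrator responsible for many devices would run the same comparison over an inventory export instead. The following Python is an added example, not code from the article, Apple or Citizen Lab; the device names and version strings in the inventory are constructed sample data, and it assumes the inventory has already been exported as (name, version) pairs. It generalizes the article's single check to a fleet and handles the comparison pitfalls a plain string comparison would get wrong, such as "16.6" versus "16.6.1" and "16.10" versus "16.6".

```python
"""Flag devices whose reported iOS version is older than the patched release.

Added example (not from the article). The inventory below is constructed
sample data; the only fact taken from the article is the patched version.
"""
from __future__ import annotations

PATCHED_VERSION = "16.6.1"  # release the article says carries the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '16.6' or '16.6.1' into a tuple of ints for numeric comparison.

    Comparing strings would rank '16.10' below '16.6' and would treat
    '16.6' and '16.6.0' as different versions; tuples of ints avoid both.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Drop trailing zeros so that '16.6' and '16.6.0' compare equal.
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    return nums


def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """Return True when `installed` is strictly older than the patched release."""
    return parse_version(installed) < parse_version(patched)


# Constructed sample inventory: (device name, iOS version the device reports).
SAMPLE_INVENTORY = [
    ("ceo-iphone", "16.6"),        # one point release behind the fix
    ("press-ipad", "16.6.1"),      # already patched
    ("field-iphone-07", "16.5.1"), # older minor release
    ("lab-iphone", "17.0"),        # newer major release, not affected
    ("legal-ipad", "16.6.0"),      # same as 16.6, still vulnerable
]


def devices_needing_update(inventory, patched: str = PATCHED_VERSION) -> list[str]:
    """Return the names of devices still running a build older than `patched`."""
    return [name for name, version in inventory if needs_update(version, patched)]


if __name__ == "__main__":
    for name in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{name}: update to iOS {PATCHED_VERSION} or later")
```

The trailing-zero normalization is deliberate: device inventories often report "16.6" for what another source writes as "16.6.0", and without it those two would be flagged inconsistently. Malformed strings raise rather than being silently treated as patched, which is the safer failure mode for a check whose purpose is to find unpatched devices.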
Apple said in a statement that it “rapidly addressed this issue with a fix in iOS 16.6.1 and iPadOS 16.6.1” and that it “continues to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.” Apple also thanked Citizen Lab for their assistance in identifying and reporting the issue.
In addition to updating your device, you can also take some precautions to protect yourself from spyware attacks. Some of these include:
- Avoid clicking on suspicious links or opening unknown attachments in messages or emails
- Use strong passwords and enable two-factor authentication for your accounts
- Review your app permissions and revoke any unnecessary access
- Use a VPN or encrypted messaging apps when communicating online
- Be aware of phishing attempts and social engineering scams
What is NSO Group and why is it controversial?
NSO Group is an Israeli company that develops and sells spyware tools to governments and law enforcement agencies around the world. The company claims that its products are only used for legitimate purposes such as fighting terrorism and crime, but several investigations have revealed that its tools have been used to target human rights activists, journalists, lawyers, politicians and other civil society members.
One of NSO Group’s most notorious products is Pegasus, which can infect a device through various methods such as SMS, email, WhatsApp or iMessage. Once installed, Pegasus can access almost all of the device’s data and functions, such as contacts, messages, photos, videos, emails, calls, GPS location, microphone, camera and more. Pegasus can also evade detection and removal by hiding itself or self-destructing.
In July 2023, a global investigation by a consortium of media outlets called The Pegasus Project revealed that more than 50,000 phone numbers of potential targets of NSO Group’s clients were leaked by an anonymous source. The investigation found that some of the targets included heads of state, ministers, diplomats, journalists, activists and business executives from various countries. The investigation also confirmed that some of the targets were successfully infected with Pegasus spyware.
NSO Group has denied any wrongdoing and said that it has no control over how its customers use its products. The company also said that it follows strict ethical standards and human rights policies and that it investigates any allegations of misuse or abuse of its tools.