You should update your iPhone’s software as soon as you can, because a group of Israeli hackers just trashed the entire iOS system’s security.
Lookout and Citizen Lab revealed today that an Israeli company known as the NSO Group has developed spyware that exploits three zero-day exploits in iOS.
This spyware can be used to collect messages, emails, and other information from a wide variety of applications. Getting on a device simply requires hackers to send a text message with a malicious link to their target. If the target (i.e., you) clicks on the link, a program secretly installs spyware called “Pegasus” on the device and uses it to spy on its owner. Pegasus gets in through three finicky glitches that Lookout and Citizen Lab call “Trident” one in the code for Safari, and two in the core of iOS. When a target opens the malicious link, the spyware blasts through “Trident” (the three vulnerabilities) and infects the phone. Here’s how Lookout put it:
“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
Citizen Lab and Lookout’s investigation tied Pegasus to the NSO Group, a shadowy Israeli company that doesn’t have an official website.
Citizen Lab informed Lookout of the vulnerabilities on August 10. Together, the organizations warned Apple about the problem on August 15. The latest version of iOS — 9.3.5 — was released today to protect iPhone users from this spyware. Anyone who uses an iPhone should update their device to this latest version (to do it manually, it’s under the “General” tab in your ‘Settings’ menu.)
This isn’t the first time problems have been discovered in iOS. Researchers at Johns Hopkins University said in March that the encryption used in iMessage could be bypassed to intercept messages.
That was after news broke about Apple trying to create an “unhackable” iPhone after the FBI paid hackers to break into an iPhone 5C that was used by the San Bernardino shooter.
But this hack is unique because it uses so many zero-day exploits and was enabled by a secretive group. A similar hack was sold in 2015 for $1 million — this one could’ve cost the same.
Lookout says it believes Pegasus has “been in the wild for a significant amount of time.” So don’t ignore your iPhone when it says an update is available. Install it, then be glad that Citizen Lab and Lookout discovered it when they did.