Apple fixes security hole reportedly used to hack an iPhone

Sep 13, 2021, 6:00 PM | Updated: Sep 15, 2021, 2:04 pm

FILE - In this Tuesday, Aug. 24, 2021, file photo, a logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir. Apple released an emergency security software patch to fix a vulnerability that an internet watchdog group says allowed spyware from the world’s most infamous hacker-for-hire firm, NSO Group, to infect the iPhone of a Saudi activist without any user interaction. (AP Photo/Sebastian Scheiner, File)

BOSTON (AP) — Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.

Researchers at the University of Toronto’s Citizen Lab said the security issue was exploited to plant spyware on a Saudi activist’s iPhone. They said they had high confidence that the world’s most infamous hacker-for-hire firm, Israel’s NSO Group, was behind that attack.

The previously unknown vulnerability affected all major Apple devices — iPhones, Macs and Apple Watches, the researchers said. NSO Group responded with a one-sentence statement saying it will continue providing tools for fighting “terror and crime.”

It was the first time a so-called “zero-click” exploit — one that doesn’t require users to click on suspect links or open infected files — has been caught and analyzed, the researchers said. They found the malicious code on Sept. 7 and immediately alerted Apple. The targeted activist asked to remain anonymous, they said.

“We’re not necessarily attributing this attack to the Saudi government,” said researcher Bill Marczak.

Citizen Lab previously found evidence of zero-click exploits being used to hack into the phones of al-Jazeera journalists and other targets, but hasn’t previously seen the malicious code itself.

Although security experts say that the average iPhone, iPad and Mac user generally need not worry — such attacks tend to be limited to specific targets — the discovery still alarmed security professionals.

Malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which opens a phone to eavesdropping and remote data theft, Marczak said. It was discovered during a second examination of the phone, which forensics showed had been infected in March. He said the malicious file causes devices to crash.

Citizen Lab says the case reveals, once again, that NSO Group is allowing its spyware to be used against ordinary civilians.

In a blog post, Apple said it was issuing a security update for iPhones and iPads because a “maliciously crafted” PDF file could lead to them being hacked. It said it was aware that the issue may have been exploited and cited Citizen Lab.

In a subsequent statement, Apple security chief Ivan Krstic commended Citizen Lab and said such exploits “are not a threat to the overwhelming majority of our users.” He noted, as he has in the past, that such exploits typically cost millions of dollars to develop and often have a short shelf life. Apple didn’t respond to questions regarding whether this was the first time it had patched a zero-click vulnerability.

Users should get alerts on their iPhones prompting them to update the phone’s iOS software. Those who want to jump the gun can go into the phone settings, click “General” then “Software Update,” and trigger the patch update directly.

Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices. It urged people to immediately install security updates.

Researcher John Scott-Railton said the news highlights the importance of securing popular messaging apps against such attacks. “Chat apps are increasingly becoming a major way that nation-states and mercenary hackers are gaining access to phones,” he said. “And it’s why it’s so important that companies focus on making sure that they are as locked down as possible.”

The researchers said it also undermines NSO Group’s claims that it only sells its spyware to law enforcement officials for use against criminals and terrorists and audits its customers to ensure it’s not abused.

“If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,” said Marczak.

Facebook’s WhatsApp was also allegedly targeted by an NSO zero-click exploit. In October 2019, Facebook sued NSO in U.S. federal court for allegedly targeting some 1,400 users of the encrypted messaging service with spyware.

In July, a global media consortium published a damning report on how clients of NSO Group have been spying for years on journalists, human rights activists, political dissidents, and people close to them, with the hacker-for-hire group directly involved in the targeting. Amnesty International said it confirmed 37 successful Pegasus infections based on a leaked targeting list whose origin was not disclosed.

One case involved the fiancee of Washington Post journalist Jamal Khashoggi just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The CIA attributed the murder to the Saudi government.

The recent revelations also prompted calls for an investigation into whether Hungary’s right-wing government used Pegasus to secretly monitor critical journalists, lawyers and business figures. India’s parliament also erupted in protests as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political opponents and others.

France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unidentified Moroccan security service using Pegasus. Morocco, a key French ally, denied those reports and is taking legal action to counter allegations implicating the North African kingdom in the spyware scandal.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
