Apple fixes operating systems due to “clickless” spyware exploit
IIn mid-September, Apple was forced to release an emergency security update for its iPhone, iPad, Mac and Watch operating systems after being alerted to a “clickless” exploit allegedly related to the software surveillance Pegasus distributed by the Israeli company NSO Group.
The Citizen Lab, a Canadian human rights and security group, alerted Apple to the exploit, dubbed FORCEDENTRY. The exploit targeted Apple’s image rendering library, which was found on the phone of a Saudi activist that Citizen Lab reviewed in March. The exploit uses “maliciously crafted” PDF files that could lead to “the execution of arbitrary code,” Apple said in a security bulletin.
Citizen Lab’s “click-free” designation means that Apple users do not need to open the PDF sent to them for spyware to infect their devices. Instead, Pegasus gives attackers “virtually unlimited access to the victim’s device, where it can monitor messages, listen to calls, activate the camera, etc.” said Daniel Markuson, digital privacy expert. at NordVPN.
The Citizen Lab has spearheaded recent reports on the NSO Group’s surveillance software, with reports in July claiming that the company’s military-grade Pegasus product had been used to spy on corporate executives, journalists, human rights defenders and government officials. NSO Group disputed the report, saying it sells the software to governments to fight crime and terrorism.
But with some NSO customers using the software to spy on other people, several security experts have urged Apple users to update their devices immediately.
“These new accusations are causing heightened concern among privacy activists that no smartphone user, even those who use software like WhatsApp or Signal, is immune to a breach of their privacy,” Markuson told the Washington Examiner. “Computer surveillance can be a real threat to both individuals and institutions, and this situation with NSO Group only puts this long-standing problem in the spotlight.”
Pegasus exemplifies the importance of comprehensive mobile security efforts in an organization, added Hank Schless, senior director of security solutions at Lookout, a security provider who has researched Pegasus for years.
“There is countless malware that can easily exploit known vulnerabilities in devices and software to gain access to your most sensitive data,” he told the Washington Examiner. “Once the attacker has control of a mobile device or even compromises the user’s credentials, they have free access to your entire infrastructure.”
Once attackers gain access to a company’s cloud or on-premises applications, “they can move sideways and identify sensitive assets to be encrypted for a ransomware attack or exfiltrate to sell to the highest bidder,” he said. added.
Meanwhile, some security experts have said there appears to be little recourse available to Apple and its customers beyond fixes. Holding NSO Group legally responsible would be complicated for US-based Apple given that NSO is based in Israel and attribution of the exploit is not 100% solid, some said.
“Selling zero-day vulnerabilities is a lucrative business practice and has well-established roots,” noted Keatron Evans, senior security researcher at InfoSec Institute, a security training provider. “Governments, law enforcement and even private industry have a long history of paying security researchers for zero-day exploits. “
Meanwhile, much of the responsibility for protecting devices lies with the consumer, he told the Washington Examiner.
“It has become common practice that when a company’s software is found to have zero-day vulnerabilities and exploits are written to take advantage of those exploits, those companies create a patch to fix it.” , did he declare. “Then it becomes the problem of the consumer to deal with the repercussions they have had as a result of exploiting the software, or the potential of its exploitation.”
The apparent abuse of Pegasus raises troubling questions, even if attackers are unlikely to “waste” these exploits on everyday consumers, he added. Additionally, he said agencies using these surveillance tools could have their own security holes, which could potentially compromise their surveillance data caches.
“A real question here is whether law enforcement is buying these exploits, and we know their networks and data storage locations are susceptible to breach, is it acceptable for law enforcement to have access to these mighty feats? “
Washington Examiner Videos
Key words: Cybersecurity, Technology, Surveillance, Data Mining, Privacy, Apple, iPhone, Hacking, Business
Original author: Gross grant
Original location: Apple fixes operating systems due to “clickless” spyware exploit