By Isabel Van Brugen
Apple users are being encouraged to update their devices after researchers discovered a security flaw that could allow hackers to secretly install spyware without targets knowing.
The company on Monday released an emergency patch to the vulnerability flaw that allowed advanced spyware to be installed into users’ Apple devices, including iPhones, iPads, Macs, and Apple Watches.
It comes after security researchers at Citizen Lab at the University of Toronto last month uncovered the security flaw that they believe has been used by government clients of Israeli spyware company NSO Group to secretly hack into devices since February.
The researchers were examining the phone of a Saudi activist when they discovered the exploit, and subsequently shared their findings with Apple.
According to Citizen Lab, researchers found that in some cases, NSO Group’s Pegasus malware-infected targeted Apple devices without the users taking any action—what’s known as a zero-click vulnerability. The malware enables hackers to gather a target’s personal information and listen into and read calls and messages.
According to U.S. Cybersecurity and Infrastructure Security Agency (CISA), an attacker could exploit these vulnerabilities to take control of an affected device.
“CISA is aware of public reporting that these vulnerabilities may have been exploited in the wild,” it said.
The speed with which Apple was seeking to find a solution its operating system’s vulnerability highlighted the “absolute seriousness” of the Citizen Lab’s findings, researchers said.
“Today is going to be a rough day at NSO because the lights are going to go out on one of their most productive exploits,” John Scott-Railton, a senior Citizen Lab researcher, told The Guardian.
NSO Group was the focus of recent reports by a media consortium that found the company’s spyware tool Pegasus was used in several instances of successful or attempted phone hacks of business executives, human rights activists, and others around the world.
Those investigations, based on leaked data obtained by the Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International, sparked widespread condemnation of the company.
In July, some 1,000 protesters in Hungary’s capital demanded answers to allegations that the country’s government used Pegasus to secretly monitor critical journalists, lawyers, and business figures. India’s parliament also erupted in protests as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Groups’ product to spy on opponents and others.
The group in a statement to multiple news outlets didn’t address the allegations, but said it will “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
The Epoch Times has contacted NSO Group for additional comment.
Apple on Monday, without mentioning NSO Group, issued a patch seeking to fix the vulnerability.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” Ivan Krstić, head of Apple Security Engineering and Architecture, told USA TODAY in a statement.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić added, noting that the exploit will not affect “the overwhelming majority of our users.”
Last month, human rights experts working with the United Nations called on countries to pause the sale and transfer of spyware and other surveillance technology until governments “put in place robust regulations that guarantee its use in compliance with international human rights standards.”
The Associated Press contributed to this report.