If you're one of those people who perpetually ignore software updates, don't ignore this one. After a cyber security research company recently revealed a massive security exploit, Apple has issued an emergency update for iOS and macOS operating systems. This zero-click exploit could infect your Apple device with spyware without you ever knowing.
According to this report by the University of Toronto's Citizen Lab, the ForcedEntry zero-click exploit can pretty much compromise all Apple devices such as phones, tablets, smartwatches, and computers.
Citizen Lab researchers first spotted signs of ForcedEntry in March while analyzing the phone of a Saudi activist who was infected with spyware created by the NSO Group. This Israeli spyware company has been accused of selling governments worldwide software designed to spy on private citizens, particularly journalists and activists. Citizen Lab notified Apple of its findings on September 7, a week before releasing its report to the public, prompting the emergency update.
ForcedEntry isn't a run-of-the-mill exploit. It takes advantage of a massive security flaw in iMessage, Apple's built-in text messaging platform. The way it works is that a hacker sends an invisible text message to the intended victim, giving them unfettered access to everything on their device upon receipt, letting the hacker install spyware that could monitor their phone calls and even remotely access their cameras. The terrifying thing about these zero-click exploits is that the victims don't realize what's happened until it's too late.
The report also linked the NSO Group with another zero-click attack back in 2019. NSO found a similar vulnerability in Whatsapp and infected the phones of over 1400 users connected to a Human Rights Facebook group with its spyware. Currently, there's no telling on how many users' phones may have been targeted and/or compromised. NSO Group has denied all allegations of wrongdoing.
Citizen Lab's concludes its report with a call to action for regulation against companies like NSO Group:
“Our latest discovery of yet another Apple zero day (term for a computer-software vulnerability is known to interested parties) employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
The best way to protect yourself and your Apple products right now is by making sure all your Apple devices have the current software update issued on Monday, September 13. Apple is expecting to announce a slate of new devices today, so it will be interesting to see if the company addresses the emergency fix in the keynote.