A day before Apple is expected to release iOS 15 and other new software versions alongside the iPhone 13 launch, the company released iOS 14.8 as an emergency update to fix an exploit that allowed spyware reportedly like that used by the Israel-based NSO Group to infect iPhones, Apple Watches, and Mac computers without users needing to click on anything.
The exploit is serious enough for Apple to have been sprinting to fix it since the company was alerted to it last Tuesday by Canadian cybersecurity firm Citizen Lab, per the New York Times (opens in new tab). In addition to iOS 14.8, Apple released iPadOS 14.8, watchOS 7.6.2, and macOS Big Sur 11.6, which users are advised to download immediately. It’s unclear if the exploit affects beta versions of upcoming software like iOS 15 (we’ve reached out to Apple to confirm).
The spyware, called Pegasus, quietly downloaded PDF files (intentionally mislabeled as .gif images) to users’ devices without their permission – and unlike other malicious code, without needing users to click on suspicious links or manually download files. Thus, this type of ‘zero click’ exploit is even more dangerous, potentially existing on devices for months without the owners noticing.
Once the PDFs got on a device, Pegasus could activate cameras and microphones, record messages and other communications (even if encrypted) and forward that info back to the cybersurveillance firm NSO Group – and conceivably, its clients.
Apple credited Citizen Lab for alerting the company to the issue:
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users," Ivan Krstić, head of Apple Security Engineering and Architecture, told TechRadar over email. "We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Analysis: Update iOS 14? In our moment of iOS 15 triumph?
If anything sells the importance of the iOS 14.8 update, it’s that Apple chose to rush it out ahead of iOS 15, which we’re expecting to arrive on September 14 or shortly thereafter following the iPhone 13 launch. Given that every phone running iOS 14 (iPhone 6S and newer) will be able to download the new iOS 15, it’s telling that Apple pulled out the stops to make it available – and didn’t even beta test it, per 9to5Mac (opens in new tab).
To be clear, the iOS 14.8 update is undoubtedly much smaller than iOS 15, and the same is true for the minor updates coming to iPadOS, watchOS, and macOS – so hopefully that makes it easier for folks to swallow.
As previously mentioned, it’s unclear if this exploit worked on iOS 15 public beta and other early versions of other device software; since we haven’t seen similar spyware-blocking updates for the iOS 15 and iPadOS 15 betas, we’d guess not. But Apple is getting wise to this type of exploit: the company confirmed to the New York Times that it’s adding spyware barriers to its next iOS 15 update later this year.
- Expect iPhone 13 and Apple Watch 7 on September 14, iPad and Mac to come later