Apple issues emergency updates over vulnerability enabling spyware

Apple on Monday released a series of emergency security updates following the discovery of a vulnerability that allowed Israeli company NSO Group to infect Apple products with spyware.

The vulnerability, discovered by researchers at Citizen Lab, affected Apple's iOS, macOS and watchOS products, and was described by the researchers as a “zero-day zero-click exploit” targeted against iMessage.

Apple released security updates for each of the products on Monday after Citizen Lab disclosed the vulnerability to the company last week, with Apple noting in the update that it was “aware of a report that this issue may have been actively exploited.”

The New York Times first reported the discovery of the vulnerability on Monday.

Citizen Lab researchers discovered the vulnerability while examining the phone of a Saudi Arabian activist, which was known to be infected with an NSO Group spyware program. The vulnerability discovered by the researchers targeted the Apple image rendering library, enabling NSO Group to remotely infect and exploit the targeted devices.

“This spyware can do everything an iPhone user can do on their device and more,” John Scott-Railton, a senior researcher at Citizen Lab, told The New York Times on Monday. 

Ivan Krstić, head of Security Engineering and Architecture at Apple, told The Hill in a statement Monday that Apple had "rapidly developed" the security updates after identifying the vulnerability. 

"We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly," Krstić said. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals."

"While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data," Krstić added. 

A spokesperson for NSO Group told The Hill in a statement Monday that "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime" but did not comment directly on the Citizen Lab report. 

This is far from the first time that products from NSO Group, and the company itself, have come under fire for allegations of human rights and privacy abuses. 

Reuters reported last year that the FBI was investigating the use of NSO Group spyware in potential hacking operations against U.S. citizens and organizations along with foreign governments. 

WhatsApp accused NSO Group in 2019 of allowing its spyware to be used by governments to target high-ranking officials. Microsoft filed an amicus brief in support of the case last year.

Spyware has increasingly become a concern beyond NSO Group. 

Microsoft announced in July that it had disrupted the use of what it described as “cyberweapons” manufactured and sold by an “Israel-based private sector offensive actor” to target victims worldwide including journalists and human rights activists.

Citizen Lab published a separate report in July in conjunction with Microsoft’s actions labeling the organization as “Candiru” and noting that the group’s spyware products had likely been sold in recent years to the governments of Uzbekistan, Qatar, Saudi Arabia, the United Arab Emirates and Singapore to monitor targets.

Citizen Lab researchers emphasized Monday that organizations such as NSO Group were helping facilitate “despotism-as-a-service” through selling their products to governments. 

“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” the researchers wrote in a blog post.

“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here,” they added.

The researchers also underlined the need to secure messaging apps, which have increasingly been seen as an easy target for malicious actors online. 

“As presently engineered, many chat apps have become an irresistible soft target,” the researchers wrote. “Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”

Updated at 7:05 p.m.