Apple has issued a software patch to block so-called “zero-click” spyware that could infect iPhones and iPads.
Independent researchers identified the flaw, which lets hackers access devices through the iMessage service even if users do not click on a link or file.
The problem affects all of the technology giant’s operating systems, the researchers said.
Apple said it issued the security update in response to a “maliciously crafted” PDF file.
The flaw was a “zero-day” vulnerability, a term for a recently discovered bug that attackers can exploit before a patch is available. Victims did not have to click on the malicious file for it to infect their devices, which is what makes it a “zero-click” exploit, according to a report released by Citizen Lab, a cyber-research unit of the University of Toronto.
“What this highlights is that chat apps are the soft underbelly of device security,” John Scott-Railton, senior researcher at Citizen Lab, said in a text message. “They are ubiquitous, which makes them really attractive, so they are an increasingly common target for attackers.”
Analysis by Joe Tidy, Cyber Reporter
Apple’s iMessage is one of the most secure messaging apps in the world but clearly it had a dangerous weakness that a hacking team found and exploited.
The news will embarrass Apple, which prides itself on being a secure and safe system.
The revelation is potentially another blow to the reputation of NSO Group which is still reeling from recent accusations of widespread spy hacks on innocent people.
It also highlights once again that no device is fully safe if a determined, well-funded team wants to hack it and is paid enough to do so.
The good advice from all corners is for iOS users to update the security software of their devices as soon as possible to patch up the security hole.
But for the vast majority of users, the risk of being a target of this expensive and highly skilled hacking is low.
The White House has raised concerns about NSO Group with senior Israeli officials, the Washington Post reported.
In December, Citizen Lab reported that NSO spyware was used to target the devices of 36 Al Jazeera employees. Citizen Lab said that it believed the hacks were carried out on behalf of Saudi Arabia and the United Arab Emirates. The 2020 hack is similar to the one disclosed Monday because it did not require the victim to click on a malicious link, meaning there is no way for a victim to defend against the hack. NSO Group denied the report.