Apple issues emergency patch after Pegasus spyware breach

Tech company warned that iPhones and iPads were open to being targeted by state-level clients of Israeli group NSO

Apple has issued an emergency software update after being warned that a previously unknown vulnerability allowed Israel’s NSO Group to inject its Pegasus spyware remotely and surreptitiously on to iPhones and iPads.

The weakness in the iOS code, called a zero-day, appears to have allowed NSO customers, which include Saudi Arabia, Rwanda and Mexico, to hide code within images sent via iMessage that would allow the military-grade Pegasus spyware to take over a phone’s functions.

Pegasus is able to surreptitiously read encrypted messages stored on the phone, turn on its camera and microphone remotely and continuously track the phone’s location, and has been tied to human rights abuses from Mexico to east Africa, resulting in the Israeli company being blacklisted by the US Department of Commerce.

The patch also addresses a vulnerability that affected the Apple Wallet, where people store payment cards, the company said in a brief statement on Thursday night without providing more details as it pushed the update out to billions of phones.


Budget 2024: 'You might have a bit of a bonanza in terms of one-off spending'

Listen | 43:12

This latest patch, among a handful that Apple has issued in recent years, continues a cat-and-mouse game between leading US tech companies and spyware manufacturers, many of them based in Israel, which weaponise and then commercialise unknown vulnerabilities in smartphones so that their clients, which tend to be government agencies, can surveil thousands of targets without being detected.

NSO said: “We are unable to respond to any allegations that do not include any supporting research.”

While NSO has maintained that its product is only meant to be used to monitor potential terrorists and fight organised crime, this vulnerability was discovered by the University of Toronto’s Citizen Lab, which said it found it on the phone of a Washington, DC-based employee of a “civil society” organisation with international offices.

Citizen Lab has previously traced the spyware to the phones of hundreds of dissidents, journalists, lawyers and opposition leaders in countries with poor human rights records. This current breach would have been blocked if people at risk of government surveillance had enabled Lockdown Mode on their iPhones, which severely restricts some functions, including attachments to messages and incoming FaceTime calls from unknown numbers, Citizen Lab said.

“Apple has gotten much more aggressive in its tempo of hunting (for vulnerabilities) and patching, and have also done remarkable work with Lockdown Mode,” said John Scott-Railton, a senior researcher at the watchdog. “This exerts substantial pressure on the mercenary spyware ecosystem and companies like NSO.”

The US government blacklisting was prompted by the discovery of Pegasus on the phones of US embassy employees in Uganda, leading to spyware such as that of NSO being listed as a major counter-intelligence and national security threat to the American government.

The discovery of the latest vulnerability underlines how NSO continues to find rare weaknesses in some of the sophisticated operating systems, despite dire financial problems stemming from the US government’s sanctions against it.

Staffed almost entirely by veterans of the Israeli army’s elite signals intelligence units, the company was once valued at $1bn by its London-based private equity backers, Novalpina Capital.

But a 2019 hack engineered by NSO to inject its spyware using a vulnerability in the ubiquitous WhatsApp messaging platform, resulted in a lawsuit in a California court by WhatsApp’s owner Meta, joined by Apple, Amazon and other tech giants.

In that lawsuit, which is continuing, NSO has argued that its actions should be immune from legal scrutiny since its software is used by sovereign nations, and the company does not have visibility on who the targets are.

In recent weeks, at least three other people, including a UK-based political reporter for the Daily Mail, received notifications from Apple that their phones had been attacked by “state actors”. It’s not yet clear if those attacks originated from NSO’s systems or those of its competitors.

“These attackers are likely targeting you individually because of who you are or what you do,” the notification read. – Copyright The Financial Times Limited 2023