Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments.
Pegasus spyware is typically installed on victims' phones using a software exploit that requires little or no user interaction—perhaps no more than a click. The exploits change over time, as they are discovered and patched by Apple.
This most recent exploit is a “zero-day, zero-click” flaw in Apple’s iMessage app that requires no user interaction at all. Known as “FORCEDENTRY”, it was discovered by Citizen Lab after a forensic examination of a phone belonging to a Saudi activist.
The exploit has apparently been in use since at least February 2021, and reportedly works on Apple iOS, macOS, and watchOS devices.
What should you do next?
Put simply, if you run any of these devices, you must update immediately: to iOS 14.8 on iPhones and iPads, and to the corresponding macOS and watchOS releases listed below.
As per the description:
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: An integer overflow was addressed with improved input validation.
CVE-2021-30860: The Citizen Lab
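The advisory describes the bug class without giving any code: an integer overflow fixed by input validation. The example below is added here to show what that class looks like in a parser and how the "improved input validation" typically works; it is a constructed illustration of a generic image-style header, not Apple's PDF/CoreGraphics code, and the structure name, the MAX_PIXELS policy limit and the sample header values are all assumptions. The unsafe function computes a buffer size in 32-bit arithmetic, so a large width and height wrap around to a small number and any later write of the real pixel data overruns the allocation; the hardened function rejects zero dimensions, checks the multiplication for wrap-around before performing it, and caps the total at a policy limit.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed header type for illustration; not a real file format. */
typedef struct {
    uint32_t width;
    uint32_t height;
} image_header_t;

/* Assumed policy limit: reject images larger than 2^28 pixels outright. */
#define MAX_PIXELS (1u << 28)

/* Vulnerable pattern: width*height is evaluated in 32 bits and wraps
 * silently, so the value used to size the buffer can be far smaller
 * than the amount of data the decoder will later write into it. */
uint32_t unsafe_pixel_count(const image_header_t *h)
{
    return h->width * h->height;
}

/* Compares the wrapped 32-bit result with the true product to show
 * whether an allocation based on unsafe_pixel_count() would be too small. */
int allocation_is_undersized(const image_header_t *h)
{
    uint64_t real = (uint64_t)h->width * (uint64_t)h->height;
    return (uint64_t)unsafe_pixel_count(h) < real;
}

/* Hardened pattern: validate each field, prove the multiplication cannot
 * wrap before doing it, then enforce a sane upper bound on the total.
 * Returns the pixel count, or -1 if the header is rejected. */
int64_t safe_pixel_count(const image_header_t *h)
{
    if (h->width == 0 || h->height == 0)
        return -1;                           /* degenerate dimensions */
    if (h->width > UINT32_MAX / h->height)
        return -1;                           /* product would wrap */
    uint32_t n = h->width * h->height;       /* now provably in range */
    if (n > MAX_PIXELS)
        return -1;                           /* exceeds policy limit */
    return (int64_t)n;
}

int main(void)
{
    /* Constructed sample headers: one benign, two that wrap, one oversized. */
    const image_header_t samples[] = {
        { 1024, 768 }, { 65536, 65537 }, { 65536, 65536 }, { 20000, 20000 }
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const image_header_t *h = &samples[i];
        printf("%u x %u: unsafe=%u undersized=%d safe=%lld\n",
               h->width, h->height, unsafe_pixel_count(h),
               allocation_is_undersized(h), (long long)safe_pixel_count(h));
    }
    return 0;
}
```

The division check `width > UINT32_MAX / height` is the portable idiom for proving a product fits; on GCC and Clang `__builtin_mul_overflow()` does the same job in one call. Note that the 65536 x 65536 case wraps to exactly zero, which is why a "non-zero size" test after the multiplication is not a substitute for checking before it.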
If you want specifics on what exactly is affected, Apple has said the following:
"All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2."
The NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn’t something you want anywhere near your phone.
Is the sky falling?
Absolutely not. It’s very good practice to keep all of your devices updated. It’s something we should be doing by default. Sometimes you may have to do some updating manually to ensure crucial systems don’t break inside whatever daisy-chain of a network you have in operation. Businesses can typically work around this if needed.
For the most part, you can typically set updates to automatic and deal with them as they come through.
As far as Pegasus goes though, the vast majority of people will never, ever run into a piece of spyware like it. Pegasus campaigns are expensive, and so are the exploits they use. Campaign owners simply do not care about most people enough to waste valuable resources on them. They do care about defined, specific, known targets in advance, however. This isn’t something which tends to get spammed out to hundreds of thousands of Gmail accounts, or dropped into Discord chat. If you are a high value target—perhaps if you work at a center for human rights—you might need to ponder the implications of something like Pegasus.
As Apple itself explains, these attacks cost “millions” to develop, have short lifespans, and “are not a threat to the overwhelming majority of our users”.
All the same, you should apply the fix as soon as possible. While you’re almost certainly not at risk from Pegasus, there are a lot of other bad things out there which do target regular folks and businesses. The danger for most people is that somebody else manages to reverse-engineer this exploit into something that's used more widely.
Grab the update, and go about your business safe in the knowledge that being hit by Pegasus is now even more unlikely than it was previously.