Apple wants you to update your iPhone, Mac, and Apple Watch after it fixed a software flaw that let hackers spy without anyone clicking a link
- Apple has fixed a flaw that was letting hackers spy on devices without users even clicking a link.
- The zero-click hack gave access to device cameras, microphones, and messages without users knowing.
- Apple is telling users to update their iPhones, Macs, and Apple Watches immediately to protect them.
Apple is warning users to update their devices as soon as possible after it fixed a major spyware flaw.
The company has released emergency software updates in iOS 14.8 after learning of a vulnerability that let hackers break into Apple devices without users even clicking a link, The New York Times reports.
"Apple is aware of a report that this issue may have been actively exploited," the company said on its website Monday.
The Canadian academic research group The Citizen Lab published a report Monday saying it had uncovered a zero-day, zero-click exploit affecting iPhones, Macs, and Apple Watches. The lab says the flaw allowed the Israeli spyware company NSO Group to remotely infect Apple devices. Because users don't even have to click a link for the spyware to start working, they won't even know their devices have been infected.
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users," said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement to Insider. "We'd like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
Known as Pegasus, the spyware can record texts, emails, and phone calls and share them with NSO Group's government clients worldwide, The Times reports. It can also turn on devices' cameras and microphones.
"This spyware can do everything an iPhone user can do on their device and more," the Citizen Lab researcher John Scott-Railton told The Times.
The Citizen Lab said it discovered the exploit, which it calls Forced Entry, in March while examining the phone of a Saudi activist who had been hacked with the spyware. The lab believes Forced Entry has been at work since at least February.
NSO Group was also found to be using zero-click attacks earlier this year. In July, Amnesty International found that military-grade spyware from NSO Group was used to hack the iPhones of dozens of journalists, activists, and executives.
Apple did not immediately respond to requests for comment.
A representative for NSO Group emailed the following statement: "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime."