Apple is pushing out a software update after researchers discovered a major vulnerability on the phone of a Saudi activist that allowed Israel's NSO Group to access Apple users' devices, even if those users didn't click on anything. The vulnerability, which was first discovered by researchers at the University of Toronto's Citizen Lab and which Apple confirmed to The New York Times, affects Apple iOS, MacOS and WatchOS.
In their report, the Citizen Lab researchers named the NSO Group exploit ForcedEntry. "We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," the researchers wrote, noting that they alerted Apple to the vulnerability. "We believe that ForcedEntry has been in use since at least February 2021."
According to the researchers, the vulnerability in Apple's software allowed the NSO Group to infect Apple devices with spyware known as Pegasus. "This spyware can do everything an iPhone user can do on their device and more," John Scott-Railton, one of the Citizen Lab researchers told the Times.
In a statement to Protocol, Apple's head of security engineering and architecture, Ivan Krstić, said the company had "rapidly developed and deployed a fix in iOS 14.8 to protect our users" and commended Citizen Lab for "obtaining a sample of this exploit."
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals," Krstić said. "While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
This story has been updated with comment from Apple.