Apple is about to unveil the iPhone 13 during its September 14th media event. It will also release iOS 15 soon after that. As usual with iPhone announcements, the next-gen iOS release will be available on older iPhone models, going back to the iPhone 6s. But Apple surprised iPhone users on Monday with an unexpected iOS 14.8 update that rolled out directly to all supported devices, bypassing beta testing. Apple explained iOS 14.8 “provides important security updates and is recommended for all users.” It turns out that iOS 14.8 patches a critical zero-day vulnerability used in an attack that is part of NSO’s infamous Pegasus family, and you should update your iPhone as soon as possible.
The Pegasus hacks targeting iPhones
Security and privacy have been core features of Apple products for years. The company has always explained why it thinks security and privacy are essential iPhone and Mac features, turning them into marketing weapons as well. This didn’t stop security researchers from looking for weaknesses that they could exploit to hack iPhone and Mac devices. If anything, Apple’s increased focus on data security turned the hunt for iOS exploits into a very lucrative business.
Earlier this year, the Pegasus hacks made the news. Reports explained that the Israeli NSO Group developed the Pegasus hacks for law enforcement agencies. The company developed the tools to allow governments to spy on targets using Apple devices like iPhones and Macs. The sophisticated Pegasus attacks also avoid detection. They help attackers spy on a target and need only a single message to be deployed.
The iOS 14.8 release is a security update that patches a Pegasus vulnerability. While Apple did not name the exploit in its documentation, the company confirmed to The Washington Post that the iOS 14.8 release is in response to the newly found Pegasus hack.
Separately, Citizen Lab researchers published a blog post on Monday explaining a new hack called FORCEDENTRY. The researchers explained that iOS 14.8 patches the vulnerability, ensuring attackers can’t spy on targets using this Pegasus attack.
What the iOS 14.8 update does to protect your iPhone
Ivan Krstic, head of Apple security engineering and architecture, thanked Citizen Lab for finding the exploit in the wild.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix,” Krstic told The Post. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Citizen Lab found the FORCEDENTRY attack in March 2021 while examining the phone of an unnamed Saudi activist. They found that the attackers sent the target 28 copies of an identical GIF file. That wasn’t really a GIF, however, but a 748-byte Adobe PSD file.
The attackers sent the files over iMessage, which allowed them to gain access to the phone. The victim didn’t even have to tap on anything to enable the exploit. Once the malicious code runs, it can remotely send information to the attackers. This includes camera and microphone recordings, location data, messages, call logs, and emails.
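The mismatch described above, files named as GIFs whose contents are another format, is something a defender can check for directly. The following Python triage check is an added example, not code from the article or from Citizen Lab; it compares each attachment's extension with its leading signature bytes and groups identical copies by hash. The file names and sample bytes are constructed placeholders.

```python
import hashlib
from collections import Counter

# Leading signature bytes for the two formats named in the article, plus
# two other common image types so the check covers more than this one case.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
EXT_TO_TYPE = {"gif": "gif", "psd": "psd", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}

def sniff(data: bytes) -> str:
    """Return the format indicated by the leading bytes, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"

def triage(attachments):
    """attachments: iterable of (filename, bytes).
    Returns one finding per distinct mismatching payload, with a copy count."""
    copies = Counter()
    info = {}
    for name, data in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = EXT_TO_TYPE.get(ext, "unknown")
        actual = sniff(data)
        # Flag only files whose known extension disagrees with their content.
        if claimed != "unknown" and actual != claimed:
            digest = hashlib.sha256(data).hexdigest()
            copies[digest] += 1
            info[digest] = {"claimed": claimed, "actual": actual, "size": len(data)}
    return [dict(info[d], sha256=d, copies=n) for d, n in copies.most_common()]

# Constructed sample input: placeholder bytes carrying only a signature,
# not the real files from the investigation.
FAKE_PSD = b"8BPS\x00\x01" + b"\x00" * 742   # 748 bytes with a PSD signature
REAL_GIF = b"GIF89a" + b"\x00" * 20
SAMPLE = [(f"img_{i}.gif", FAKE_PSD) for i in range(28)] + [("cat.gif", REAL_GIF)]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A signature check like this only inspects the first bytes of each file; it does not parse or render the content.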
Citizen Lab determined that the technology was similar to Pegasus. Therefore, this was likely the work of the NSO Group. The security company forwarded the findings to Apple on September 7th. Apple then rolled out the iOS 14.8 fixes about a week later.
It’s not just the iPhone
Citizen Lab told The Post that the company wouldn’t have discovered FORCEDENTRY had it not been used against somebody in the wild.
NSO Group did not address the new findings or the iOS 14.8 update. The Israeli company told The Post that it “will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.” Despite NSO’s claims, previous reports found that some entities had used the iPhone-hacking Pegasus software to target dissidents, journalists, and activists.
In addition to updating your iPhone to iOS 14.8, you should also install the latest iPadOS 14.8 update on the iPad. Additionally, make sure you get the macOS 11.6 and watchOS 7.6.2 security updates that Apple released on Monday. These software releases also patch the same Pegasus threat.