NEW YORK • Apple has issued emergency software updates for a critical vulnerability in its products after researchers uncovered a flaw that allows highly invasive spyware from Israel's NSO Group to infect anyone's iPhone, iPad, Apple Watch or Mac computer without so much as a click.
Apple's security team had worked round the clock to develop a fix since Tuesday last week, after researchers at The Citizen Lab - a cyber-security watchdog organisation at the University of Toronto - discovered that a Saudi activist's iPhone had been infected with an advanced form of spyware from NSO.
The spyware, called Pegasus, used a novel method to invisibly infect Apple devices without victims' knowledge.
Known as a "zero-click remote exploit", it is considered the holy grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone's device without tipping off the victim.
Using the zero-click method, Pegasus can turn on a user's camera and microphone and record messages, texts, e-mails and calls - even those sent via encrypted messaging and phone apps like Signal. It can then send them back to NSO's clients at governments around the world.
"This spyware can do everything an iPhone user can do on their device and more," said The Citizen Lab's senior researcher John Scott-Railton, who teamed up with his colleague Dr Bill Marczak, a senior research fellow, on the finding. The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO's spyware since at least March.
In the past, victims learnt that their devices were infected by spyware only after receiving a suspicious link texted to their phone or e-mail, and sharing the link with journalists or cyber-security experts. But NSO's zero-click capability meant victims received no such prompt.
On Monday, Apple's head of security engineering and architecture Ivan Krstic commended The Citizen Lab for its findings and urged customers to run the latest software updates for the fixes to take effect, by installing iOS 14.8, MacOS 11.6 and WatchOS 7.6.2.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals," Mr Krstic said.
Mr Scott-Railton urged Apple customers to run their software updates immediately, saying: "Do you own an Apple product? Update it today."