The Future Is Here
We may earn a commission from links on this page

Go Update Your iPhone, iPad, Mac, and Apple Watch Right Now

Apple released security updates in iOS 14.8, iPad OS 14.8, and macOS after Citizen Lab researchers found a dangerous, hidden exploit buried in iMessage's code.

Image for article titled Go Update Your iPhone, iPad, Mac, and Apple Watch Right Now
Photo: Mladen Antonov (Getty Images)

The headline says it all, folks. Apple just released an emergency patch to a security flaw that let NSO Group’s horrifying Pegasus spyware infect a target’s Apple devices—including their iPhones, iPads, Macs, and Apple Watches.

Are you, personally, likely to be targeted by shadowy hackers-for-hire? Probably not. But that doesn’t mean there’s a good reason to leave your Apple devices vulnerable.

Advertisement

To ensure your devices receive the update, check that you’re using iOS 14.8, iPad OS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and security update 2021-005 for macOS Catalina. According to Apple, compatible iOS and iPad OS devices include: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).”

Advertisement

The zero-day exploit was uncovered by security researchers at the University of Toronto’s Citizen Lab, who put out a report detailing the exploit earlier today. In Apple’s terminology, the update is known as CVE-2021-30860, and it credits Citizen Lab for finding the vulnerability.

Advertisement

Citizen Lab researchers say they stumbled on the flaw when looking into a Pegasus-infected phone that belonged to a Saudi activist, and found that NSO Group had likely exploited a so-called “zero-click” vulnerability in iMessage to get Pegasus onto the device. Unlike most low-level malware, these kinds of exploits require zero input on the user’s part—all NSO needed to do to break into this activist’s device was send over an invisible, malware-laden iMessage without their knowledge, according to the researchers. Past Citizen Lab reports have detailed NSO’s zero-click attacks on other devices, noting that in many cases, those harboring an infected device “may not notice anything suspicious” is actually happening.

Meanwhile, as Citizen Lab researcher John Scott-Railton told the New York Times, whoever is behind the exploit can do “everything an iPhone user can do on their device and more” once it’s infected. This includes tracking any texts or emails sent, any calls made, and switching on a device’s camera without the user’s knowledge. Even if those communications happen over an encrypted app, like Signal or Telegram, NSO can still harvest that data and pass it back to their clientele, the Times reports.

Advertisement

It’s worth noting that Apple hardware has moved to address problems with zero-click vulnerabilities in the past, quietly tweaking the code underlying iOS this past February in an attempt to make these hacks harder to pull off.

We’ve reached out to Apple for comment on the update and will update here when we hear back.