security experts – Devstyler.io
https://devstyler.io

Spyware threat: Apple users urged to apply an emergency Software update
https://devstyler.io/blog/2021/10/06/spyware-threat-apple-users-urged-to-apply-an-emergency-software-update/
Wed, 06 Oct 2021 11:25:50 +0000

Apple users are being urged to install emergency software updates released by the company on 13 September 2021 to patch a critical vulnerability discovered by security researchers. The vulnerability can allow hackers to silently infect iPhones and other Apple devices with powerful spyware known as Pegasus. Read on to find out what the security flaw means for Apple users, and what you should do if you’re affected.

How does the vulnerability put Apple users at risk? 

The security flaw was discovered by cybersecurity researchers Citizen Lab, based in Toronto. It allows attackers to deploy what’s called a ‘zero-click exploit’ that can run silently without the owner of the device having to click on a suspect link or open a document. Once the infected files – in this case, PDF documents disguised as GIFs – are on a device, Pegasus spyware is silently installed. Once the spyware is on a device, the attackers can silently copy and steal the messages sent and received on the phone, use the camera to secretly film the phone’s owner, and eavesdrop via the microphone. While it’s very unlikely that ordinary users’ Apple devices will be targeted by Pegasus spyware, the vulnerability the researchers found has worried security experts.

Where does the spyware come from? 

Spyware that can be installed without the phone’s owner doing anything at all is highly prized by law enforcement, criminals and some governments. It means they can silently snoop on the target without them having any clue their device has been compromised. The exploit in this case, called ‘FORCEDENTRY’, was found when the researchers analysed an iPhone belonging to a Saudi dissident, whose phone was hacked when they were sent image files containing the spyware via iMessage. Citizen Lab said that FORCEDENTRY is the latest in a string of zero-click exploits linked to NSO Group, an Israeli company best known for its Pegasus spyware. NSO Group says its products are meant to be used only to target criminals by licensed law enforcement bodies, but Pegasus is known to have been used in the past to target dissidents, journalists and human rights activists. The phones of activists in Bahrain, French journalists, and an adviser to Dubai’s Princess Latifa, who was recaptured in 2018 on a yacht in the Indian Ocean after fleeing the emirate, are among those said to have been compromised by Pegasus spyware.

What should Apple users do? 

A patch for the vulnerability was pushed out on 13 September 2021 by Apple, which updates iPhones to iOS 14.8, and iPads to iPadOS 14.8. Apple Watches are updated to watchOS 7.6.2, while Macs running the current Big Sur version of macOS are updated to Big Sur 11.6. Older Macs running Catalina and Mojave will receive updates to Safari version 14.1.2. Apple’s head of security, Ivan Krstić, said:

‘Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.’

If you haven’t yet updated your Apple devices this week, you should check for the update and run it as soon as possible.

How Apple’s Plan to Combat Child Abuse Backfired On It
https://devstyler.io/blog/2021/08/17/how-apple-s-plan-to-combat-child-abuse-backfired-on-it/
Tue, 17 Aug 2021 16:09:19 +0000

In early August, Apple announced a major new program designed to help combat child exploitation and promote safety, issues the tech community has increasingly embraced. It was a presentation big on intent but light on the details.

What followed — outraged tweets, critical headlines and an outcry for more information — put the tech giant on defence just weeks ahead of the next iPhone launch, its biggest event of the year. It was a rare PR miscalculation for a company known for its meticulous PR efforts.

The technology at the centre of the criticism is a tool that will start checking iOS devices and iCloud photos for child abuse imagery, along with a new opt-in feature that will warn minors and their parents if incoming or sent image attachments in iMessage are sexually explicit and if so, blur them.

The concerns primarily focused on privacy and the possibility the technology could be used beyond its stated purpose, complaints that surely stung Apple, which has focused much of its marketing efforts in recent years on how it protects users.

In the week that followed the announcement, Apple went on to host a series of follow-up press conferences to clear the air and released a lengthy FAQ page on its website to address some of the confusion and misconceptions. In an interview published Friday, Craig Federighi, Apple’s senior vice president of software engineering, commented: “It’s really clear a lot of messages get jumbled pretty badly in terms of how things were understood.”

Many child safety and security experts praised the intent, recognizing the ethical responsibilities and obligations a company has over the products and services it creates. But they also called the efforts “deeply concerning,” stemming largely from how part of Apple’s checking process for child abuse images is done directly on user devices.

Ryan O’Leary, research manager of privacy and legal technology at market research firm IDC, said:

“When people hear that Apple is ‘searching’ for child sexual abuse materials (CSAM) on end-user phones they immediately jump to thoughts of Big Brother and ‘1984.’ This is a very nuanced issue and one that on its face can seem quite scary or intrusive. It is very easy for this to be sensationalized from a layperson’s perspective.”

Apple declined to comment on this story.

How Apple’s tool works

During the press calls, the company emphasized how the new tool will turn photos on iPhones and iPads into unreadable hashes stored on user devices. Those numbers will be matched against a database of hashes provided by the National Center for Missing and Exploited Children (NCMEC) once the pictures are uploaded to Apple’s iCloud storage service.

iPhones and iPads will create a doubly-encrypted “safety voucher” (a packet of information sent to iCloud servers) that’ll be encoded on photos. Once a certain number of safety vouchers are flagged as a match from NCMEC’s photos, Apple’s review team will be alerted so that it can decrypt the voucher, disable the user’s account and alert NCMEC, which can inform law enforcement about the existence of potentially abusive images. Federighi later clarified that about 30 matches would be needed before the human review team is notified. O’Leary said:

“There is rightful concern from privacy advocates that this is a very slippery slope and basically the only thing stopping Apple [from expanding beyond searching for CSAM images] is their word. Apple realizes this and is trying to put some extra transparency around this new feature set to try and control the narrative.”

In the PDF published to its website outlining the technology, which it calls NeuralHash, Apple attempted to address fears that governments could force Apple to add non-child abuse images to the hash list. It stated:

“Apple will refuse any such demands. We have faced demands to build and deploy government-mandated changes that degrade the privacy of users before, and have steadfastly refused those demands. We will continue to refuse them in the future.”

The messaging, however, comes at a time of increased distrust and scrutiny of tech firms, coupled with hypersensitivity around surveillance or perceived surveillance.

The lack of details on how the full operation would work contributed to the muddled messaging, too. When asked about the human review team on one press call, for example, Apple said it wasn’t sure what that would entail as it is still experimenting with the rollout.

Apple is far from alone in building child abuse detection tools but other major tech companies do not do so on the device itself. For example, Google and Microsoft have systems that help detect known images of child exploitation and Facebook has tested tools such as a pop-up that appears if a user searches for words associated with child sexual abuse or if they try to share harmful images.

Mary Pulido, executive director of the New York Society for the Prevention of Cruelty to Children (NYSPCC), called these technologies important, noting they can “help the police bring traffickers to justice, accelerate victim identification, and reduce investigation time.” She’s also in the camp that believes “protecting children from any potential harm trumps privacy concerns, hands down.”

Where Apple went wrong

While no one is disputing Apple’s motivation, Elizabeth Renieris, professor at Notre Dame University’s IBM Technology Ethics Lab, said the timing was “a bit odd” given all of its privacy-focused announcements at its Worldwide Developer Conference in June. Apple declined to share why the new tool was not presented at WWDC.

Renieris also said Apple erred by announcing other seemingly related though fundamentally different updates together.

The new iMessage communication feature, which has to be turned on in Family Sharing and uses on-device processing, will warn users under age 18 when they’re about to send or receive a message with an explicit image. Parents with children under the age of 13 can additionally turn on a notification feature in the event that a child is about to send or receive a nude image. Apple said it will not get access to the messages, though people still expressed concerns Apple someday might do so. O’Leary said:

“By mixing it in with the parental controls it made the announcements seem related. These are different functionalities with different technology.”

Big names in tech added fuel to the fire. Everyone from Edward Snowden to Will Cathcart, head of WhatsApp, which is owned by Facebook, publicly criticized Apple on Twitter. Cathcart said it was “troubling to see them act without engaging experts that have long documented their technical and broader concerns with this.”

Some security experts like former Facebook chief security officer Alex Stamos said Apple could have done more, such as engaging with the larger security community during the development stages.

Threading the needle of protecting user privacy and ensuring the safety of children is difficult, to say the least. In trying to bolster protections for minors, Apple may have also reminded the public about the potential control it can wield over its own products long after they’re sold.

Nuspire reported a massive spike in malware with Visual Basic for Applications
https://devstyler.io/blog/2021/02/23/nuspire-reported-a-massive-spike-in-malware-with-visual-basic-for-applications/
Tue, 23 Feb 2021 10:51:25 +0000

Nuspire’s Threat Report provides data and insight into malware, exploit and botnet activity throughout 2020, including the largest spike in ransomware activity seen to date in Q4.

Nuspire, a leading managed security services provider (MSSP), announced the release of its 2020 Q4 and Year in Review Threat Landscape Report. Sourced from its 90 billion traffic logs, the report outlines new cybercriminal activity and tactics, techniques and procedures (TTPs) with additional insight from its threat intelligence partner, Recorded Future. Craig Robinson, a Program Director, Security Services at IDC, said:

“The volume of sophisticated attacks seen throughout 2020 highlights the criticality of business intelligence and cybersecurity detection and response to improving organizational cyber readiness. Nuspire’s latest report puts into perspective the changing nature of cyberattacks. Security leaders must be ready for unexpected situations, consistently revisiting and revamping their cybersecurity strategies.”

2020 was a chaotic year that shifted the threat landscape and changed the way many organizations manage their business operations. In addition to increasingly sophisticated and frequent attacks, Nuspire security experts observed a massive spike in malware with Visual Basic for Applications (VBA) agent activity, which overshadowed all other malware variants identified throughout the year. John Ayers, Nuspire Chief Strategy Product Officer, added:

“The SolarWinds attack shook the cybersecurity community to its core and should serve as a reminder to organizations small or large that security must be a priority within every aspect of the business. As attack techniques continue to evolve and the frequency of attacks increases, it’s critical for business success to understand the changing threat landscape and how to protect themselves from cyberthreats.”

During Q4, security experts uncovered a 10,000% increase in ransomware activity, the largest spike in activity Nuspire has observed to date. Ransomware operators targeted some of the most vulnerable moments in time, including the U.S. Presidential Election and the holidays, and continued to leverage year-long themes, such as the COVID-19 pandemic. Additionally, exploit attacks saw a whopping 68% increase this quarter as a result of numerous SMB brute force login attempts.

Additional notable findings from Nuspire’s 2020 Q4 and Year in Review Threat Landscape Report include:

  • Although malware activity was on a slow decline at the beginning of 2020, activity sharply increased in Q4, reaching its highest point through the year in September. VBA Trojans were the most commonly observed malware at 95%, suggesting either numerous malspam campaigns were launched or a large-scale one was instigated by unknown operators. Nuspire expects that VBA agent activity will continue to overshadow other variants as VBA is the first stage of infection.
  • Throughout 2020, Nuspire observed a consistent increase of exploitation events with DoublePulsar reigning as the top utilized technique. However, Q4 saw the largest volume of activity in December with SMB Login Brute Force attempts, closely followed by HTTP Server Authorization Buffer Overflow attacks.
  • Botnet and Exploit activity remained fairly consistent throughout the year with the largest contenders being ZeroAccess Botnet, which made a significant appearance in May, and DoublePulsar staying at the top of the exploit activity list in 2020.
  • In Q4, attackers increased attempts to exploit new vulnerabilities as they were disclosed. This escalation was driven by the release on the dark web of a list of over 49,000 Fortinet devices with a known vulnerability, and by APT groups, which also targeted the SSL-VPN vulnerability (CVE-2018-13379). Shortly after this list was released, activity attempting to exploit this vulnerability increased by 4,176%.