Apple's Emergency Patch For NSO Hack

Apple has released an emergency software patch to fix a security vulnerability that researchers have said allows hackers to directly infect iPhones and other Apple devices without any user action. Apple was not aware of the attack until researchers found evidence of it on a Saudi activist's phone. The  patch is to fix a major vulnerability in iMessage.

Security researchers found the vulnerability when they were investigating the potential hack of a Saudi activist’s iPhone, says Citizen Lab, a digital rights group housed at the University of Toronto's Munk School that has been analysing the Israeli NSO Group spyware. 

Malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which opens a phone to allow spying and remote data theft. “While analysing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage...  
The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.”

Pegasus is a powerful spyware that is capable of turning on a target’s camera and microphone to record messages, texts, emails, and calls, even if they’re sent via encrypted messaging apps. 

“We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021” says Citizen Lab.

Researchers believe the attack was carried out by a customer of NSO, the infamous Israeli company that sells spyware to dozens of governments all over the world. 

The hack relied on an unknown vulnerability, also known as a zero-day in iMessage, which allowed the hackers to take over a target’s phone by sending them a message that was effectively invisible. These kinds of attacks are called zero-click exploits, as they don’t require the victim to click on anything.  The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the exploit broke through new iPhone defences that Apple had embedded into iOS 14, named BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. 

Zero click remote exploits are used to  infect a device without the victim’s knowledge or the need for the victim to click on anything at all and can be used to infect victim devices for as long as six months. They are principally used by governments, mercenaries and criminals who want to secretly monitor targets’ devices undetected.

Citizen Lab:    Vice:    The Register:    Flipboard:     Independent:      Threatpost:     Times Colonist:   

Image: Unsplash

You Might Also Read: 

The Spycraft Revolution:

 

« CYRIN Webinar - Stop Ransomware In Its Tracks
National Cybersecurity Failings: How Businesses Can Improve Their Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Pluralsight

Pluralsight

Pluralsight helps enterprises build technology skills at scale with expert-authored courses on today’s most important technologies including information and cyber security.

Information Commissioner's Office (ICO)

Information Commissioner's Office (ICO)

The Information Commissioner's Office is an independent authority set up to uphold information rights in the public interest.

CYBERSEC Forum

CYBERSEC Forum

CYBERSEC Forum is an annual European Public Policy Conference dedicated to strategic aspects of cybersecurity.

Global Security Network (GSN)

Global Security Network (GSN)

GSN focuses on specialized IT Security solutions & services for the military, law enforcement, critical infrastructure and oil & gas sectors in the Middle East.

Cyberlitica

Cyberlitica

Cyberlitica (formerly iPhish) provides a Workforce Threat Intelligence application that significantly augments companies’ cyber threat prevention efforts.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

ControlMap

ControlMap

ControlMap is a software as a service platform with a mission to simplify and eliminate stress from everyday operations of modern IT compliance teams.

Evina

Evina

Evina offers the most advanced cybersecurity and fraud protection for mobile payment.

Tugboat Logic

Tugboat Logic

Tugboat Logic was created to address the skills and expertise gap in the security and compliance industry. Our goal is to simplify and automate information security management for every enterprise.

Pessimistic Security

Pessimistic Security

The team behind Pessimistic helps blockchain startups meet modern security challenges since 2017.

Computacenter

Computacenter

Computacenter is a leading independent technology partner, trusted by large corporate and public sector organisations. We help our customers to source, transform and manage their IT infrastructure.

Bastion Technologies

Bastion Technologies

All your cyber defense. One platform. Keep your business assets and employees safe under one roof. Manage your cyber defense quickly, easily & efficiently.

Liquis Inc.

Liquis Inc.

Liquis, founded in 2002, is one of the largest facility decommissioning services companies in the U.S.

42Crunch

42Crunch

42Crunch provides API security testing and threat protection. We proactively test, fix and protect your APIs from development to runtime.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.