What you need to know
- Apple says that a flaw in iOS that is exploited by NSO Group's Pegasus system is "not a threat" to most people.
- The company says it's working to add new protections "constantly."
- But there's no fix for those to whom it is a threat.
Following the news earlier today that journalists and other high profile people are being targeted by the Pegasus spyware, Apple has released a statement on the matter. Pegasus was reportedly able to exploit a flaw in iMessage, even on devices running iOS 14.6.
In a statement provided to the Washington Post, Apple Security Engineering and Architecture head Ivan Krstić suggested that there's no fix for the issue, but that Pegasus and similar spyware are "not a threat" to most people.
The full release reads:
Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.
While that will surely be comforting to most people, it does suggest that Apple doesn't yet have a fix for the issue that was reported earlier today. That might also suggest that the upcoming iOS 15 will be susceptible to such a spyware attack. That's very bad news for the thousands of people who are on the hit list collected by NSO customers.
The analysis Amnesty International conducted of several devices reveals traces of attacks similar to those we observed in 2019. These attacks have been observed as recently as July 2021. Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
Apple released iOS 14.7 to the public today and I have to assume that doesn't have a fix for Pegasus, either. Apple would presumably have mentioned that in its note to the Washington Post if it did.