Apple works hard and expends a ton of resources to bolster iPhone security. Still, there’s no denying that mobile device security is often a game of cat-and-mouse, with Apple security engineers often responding to newly unearthed security loopholes and zero-day exploits as they arise.
So while Apple routinely issues iOS security updates, the release of iOS 14.8 about a week ago is unique. The iOS 14.8 update fixes a security vulnerability that would allow a malicious actor to have full access to everything on your phone. Suffice it to say, if you’re still running an older version of iOS 14, you should update to iOS 15 immediately.
A sophisticated iPhone security exploit
The exploit in question reportedly comes from the NSO Group, an organization responsible for some of the most advanced and sophisticated iPhone spyware ever created. The exploit itself can easily infect iPhones, iPads, Macs, and even Apple Watches. The spyware is known as Pegasus, but security researchers call it FORCEDENTRY.
Once the spyware infects a device, it keeps tabs on everything. Pegasus can monitor all sorts of data. That list includes phone calls, browser history, photos, emails, and messages sent and received via text, Facebook, WhatsApp.The spyware can also track your location and turn on your microphone for recording.
How the spyware spreads
Previous iterations of Pegasus from the NSO Group required a target to click on a link. The latest version, however, is far more sophisticated. The current incarnation of Pegasus can infect a device with absolutely no action from the target.
The New York Times reveals that one attack vector simply involved sending a target a photo. This photo then took advantage of “the way that Apple processes images and allowed the Pegasus spyware to be quietly downloaded onto Apple devices.”
The full Citizen Lab security report regarding Pegasus is viewable over here.
Apple’s iPhone bug bounty program
On a related note, it’s worth mentioning that some security researchers aren’t happy with Apple’s bug bounty problem. According to some security researchers, Apple doesn’t always pay out what it owes. Further, some Apple employees said that there’s a backlog of bugs that Apple needs to sift through.
The Washington Post reports that Apple’s “insular culture has hurt the program and created a blind spot on security.”
It’s quite common for tech companies to pay researchers who unearth security vulnerabilities. Apple’s bug bounty program, however, only started a few years ago. Additionally, the payment tiers at Apple are lower than they are at other tech companies.