Earlier this year it was revealed that Apple is using a new technique in iMessage to make the chat service more secure. BlastDoor ensures that the iPhone processes incoming messages in an extra safe environment. This prevents a malicious message from gaining traction over the rest of the operating system. It now appears that this system is not yet watertight, because at least iOS 14.6 appears to have a vulnerability. This makes the iPhone susceptible to spyware. It concerns the Pegasus spyware, which can read messages, emails and media.
Pegasus spyware in iOS 14.6 due to vulnerability iMessage
Amnesty International, among others, investigated the use of the spyware Pegasus of the Israeli company NSO Group. According to NSO, Pegasus is used to track criminals and terrorists, but Amnesty International, among others, obtained a list of 50,000 telephone numbers that may have been targeted by governments that use Pegasus. As a result, Amnesty decided to investigate dozens of phones and it turned out that 37 phones belonging to journalists and activists, among others, were infected or that attempts had been made to install the spyware Pegasus. Security researcher Bill Marczak discovered that this includes iPhones.
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
— Bill Marczak (@billmarczak) July 18, 2021
This is a so-called zero-click exploit in iMessage in iOS 14.6, which allows spyware to be installed without user action (such as opening a link). So infecting iPhones is done via iMessage, but it is not entirely clear how many iPhones are affected. In any case, it is possible in iOS 14.6, the most recent iOS version at the time of writing. It is not yet known whether Apple is working on a solution.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
— Bill Marczak (@billmarczak) July 18, 2021
You can do this
Apple will soon release iOS 14.7, presumably this week. There is certainly a chance that Apple will fix the vulnerability in this version. Apple may also choose to release iOS 14.7.1 soon, if more time is needed to plug the leak. The chance that your iPhone will be affected seems very small. The Pegasus spyware is mainly used on (international) journalists and people who are in the crosshairs of governments. But nevertheless, it's important that iPhones are secure. Although NSO Group claims that Pegasus is only used to track criminals and terrorists, it can also be misused to track innocent people. So it's important to keep your iPhone and other devices up to date with the latest software updates. Apple regularly fixes security vulnerabilities. As soon as an update is ready for your iPhone, you will of course read it on iCulture.
In the past, Pegasus was also used on iPhones, but then closed the leak in an iOS update.