EXECUTIVE SUMMARY:

Your iPhone may remain vulnerable to a series of exploitable remote code execution flaws. If you haven’t already updated your device, update now. The risk to enterprises is rated as high. Apple patched 40 bugs, but Pegasus spyware remains a threat.

Apple recently announced the existence of a ream of code-execution vulnerabilities within its iPhone products. A handful of these can be easily exploited. Experts recommend updating to version 14.7 of iOS and iPadOS as soon as possible.

Despite the updates, your phone may still be vulnerable to Pegasus spyware. The NSO Group has continued to exploit loopholes and to perpetuate Pegasus. This episode has led the security community to reevaluate the security of Apple’s closed ecosystem.

iPhones are commonly favored by politicians, journalists, activists and others who may represent prime targets for spyware campaigns. Can Apple’s security bear the weight of protecting these highly targeted members of society?

The grey market for exploitable iPhone bugs is tremendous. An iOS bug might fetch as much as $1 million. Buyers may range from governments to hacking collectives.

Pegasus security: iPhone updates

The latest suite of updates addresses 40 vulnerabilities in total. Of these, 37 reside within iPhones. The most serious of the flaws could lead to arbitrary code execution with kernel or root privileges.

In addition to limiting iPhone vulnerabilities, recent updates addressed bugs in macOS Big Sur 11.5 and in macOS Catalina. At present, security researchers have not received information indicating that any of these vulnerabilities are being actively exploited in the wild.

Pegasus spyware and business risk

According to MS-ISAC, the Multi-State Information Sharing and Analysis Center, the newly discovered Apple bugs present a sizable risk to large and medium-sized businesses and government entities. Risk levels for these groups are considered high. The risk to individual home users is low.

WebKit: iPhone flaws

Four of the recent iOS and iPadOS security fixes are in WebKit, the engine that powers the Apple Safari browser. If exploited, any of the WebKit flaws could have led to arbitrary code execution, although a user would first have had to download malicious files or content.

Pegasus security: How to check for Pegasus spyware 

Wondering if your phone has been compromised? It’s unlikely, but possible. Pegasus spyware campaigns are typically highly targeted. Forbes states that “…you only have to worry if you are a business leader, journalist or dissident or close to someone…in an oppressive regime.”

The NSO Group, which is behind Pegasus software campaigns, asserts that Pegasus spyware is only used on criminals. However, Pegasus spyware is believed to have been on the phones of journalists associated with Jamal Khashoggi, who was murdered in 2018. Here’s how to find out if Pegasus spyware has hit your iPhone.

  1. Apps, such as iVerify 20.0, can provide you with real-time information about traces of Pegasus on your phone. These kinds of apps can also offer tips about how to stay secure. iVerify is Apple approved.
  2. Amnesty International offers a Pegasus spyware detection tool. It’s available on GitHub. This tool may be a bit of a challenge to use for those who aren’t especially technical.

Pegasus spyware targets number fewer than 50,000, total. However, everyone should aim to keep phones free of malware, spyware and similar software. To prevent Pegasus from hitting your phone, ensure that you apply Apple’s software updates as they become available.

In select instances, shutting down and restarting a phone can remove Pegasus, as a criminal may only have temporary access. Should you perceive yourself as a Pegasus target, you may want to remove iMessage from your device.

For past Cyber Talk coverage concerning Pegasus spyware and Pegasus security, click here. To sign up for our newsletter, subscribe here.