Apple has urged users to update devices after researchers identified a “zero-click” loophole affecting the iMessage service.
The security flaw affects all Apple devices including iPhones, iPads, Apple Watches and Mac computers according to researchers from the University of Toronto Citizen Lab.
The team found that malicious PDF files and web addresses sent over messenger could force entry onto iPhones and install spyware without the links being clicked.
In a message released yesterday Apple announced its iOS 14.8 and iPadOS 14.8 updates would fix the flaw which lets a “maliciously crafted PDF” execute code on user devices. The statement said, “Apple is aware of a report that this issue may have been actively exploited.”
According to Citizen Lab the spyware was developed by NSO Group, an Israeli firm which sells sophisticated surveillance tech to governments worldwide.
The researchers discovered the Pegasus spyware on the phone of a Saudi activist and said they had encountered the technology multiple times before in cyber attacks targeting the Whatsapp messaging service.
“Our finding also highlights the paramount importance of securing popular messaging apps,” said the researchers. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them.”
Steve Turner, an analyst from Forrester, commented on the news. He said, “users of the largest tech giants’ products will unfortunately always be a target, whether it be a laptop running Microsoft Windows or a smartphone like the Apple iPhone running iOS.”
“Security vigilance is required for all the various tech we depend on or enjoy within our homes and businesses,” he added.
The revelation comes as Apple prepares for its iPhone 13 launch event later today.
Read more: Epic Games to appeal ruling in Apple case