The iPhone 13 could hit the market tomorrow, but Apple has moved quickly to fix a major flaw on its devices with new updates, iOS 14.8, iPadOS 14.8, and watchOS 7.6.2, none of which got beta testing first. None contains important features, as you might expect in the run-up to tomorrow’s California Streaming event, but these are critical security updates that contain fixes for two system vulnerabilities.
The potentially more serious one is Pegasus, an invasive spyware discovered by the Israeli NSO Group. This “zero-click” exploit requires no input from the phone’s user to take effect and was specifically used against activists in Bahrain, including members of the Bahrain Center for Human Rights. By breaking through Apple’s BlastDoor security system, the ForcedEntry exploit was able to install the Pegasus spyware suite for surveillance purposes.
According to the New York Times, the spyware can infect a wide variety of Apple devices. Once infected, it can turn on your device’s camera and microphone, record messages and access texts, emails and calls, even encrypted ones.
The second vulnerability allows attackers to bypass BlastDoor, which was implemented in January to create a line of defense between the Messages app and the rest of iOS.
Messages has traditionally been the weakest link in iOS device security because Apple hasn’t been particularly good at sanitizing incoming data from other users. At its lowest point, a bad actor was able to take control of someone else’s iPhone by sending them a specific text message or photo. BlastDoor works by filtering out incoming bad code.
According to the official patch notes, the new updates affect CoreGraphics and WebKit and fix issues related to “maliciously crafted” PDFs and web content. According to Apple’s characteristically vague wording, these problems may have been “actively exploited.”
This ties in with the story that spread in July and August about a new hack, dubbed “ForcedEntry” by researchers at the University of Toronto’s Citizen Lab, that defeated BlastDoor.
Significantly, Apple’s new update comes a day before its California Streaming event, which will showcase the iPhone 13 and other devices, and shortly before the expected release of iOS 15. Monday’s update could therefore be the last for iOS 14, and it comes at a time when it would otherwise be easy to overlook. That Apple released it at all, rather than kicking the can down the road and shipping the fix with the iOS 15 rollout, reflects the importance of the update.
All three updates are available over the air at the time of writing, replacing iOS 14.7.1, iPadOS 14.7.1, and watchOS 7.6.1.