A day before Apple is expected to release iOS 15 and other new software versions alongside the iPhone 13 launch, the company released iOS 14.8 as an emergency update to fix an exploit that allowed spyware reportedly like that used by the Israel-based NSO Group to infect iPhones, Apple Watches, and Mac computers without users needing to click on anything.
The exploit is serious enough for Apple to have been sprinting to fix it since the company was alerted to it last Tuesday by Canadian cybersecurity firm Citizen Lab, per the New York Times. In addition to iOS 14.8, Apple released iPadOS 14.8, watchOS 7.6.2, and macOS Big Sur 11.6, which users are advised to download immediately. It’s unclear if the exploit affects beta versions of upcoming software like iOS 15 (we’ve reached out to Apple to confirm).
The spyware, called Pegasus, quietly downloaded PDF files (intentionally mislabeled as .gif images) to users’ devices without their permission – and unlike other malicious code, without needing users to click on suspicious links or manually download files. Thus, this type of ‘zero click’ exploit is even more dangerous, potentially existing on devices for months without the owners noticing.
Once the PDFs got on a device, Pegasus could activate cameras and microphones, record messages and other communications (even if encrypted) and forward that info back to the cybersurveillance firm NSO Group – and conceivably, its clients.
Analysis: Update iOS 14? In our moment of iOS 15 triumph?
If anything sells the importance of the iOS 14.8 update, it’s that Apple chose to rush it out ahead of iOS 15, which we’re expecting to arrive on September 14 or shortly thereafter following the iPhone 13 launch. Given that every phone running iOS 14 (iPhone 6S and newer) will be able to download the new iOS 15, it’s telling that Apple pulled out the stops to make it available – and didn’t even beta test it, per 9to5Mac.
To be clear, the iOS 14.8 update is undoubtedly much smaller than iOS 15, and the same is true for the minor updates coming to iPadOS, watchOS, and macOS – so hopefully that makes it easier for folks to swallow.
As previously mentioned, it’s unclear if this exploit worked on iOS 15 public beta and other early versions of other device software; since we haven’t seen similar spyware-blocking updates for the iOS 15 and iPadOS 15 betas, we’d guess not. But Apple is getting wise to this type of exploit: the company confirmed to the New York Times that it’s adding spyware barriers to its next iOS 15 update later this year.