This week, Apple fixed a major security vulnerability that allowed spyware to enter iPhones and iPads using “zero-click” attacks.
These attacks reach a device without the owner even having to click on a link. How do they work and what can be done to stop them?
“Zero-click attacks are a threat of a higher level” than traditional attacks, explains John Scott-Railton, researcher at Citizen Lab, the cybersecurity center at the University of Toronto that discovered the Apple flaw.
Classic spyware requires the targeted person to click on a link or a booby-trapped file to install the program on their phone, tablet or computer. By contrast, in a zero-click attack, the software sneaks into the device without the target having to click on anything.
This is a crucial technique for would-be spies at a time when users are increasingly suspicious of the messages they receive.
The zero-click attacks exploited a flaw in Apple’s iMessage messaging service to quietly install Pegasus, invasive software capable of turning a phone into a pocket spying device.
In July, some governments were accused of using the software to spy on human rights defenders, businessmen and politicians, sparking a global scandal.
The answer is simple: “No”, asserts Scott-Railton. “There is nothing that users can do to protect themselves against these attacks and there will be nothing to tell you that you are infected.”
Apple announced that the problem was resolved just a week after the Citizen Lab revelations on September 7.
Such responsiveness is “very rare, even for a large company,” says Scott-Railton, who urges Apple users to install the software update released by the tech giant on Monday.
Back in 2019, Pegasus was already using flaws in the WhatsApp messaging app to carry out zero-click attacks.
For Scott-Railton, the ubiquity of these applications makes them tempting targets for the Israeli company NSO, the maker of Pegasus.
“In any phone there is a good chance that a messaging app is installed,” he explains. “Infecting phones via messaging is therefore a simple and effective way to achieve your ends.”
Messaging applications are “a very important target for hacking operations, whether carried out by states or by private actors like NSO”, adds Scott-Railton.
For Vivien Raoul, CTO of cybersecurity company Pradeo, the discovery of the iMessage flaw is “a good start to shrinking Pegasus’ front doors, but it won’t be enough to stop it.”
Malware designers will look for potential weaknesses in other popular apps, and given the high complexity of these apps, flaws will inevitably be discovered from time to time, experts warn.
However, Google’s Android and Apple’s iOS operating systems “regularly correct a large number of vulnerabilities,” said Vivien Raoul.
NSO, which has former senior Israeli military intelligence officers in its ranks, has considerable resources to investigate these weaknesses, while hackers also sell it access on the dark web.