- Embarrassing error occurs four days before new iPhone is announced
- Apple had to push out a last-minute software update – here’s how to get it
Just six weeks after releasing the last software update, Apple had to issue an urgent follow-up notice.
iOS 16.6.1, released globally on Thursday, fixes a security flaw that leaves iPhones vulnerable to “spyware” – software that steals information from a device.
The flaw was brought to Apple’s attention by the University of Toronto’s Citizen Lab, which said it was “capable of compromising iPhones without any interaction from the victim.”
In a web post about iOS 16.6.1, Apple confirmed that the new update “provides important security fixes” without providing further details, but credited Citizen Lab experts “for their support.”
Apple will announce a brand new mobile operating system called iOS 17 next week alongside the new iPhone 15.
How to install the “urgent” iPhone update
- On your iPhone, go to the Settings app (indicated by the gear icon).
- Select “General” and then “Software Update”.
- Tap “Download and Install.”
Unfortunately, the bug is too dangerous to wait for the release of iOS 17 (expected later this month), so Apple had to quickly roll out this latest version of 16.6.
To install the urgent update, users simply need to go to their iPhone Settings and select “General” and then “Software Update.”
An iOS 16.6.1 entry should appear with the message: “This update provides important security updates and is recommended for all users.”
Tapping “Download and Install” should initiate the update, which may take a few minutes to complete.
Apple said the update is also available for iPadOS, the operating system that runs on its iPads.
The tech giant said: “To protect our customers, Apple does not disclose, discuss or confirm security issues until an investigation has taken place and patches or releases are available.”
However, Citizen Lab provides many more details about the vulnerability used by cybercriminals to distribute the infamous “Pegasus” spyware developed by Israeli company NSO Group.
In a blog post, Citizen Lab said the attack uses an “exploit chain” – a method that combines multiple vulnerabilities to compromise the victim step by step – without any interaction from the victim (“zero-click”).
“Citizen Lab immediately shared our findings with Apple and assisted with the investigation,” the research group said.
“We expect to publish a more detailed discussion of the exploit chain in the future.”
“We urge everyone to update their devices immediately.”
“This latest discovery shows once again that civil society is the target of sophisticated exploits and mercenary spyware.”
Citizen Lab also recommended that any iPhone user “who may be at increased risk because of who they are or what they do” turn on Lockdown Mode, Apple’s security feature that was first released last year.
When a device is in Lockdown Mode, certain apps, websites and features are restricted and others are completely disabled for security reasons.
For example, most message attachment types other than images are blocked in the Messages app, and some features, such as link previews, are disabled.
Lockdown mode is an optional protection for users who face “serious, targeted threats to their digital security,” such as journalists and activists, Apple said.
PEGASUS: HOW THE POWERFUL SPYWARE USED TO HACK JOURNALISTS WORKS
Pegasus is a powerful “malware” – malicious computer software – developed by Israeli security firm NSO Group.
This particular form of malware is called “spyware,” meaning it is specifically designed to collect data from an infected device and pass it on to third parties without the knowledge of the owner.
While most spyware programs are limited in scope and only collect data from specific parts of an infected system, Pegasus appears to be much more powerful, allowing its controller almost unlimited access and control over an infected device.
This includes access to contact lists, emails and text messages, as well as stored photos, videos and audio files.
Pegasus can also be used to control the phone’s camera or microphone to record video and audio, and can access GPS data to check where the phone’s owner has been.
In addition, it can also be used to record all new incoming or outgoing telephone conversations.
Early versions of the virus infected phones with crude “phishing” attacks that tricked users into downloading the virus onto their own phones by clicking on a malicious link sent via SMS or email.
But researchers say the software has become much more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called “zero-click” attacks that can infect devices without the user having to do anything.
For example, in 2019, WhatsApp revealed that 1,400 people were infected with NSO Group’s software through a so-called “zero-day” bug – a previously unknown bug – in the app’s calling feature.
Users were infected when a call was made to their phone via WhatsApp, regardless of whether they answered the call or not.
More recently, NSO has begun exploiting vulnerabilities in Apple’s iMessage software, gaining backdoor access to hundreds of millions of iPhones.
Apple says it continually updates its software to prevent such attacks, although human rights group Amnesty says it has uncovered successful attacks on even the most current iOS systems.
According to NSO Group, Pegasus can also be installed on devices using wireless transceivers located near the target, or launched directly on the device if it is first stolen.