Over the last few days Apple has pushed out updates to the release, developer preview, and public beta versions of iOS: iOS 9.3.5, iOS 10 developer preview 7, and iOS 10 public beta 6. All of them, on every carrier, for every region, at the same time. The updates patch the vulnerabilities used by a just-discovered set of malware and spyware called Pegasus, made and sold for upwards of a million dollars by a company called the NSO Group to nation-states that wanted to surveil dissidents and journalists.

It's not something most of us, our family, friends, and colleagues, ever need to worry about. But it's something we should all stay informed about.

Okay, back up, what happened and why am I reading about this?

A human rights activist in the UAE received a suspicious text message on his iPhone, had it investigated, and as a result Apple pushed out an update to patch three 0day exploits in iOS.

From Citizen Lab:

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a "Nobel Prize for human rights"). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising "new secrets" about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based "cyber war" company that sells Pegasus, a government-exclusive "lawful intercept" spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits ("zero-days") that would have remotely jailbroken Mansoor's stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.

So they basically did a remote jailbreak on iPhones?

Yes. If you remember back to the very early days of iOS, there was a brief time when you could jailbreak the original iPhone by tapping on a link that brought up a TIF image in the mobile Safari browser. It's nowhere near that easy anymore, but when you're dealing with millions of lines of code, and millions of dollars, bugs will happen and ways to exploit them will be found.

Here are the details on Pegasus from Lookout:

Lookout's analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:

  • CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel's location in memory.
  • CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
  • CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

So, in this case, the attack tried to trick the receiver into clicking a link found in a message. Once it gained entry, it would escalate until it had enough control over the iPhone to begin eavesdropping on communications.

Do I have to worry about this?

This attack was being used by nation-states that could afford a million-dollar price tag, and targeted at specific individuals including dissidents and journalists covering dissidents. If that doesn't describe you, there's very little to worry about.

That said, just like on computers, being safe means never clicking on links you get sent over messages or emails unless you're absolutely, 100% sure they're safe. It's the exact same way you avoid phishing attacks (attempts to con you out of your login or other private information) and the same advice that's been given for decades.

It's also always possible someone else found the same vulnerabilities, or, now that they're public, that someone else will try to exploit them. So, it's still important to update immediately.

But shouldn't I always update?

Yup. Ignore the headlines and the hyperbole about this particular update and remember to download and install all updates. Apple is always issuing security improvements, bug fixes, and performance enhancements. So, it's best practice to make sure you're always running the latest version.

Are you sure I'm getting the update?

Absolutely! One of the biggest advantages that comes with owning an iPhone is that Apple has made sure the company can update every modern device, on every carrier, in every region, all at once.

In this case, it goes back to 2011 devices, including iPhone 4s and up and iPad 2 and up.

All you have to do is go to Settings > General > Software Update.

Is Apple working to prevent this from happening again?

Apple, and every vendor, is working to make it as hard as possible for this to ever happen. They're doing it in several ways:

  1. Improving overall security. Apple continues to roll out new and better security protocols, including hardening against JavaScript attacks in iOS 10. The goal is to make it more difficult to get onto iOS and, if anything does get on, even more difficult to do anything once on. (If you're interested, and you haven't watched it already, check out Apple's talk at this year's Black Hat security conference for more.)
  2. Working with external security experts. Apple has recently announced a security bug bounty program to help independent researchers who find and responsibly disclose vulnerabilities in Apple's software.
  3. Reacting quickly when 0day exploits are found in the wild. Apple patched Pegasus quickly enough that the previous betas had barely shipped by the time the next versions were pushed out.

Security is all about defense in depth, and by doing all of these things, Apple makes iOS security increasingly deep.

What if I think I'm already infected?

If you think you might be a target for Pegasus, and might already be infected, you have a couple of options, including erasing your iPhone and restoring from a backup.

If you're really worried about the state of your device security, though, your best option is to buy a new iPhone from a trusted supplier and either restore a backup to that, or set it up as new and sync back contacts, email, and other personal information.

Wait, I have more questions!

Drop them in the comments below!
