Gaping iOS 14.6 iMessage security flaw saw journalists' iPhones infected with spyware

Ios 14 Hero Messages Mask
Ios 14 Hero Messages Mask (Image credit: Rene Ritchie / iMore)

What you need to know

  • A flaw in the way iOS 14.6 handles iMessages saw journalists, activists, and others have spyware installed on their devices.
  • This is despite iOS 14 protections that were supposed to prevent this from happening.

Journalists, activists, and other groups around the world have seen their iPhones infected with spyware without their knowledge — and without them having to tap a thing to initiate the download. The spyware, Pegasus by NSO Group, is available commercially.

According to a report by multiple news outlets as well as Amnesty International's Security Lab, commercial hacking spyware Pegasus has been found to infect thousands of devices. The report is based on a list of 50,000 phone numbers that were thought to be of interest to clients of NSO. When security experts inspected some of the devices attached to those numbers, they found infections galore.

The analysis Amnesty International conducted of several devices reveal traces of attacks similar to those we observed in 2019. These attacks have been observed as recently as July 2021. Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).

For its part, NSO says that none of this is anything to do with the company — pointing out that it doesn't have access to anything its customers collect via its software. As if that matters one jot.

NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems.

The fact that Pegasus can be installed without the victim doing anything is of particular concern, as is the fact it still seems to be able to worm its way onto devices running iOS 14.6, as noted by MacRumors.

See more

While Apple is testing iOS 14.7 with beta testers right now, iOS 14.6 is the latest version available to everyone else. That means the best iPhone software available to the world, as of today, appears to remain vulnerable to Pegasus.

Those involved in the investigation intend to release a list of the people whose numbers appeared on the list of potential targets. It's said to include business executives, journalists, religious figures, and even government officials.

Oliver Haslam

Oliver Haslam has written about Apple and the wider technology business for more than a decade with bylines on How-To Geek, PC Mag, iDownloadBlog, and many more. He has also been published in print for Macworld, including cover stories. At iMore, Oliver is involved in daily news coverage and, not being short of opinions, has been known to 'explain' those thoughts in more detail, too.

Having grown up using PCs and spending far too much money on graphics card and flashy RAM, Oliver switched to the Mac with a G5 iMac and hasn't looked back. Since then he's seen the growth of the smartphone world, backed by iPhone, and new product categories come and go. Current expertise includes iOS, macOS, streaming services, and pretty much anything that has a battery or plugs into a wall. Oliver also covers mobile gaming for iMore, with Apple Arcade a particular focus. He's been gaming since the Atari 2600 days and still struggles to comprehend the fact he can play console quality titles on his pocket computer.