Security researchers have identified a three-headed monster that could be used to record sounds, collect passwords, read text messages, record calls and track users. All iOS versions 9.3.4 and below are vulnerable.
The attack utilizes a mobile spyware product, ‘Pegasus,’ created by NSO Group — an Israeli cyber warfare company — designed to attack high-value targets. Using one of three known iOS 9.3.4 security vulnerabilities — dubbed ‘Trident’ — the exploit is capable of hijacking an iPhone or iPad with a single click.
According to Mike Murray, VP of Security Research and Response at cyber security firm Lookout:
The Trident vulnerability chain is the first that anyone’s seen of a one-click remote jailbreak of an Apple device. It’s the smoking gun active mobile threat that we’ve always known existed but didn’t yet have proof of. This demonstrates that highly resourced actors see the mobile platform as a fertile target for gathering information about targets and regularly exploit the mobile environment for this purpose.
Unfortunately, the vulnerabilities are more than a month old at this point, so it’s unclear how widespread the damage is. Security researchers at Citizen Lab and Lookout worked directly with Apple to identify, and push an emergency patch to close the vulnerabilities.
Today, Apple released an iOS update containing the patch, iOS 9.3.5.
iOS 9.3.5 follows another security patch three weeks ago, 9.3.4, that was thought to be the final iOS 9 update before the release of iOS 10 next month. The newly-discovered vulnerability led to a change of plans, and a new iOS version. The update is available now for all iOS devices.
If you’re currently running iOS 9.3.4 (or older), it’s imperative to update your device immediately.