Are iPhone and iOS really safe? New zero-day vulnerability completely puts an end to the "myth"

The Washington Post reported that many people thought their iPhones were absolutely safe, but the latest research shows that three previously unknown "zero-day vulnerabilities" have existed in Apple's mobile operating system iOS for many years, and in fact Apple users are always at risk.

The latest report released by Citizen Lab, affiliated with the Munk School of Global Affairs at the University of Toronto in Canada, and Lookout, a mobile security company in San Francisco, California, USA, shows that a type of spyware can exploit three "zero-day vulnerabilities" that have existed in the iOS system for many years and help take over the user's smartphone by tricking the iPhone user into clicking on a link in a text message.

"This is the most sophisticated spyware we've ever seen specifically targeting mobile phones," said Mike Murray, vice president of security research at Lookout. Researchers have linked the spyware to the Israeli company NSO Group, which was acquired by U.S. private equity firm Francisco Partners in 2014 and has developed spyware that has been used to target journalists and activists.

Apple released a patch on Thursday and said in a statement: "We recommend all users download the latest version of iOS to protect themselves from potential security vulnerabilities." But the spyware highlights the fact that even technology companies with strong security reputations still find it difficult to compete with a powerful market flooded with hacking tools that give governments powerful digital surveillance capabilities.

The spyware for Apple's iOS system was first found on the iPhone 6 of Ahmed Mansoor, a democracy activist in the United Arab Emirates, who received two text messages promising to reveal the "secrets" of tortured prisoners in UAE prisons. Mansoor immediately became suspicious, saying that he was often targeted by the government using malware. Every time they got new spyware, they would try it on him.

Instead of clicking the link in the message, Mansoor forwarded it to researchers at Citizen Lab, who worked with security experts at mobile security company Lookout to confirm Mansoor's fears: If he had clicked the link, attackers could have taken over his phone.

Citizen Lab believes that the UAE government may be behind the attack on Mansoor's phone, but it cannot provide evidence. The UAE has not yet responded to this. However, NSO Group has introduced the spyware used against Mansoor in a brochure. It is called Pegasus and allows hackers to remotely track the target device invisibly and obtain complete data from it.

In addition, the Citizen Lab found that a Mexican journalist who was responsible for reporting on corruption scandals was also targeted by spyware. He also received a text message containing a specific link that seemed to be related to a well-known Mexican news media. The Citizen Lab has not yet been able to identify the specific attackers in this case, but they believe that the evidence indicates that the Mexican government is behind the attack. The Mexican government has not commented.

Apple immediately worked to fix the vulnerability after Citizen Lab and Lookout issued the warning. Mansoor was attacked on August 10 and 11, and Apple was able to provide a solution within 10 days of being notified. But details from the spyware show that it has been used for many years. The danger to ordinary users is very limited because NSO Group says it only sells its spyware to government agencies.

A spokesperson for NSO Group said in a statement that they were not aware of Mansoor or the Mexican journalists, and did not run any malware systems themselves. The company has signed agreements with customers requiring their products to be used only in a legal manner. Specifically, these products can only be used to prevent and investigate crime.

But past research has shown that some government agencies use this spyware to spy on opponents and journalists. As recently exposed NSA documents show, malware that relies on unpatched vulnerabilities can endanger public safety if the vulnerabilities are exposed. Governments and companies like NSO Group that develop hacking tools instead of reporting vulnerabilities to developers can also threaten the security of all users because they can't be sure whether others will discover the same problem.

Apple devices are known for being secure, and the company even went to court with the FBI over the iPhone of Jamie, the San Bernardino shooter. But the FBI ultimately decrypted the phone without Apple's help, reportedly paying professional hackers more than $1 million for help. Apple has always been a leader in secure consumer products, in part because the company has a tight grip on the iPhone platform. But that also attracts more hackers who want to break into Apple products.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.