Apple Says iMessage Zero-Click Exploit Used in Pegasus Hack Is ‘Not a Threat’ to Most

By Sanuj Bhatia

Published 19 Jul 2021


Earlier today, it was reported that the Pegasus hack, which resulted in the data leak of thousands of journalists and human rights activists, infected devices through the zero-click exploit in iOS 14.6’s iMessage app. Apple has now issued a statement regarding the data leak, saying that the exploit is “not a threat to most.”

Apple’s Security Engineering and Architecture head Ivan Krstić provided a statement to The Washington Post claiming that the iMessage exploit used in the Pegasus data leak isn’t a threat to most. The statement is vague, though: Apple hasn’t directly said whether or not the hack was a result of the iMessage exploit.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Though a little reassuring, this doesn’t mean that iPhones are not vulnerable to Pegasus spyware. Amnesty International also says that traces of the attack were found on iPhones that were running the “latest version of iOS available.”

“The analysis Amnesty International conducted of several devices reveals traces of attacks similar to those we observed in 2019. These attacks have been observed as recently as July 2021. Amnesty International believes Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).”

The Cupertino-based giant released iOS 14.7 to the general public today. Presumably, iOS 14.7 also does not contain the fix for Pegasus spyware; otherwise, Apple would have mentioned it in the release notes, or would have at least written “critical security bug fix” in the notes.

[Via The Washington Post]