The advisory comes amid controversial revelations on the Pegasus spyware which can reportedly infect phones and collect data using zero-click exploits.
The Indian Computer Emergency Response Team on Wednesday issued an advisory asking Apple users to update their iOS, iPadOS, and macOS to patch a vulnerability that could be exploited with a “maliciously crafted application” to hijack users’ devices and gain elevated permissions on them. “A vulnerability has been reported in Apple iOS and iPadOS which could be exploited by a remote attacker to execute arbitrary code and gain elevated privileges on a targeted system,” the advisory said.
Why it matters? It is unclear if this update, version 14.7.1 for iOS users, fixes an exploit used by the NSO Group’s Pegasus spyware, which has been reported to be used by multiple countries, including India, to hijack users’ phones and spy on their phones’ contents and commandeer their mic and camera. However, such exploits, as the Pegasus Project shows, have incredibly worrying consequences for iOS users, especially those who don’t update their phones very often. Additionally, if this is indeed the vulnerability that CERT-In has published its advisory on, it is a curious contrast with the Indian NSO client who could have been using this exploit.
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30807: an anonymous researcher — Apple
An Apple spokesperson did not respond to a query for comment. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company says on its website.
Pegasus revelations so far
NPR reported on Friday that NSO Group, the Israeli company that developed the Pegasus spyware, has suspended several government clients to investigate misuse of its spyware. Although, it is not clear if the Indian client is among those whose licenses are suspended. Some of the potential targets of surveillance include the following
- Reliance ADAG’s Anil Ambani and officials from Dassault Aviation India, Saab India, and Boeing India were listed as persons of interest.
- Two retired top Border Security Force officials, a retired official from the Research and Analysis Wing (RAW), and two Indian Army officers were listed as possible targets.
- Former Chief Ministers of Karnataka from the Janata Dal (Secular) and Congress parties may have been targeted at a time when their coalition government in the state was involved in an intense power struggle with the BJP.
- Tamil nationalist leaders and several Periyarist activists such as Naam Thamizhar Katchi’s Seeman, Thirumurugan Gandhi, Thanthai Periyar Dravidar Kazhagam’s K Ramakrishnan, and Dravidar Kazhagam treasurer Kumaresan were listed as potential targets.
- Former CBI chief Alok Verma, personal mobile numbers of his relatives along with numbers of two other senior CBI officials, Rakesh Asthana and AK Sharma, may have been targeted.
- More than 25 people from the Kashmir Valley, including journalists, separatist leaders, human rights activists, politicians, and business persons, were selected as potential targets of intrusive surveillance between 2017 and mid-2019.
- Opposition leaders like INC’s Rahul Gandhi, TMC’s Abhishek Bannerjee, former PM Deve Gowda, and political analyst Prashant Kishor were also listed as targets along with a former Election Commission member Ashok Lavasa, several activists, 40 journalists, and others.
- NSO Group Has ‘Temporarily Blocked’ Several Government Clients From Using Its Technology: Report
- Pegasus Spyware: All the latest facts on who was targeted and more
- Pegasus: How do we rein in State surveillance? Here’s what experts said
- IT Minister Ashwini Vaishnaw addresses Parliament on Pegasus Spyware
What is your takeaway from this issue? Leave a comment below