Should the iMessage vulnerability be a concern for more than just specific targeted individuals?
It’s “guaranteed” that there are wider implications beyond just the impact on certain individuals who’ve been identified as targets, Dettbarn said.
On Monday, Apple released patches for iPhone, iPad and macOS devices that address an iMessage vulnerability reportedly used by spyware maker NSO Group. The Citizen Lab at the University of Toronto reported discovering the zero-day, zero-click iMessage exploit—which the research group says was used by NSO Group to infect a Saudi activist’s iPhone with its Pegasus spyware.
In a statement provided to CRN on Monday, Ivan Krstić, head of security engineering and architecture at Apple, confirmed that the exploit affected iMessage. However, Krstić’s statement indicated that this type of attack is “not a threat to the overwhelming majority of our users.”
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said in the statement.
Dettbarn said he believes the exploit potentially has a broader impact, however.
“Nobody knows the full trajectory of these active exploits, because it’s never fully disclosed. And the proliferation of how to leverage the exploit goes out there very, very quickly,” Dettbarn said. It’s “absolutely not” just NSO Group that has likely made use of this iMessage vulnerability, he said.
“It’s always an ‘iceberg’ – what we see is just 10 percent of it. Anybody who thinks differently is just not wanting to look [deeper] into that,” Dettbarn said.