If you have any Apple products, it's a good idea to give them an update as soon as feasibly possible. Following the discovery of a "zero-day" security flaw, Apple has released an emergency update to protect users.
The flaw is known as a "zero-day" flaw because, once it is found, that's how long companies have to fix it. This particular flaw, spotted by Citizen Lab, is an exploit that they've termed "FORCEDENTRY" and was first found when examining the phone of a Saudi activist. The group believes that the exploit is the work of Israeli technology firm NSO Group.
"We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," Citizen Lab said in a statement.
"The spyware installed by the FORCEDENTRY exploit exhibited a forensic artifact that we call CASCADEFAIL, which is a bug whereby evidence is incompletely deleted from the phone’s DataUsage.sqlite file. In CASCADEFAIL, an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry. We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO."
The exploit is also a zero-click, as it doesn't require the user to click on anything in order for the code to do its thing, and is likely spread through a message sent to people's devices. Citizen Lab believes that it has been in place since February, though they reported it to Apple the moment they found it on September 7.
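The CASCADEFAIL artifact in Citizen Lab's statement above comes down to ZLIVEUSAGE rows that still point at a ZPROCESS entry which no longer exists, something an examiner can look for with one join. The following is an added example, not code from Citizen Lab or Apple; the column names (Z_PK, ZPROCNAME, ZHASPROCESS, ZWWANIN, ZWWANOUT) and all sample rows are assumptions constructed for illustration, since the statement names only the file and its two tables.

```python
import sqlite3

# Assumed column layout: ZLIVEUSAGE.ZHASPROCESS holds the Z_PK of the
# ZPROCESS row it belongs to. The page itself names only the two tables.
ORPHAN_QUERY = """
SELECT l.Z_PK, l.ZHASPROCESS, l.ZWWANIN, l.ZWWANOUT
FROM ZLIVEUSAGE AS l
LEFT JOIN ZPROCESS AS p ON p.Z_PK = l.ZHASPROCESS
WHERE l.ZHASPROCESS IS NOT NULL   -- rows with no process link are not orphans
  AND p.Z_PK IS NULL              -- the referenced process row is gone
ORDER BY l.Z_PK
"""


def find_orphaned_usage(conn):
    """Return ZLIVEUSAGE rows whose ZHASPROCESS matches no ZPROCESS row."""
    cur = conn.execute(ORPHAN_QUERY)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def build_sample_db(incomplete_cleanup=True):
    """Constructed in-memory stand-in for DataUsage.sqlite (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY,
                                 ZHASPROCESS INTEGER,
                                 ZWWANIN REAL, ZWWANOUT REAL);
        INSERT INTO ZPROCESS VALUES
            (1, 'example.mail'), (2, 'example.helper'), (3, 'example.browser');
        INSERT INTO ZLIVEUSAGE VALUES
            (10, 1, 1200, 300), (11, 2, 52000, 910000),
            (12, 3, 800, 90), (13, NULL, 0, 0);
    """)
    if incomplete_cleanup:
        # Reproduce the described pattern: the process row is deleted,
        # the usage row that refers to it is left behind.
        conn.execute("DELETE FROM ZPROCESS WHERE Z_PK = 2")
    return conn


if __name__ == "__main__":
    for row in find_orphaned_usage(build_sample_db()):
        print("orphaned ZLIVEUSAGE row:", row)
```

On a real backup, run the query against a working copy of the file opened read-only, so the examination does not alter the evidence.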
"After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly," Apple said in a statement seen by 9to5Mac.
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
Though you are unlikely to be targeted by the exploit, unless you happen to be a high-profile protestor in a country where that's enough to have you tracked, it's still a good idea to update your devices in order to remove any potential for your phone to get hacked.