iPhone owners, you may want to update your phone immediately.
An extremely critical iOS update was issued by Apple yesterday to patch three zero-day security exploits that could allow an attacker to take over and fully control an iPhone remotely by simply clicking a link.
Zero-day attacks are previously unknown software vulnerabilities that are already being exploited by hackers even before the software makers are made aware of them.
This threat, named "Trident" by security firm Lookout and internet watchdog Citizen Lab, can reportedly turn any iPhone into an espionage tool by installing sophisticated spyware.
According to the security researchers, once an iPhone is infected, attackers could turn the device into a "digital spy." The attackers could then use the iPhone's camera and microphone to "snoop on activity in the vicinity of the device," record calls, log messages and texts, and track movement.
This exploit chain was uncovered by Lookout and Citizen Lab when UAE human rights defender Ahmed Mansoor's iPhone was targeted with texts containing malicious links. Thankfully, instead of clicking the links, Mansoor forwarded the messages to Citizen Lab researchers.
Citizen Lab then teamed up with Lookout to reveal that the links led to the zero-day three-step exploit chain that would have jailbroken Mansoor's iPhone and installed the sophisticated spying malware Pegasus.
The security investigators say that the Trident exploit and Pegasus spyware can be traced back to an organization called NSO Group Technologies Ltd, a company that describes itself as a "leader in mobile and cellular Cyber Warfare."
Lookout determined that Trident does exploit these three zero-day iOS vulnerabilities:
- CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
- CVE-2016-4655: An application may be able to disclose kernel memory
- CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
The researchers say that Apple was informed about this trio of vulnerabilities more than a week ago, leading to the release of iOS security update 9.3.5 yesterday.
Update your iPhone now
With these critical security exploits, it is important that you apply the iOS 9.3.5 update on your iPhone (or iPad) now.
To do this, go to Settings >> General >> Software Update. Your device will then automatically check for the latest version of iOS.
If you are not updated yet, information about iOS 9.3.5 will be shown. Tap on "Download and Install" to begin the update process.
You may be required to enter your iPhone passcode during the installation but beyond that, everything should be automatic.
You will know that you have successfully updated to iOS 9.3.5 by checking Settings >> General >> Software Update again. It should display that "Your software is up to date."
To read about the security content of iOS 9.3.5, check out this Apple security document.