Users of iPhones, iPads and Macs have been urged to install the fix as soon as they can, to ensure they are not targeted by a hack that appears already to have been used on some people.
The danger posed by such a vulnerability is high, even if the fix is simple. And the effects of it could be disastrous, even if most people will never know it existed.
It is the latest major flare-up in an ongoing battle for control and entry into iPhones. On one side stand the hackers – often employed by governments – who are constantly searching for a way into the devices; on the other are Apple, security experts, and iPhone owners themselves.
It is far from the first time that Apple has released an urgent security update of this kind. But the latest one is unusual in that Apple has disclosed that it might already have been exploited – there have only been a handful of examples of such attacks throughout the iPhone’s history.
There will, however, almost certainly be more. Any device that is connected to the internet is a potential target for hackers, and there is no such thing as perfect security that lasts forever.
However, for most, fixing the problem is simple enough: users can download and install the update, which patches the vulnerability, and are back to being as secure as they can be.
But for Apple and its most high-risk customers, this is just the latest episode in an ongoing battle to try to keep users safe. For the hackers themselves, it is a rare and valuable success in their fight.
Hackers are constantly looking for bugs of this kind so that they can be sold on. Probably the most famous example is Pegasus, a piece of spyware that is thought to have been used by a number of governments and allows access into iPhones – at which point hackers are able to read the owner’s messages, follow their location, and listen to and watch them through their microphone and camera.
Such powerful software has only been possible because there is a whole marketplace for finding such bugs. If a hacker finds a significant problem, such as the one addressed in the new software update, they have the option of selling it on to spyware companies – those spyware companies can then weaponise it and sell it on to entities such as nation states, which are able to deploy it against dissidents or other enemies.
To try to counter that market for vulnerabilities, technology companies offer “bug bounties” – payments that aim to incentivise security researchers to hand over any bugs to the companies responsible rather than selling them on to those who wish to use them for cyber attacks.
In the past, Apple has been criticised for both the value and the efficiency of its bug bounty programme, with researchers arguing that they should be given more and that problems are not followed up quickly enough. But Apple offers a considerable amount of money for bugs, ranging from $100,000 (£85,000) for finding a way around the iPhone’s lock screen or getting iCloud account data, all the way up to $1m for the most profound bugs, which let people into the deepest parts of the phone without even touching it.
Apple’s list of security updates makes clear how often those problems are found, and how damaging they can be. The latest update was released on Wednesday and was credited to an anonymous researcher – who will presumably have made a considerable amount from finding it – but before that, Apple had issued a critical security update almost once a month in 2022.
It can be hard to know precisely how significant these attacks are, because Apple and other technology companies keep that information secret to ensure that it cannot be used for nefarious purposes. If Apple were to disclose the nature of an attack, it might also give hackers a clue about how to use it.
“For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” the company states on its website. It is also a stipulation of the bug bounty programme that hackers must not talk about the problem before it has been addressed.
Even with these updates, however, the iPhone cannot remain entirely secure. Hackers are always looking for ways into devices, and sometimes they find them; no device can be perfectly secure, something that even Apple itself has recognised in its updates.
Last month, Apple announced the introduction of “Lockdown Mode”. Its existence is a recognition of the fact that there will always be some tension between useful features on phones and total security, and that there is not always a way to have both.
When a user switches on that mode, it makes clear that the phone will “not function as it usually does”. It also makes clear that it is only meant for those who are likely to be personally targeted by such attacks.
“Lockdown Mode is an extreme, optional protection that should only be used if you believe you may be personally targeted by a highly sophisticated cyberattack,” it says. “Most people are never targeted by attacks of this nature.”
Apple did not give any explicit guidance on who should consider themselves the kind of high-risk user Lockdown Mode is intended to protect. But it did suggest that anyone who belongs to that group will already know; if you don’t have reason to suspect you could fall victim to such a hack, then you probably won’t.
That is partly because exploiting such vulnerabilities often means alerting companies and security experts to the fact that they exist, which in turn can mean they might be patched; the powerful Pegasus spyware, for instance, was found when attackers tried to use it on a human rights activist. The very fact of using an exploit means that it becomes weaker, so they are generally only used on high-profile targets who are worth the risk.
Carrying out such attacks is also hard work, and they cannot be implemented en masse. Phones are usually broken into with a suspect link or file, for instance, which must be sent specifically to a user, who must then open it.
However, none of this means that those who do not consider themselves high-risk should be complacent, and security experts urge users to install updates as soon as they are available.
“While the vulnerability could allow threat actors to take full control of a device, [users should] stay calm and simply get control of your devices and download the software updates available from Apple,” said Sam Curry, chief security officer at Cybereason. “Do that and move on.”