SecureMac, Inc.

Checklist 241: Updating Apple Gear (Again) and (Still) Following Pegasus

July 29, 2021

We’ll discuss an update on the Pegasus spyware story, an updates update, and AirDrop security concerns.

Checklist 241: Updating Apple Gear (Again) and (Still) Following Pegasus

On this edition of The Checklist, we’ll talk:

Pegasus on Israel’s radar

Last week, we talked about Pegasus spyware. The commercially available spyware tool, made by Israeli cybersecurity firm NSO Group, is sold to law enforcement agencies and governments around the world. Pegasus is sophisticated mobile malware, capable of running on both Android and iOS. And if your phone is infected with the spyware, it’s “game over” for privacy.

NSO Group says that its tools are only used to fight crime and terrorism. But critics contend that the company sells its spyware to repressive regimes — regimes that use Pegasus to spy on human rights activists, journalists, opposition politicians, and more.

But now it seems that the critics’ charges have been substantiated, at least according to a recent joint-exposé from The Guardian and over a dozen other media organizations. Journalists and security experts analyzed leaked data and infected devices, and found that Pegasus spyware was being used to target thousands of individuals in the aforementioned groups — not just terrorists and criminals as NSO Group had claimed.

This week, according to a report from Apple Insider, NSO Group is coming under scrutiny — and not just from digital privacy watchdogs. Officials from several Israeli government agencies paid a visit to NSO Group’s offices in order to investigate the company’s activities. Israeli media outlets report that the officials included members of “the foreign ministry, justice ministry, Mossad and military intelligence”. Executives from NSO Group have confirmed the investigation. 

NSO Group maintains that it merely sells its spyware to governments, but that it has “no way to monitor what those governments do” with it. (Somewhat oddly, though, the company also says that it can detect and shut down abuses of its products).

It’s not clear yet what Israel’s investigation will find. But we’ll be sure to update you on the story as and when we have more details. Echoing what we said last week, even though Pegasus spyware isn’t a direct threat to average iOS users, a burgeoning, for-profit malware industry is something that should concern all of us.

A few more updates

Last week, Apple issued updates for all of its OSes along with patches for WebKit, Safari, and two older versions of macOS.

This week, Apple rolled out a couple of additional updates — updates that contain critical security fixes. The patches were released as macOS Big Sur 11.5.1, iOS 14.7.1, and iPadOS 14.7.1.

All of the updates contain the same security note:

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

As we’ve discussed before, when Apple says that it’s “aware of a report” of in-the-wild exploitation, it’s a good bet that it’s actually happening. That means all Mac, iPhone, and iPad users should update (again) right away.

Should you drop AirDrop?

If you’ve got an iPhone or a Mac, you’ve got AirDrop — even if you don’t use it. And that, unfortunately, could be a problem.

AirDrop is Apple’s protocol for creating ad hoc wireless connections between nearby devices (it’s somewhat similar to Bluetooth in that respect). AirDrop is meant to be a way to quickly and easily transfer files to other devices. 

All well and good, and undoubtedly convenient if you need to share something with a friend who’s sitting next to you. But as some unfortunate airline passengers discovered last week, AirDrop has a potential downside — and it’s a big one.

A teenager on a United Airlines flight used AirDrop to send a photo of a gun to other passengers. The plane was still on the runway, and the image turned out to be a photo of a toy pellet gun. Nevertheless, the incident caused enough of a panic to result in an evacuation of the plane and a complete re-screening of everyone on board. 

It’s easy to write this off as just a dumb adolescent prank gone wrong — but it does raise some important security questions about AirDrop. And the biggest of these is: How was this kid able to send a bunch of strangers his file? 

As it turns out, AirDrop has several settings. It can be turned off completely. It can be set to receive files from contacts only. And, as everyone aboard United Airlines 2167 discovered, it can also be set up to receive files from anyone — even people you don’t know.

In practical terms, this means that if you have AirDrop turned on and set to Everyone, your device is going to be constantly looking around to “shake hands” with all other nearby devices. 

If that worries you, you’re not alone — it worries us too! We’d recommend leaving AirDrop open to Contacts only … that is, assuming that you use AirDrop at all. If you don’t use the feature, or if you use it very infrequently, it might be best to disable it altogether and only turn it on when you need it.

To view your current AirDrop settings, head to Settings > General > AirDrop. There you’ll see your options, listed as Receiving Off, Contacts Only, and Everyone.  

That’s all for this Checklist, but if you’d like to go on learning about security and privacy before our next show, check out our archives. We have full audio and notes for every episode of the podcast we’ve ever recorded. If you have a question that you’d like to see answered on a future Checklist, please write to us and ask! 

Get the latest security news and deals