Own an iPhone or iPad that's running iOS 16 or iPadOS 16? You should manually update your software right now – Apple has just released an important security fix that could stop hackers from installing powerful spyware on your device.
The vulnerability has only just been discovered, which means Apple has rushed out a fix in the form of iOS 16.6.1 and iPadOS 16.6.1. It's wise to install these updates manually even if you have automatic updates turned on, rather than waiting for them to install overnight. To do this, go to Settings > General > Software Update on your iPhone or iPad, and tap 'download and install'.
The update is available for all iPhones from the iPhone 8 onwards, all iPad Pro models, the iPad Air 3rd generation (from 2019) and later, the iPad 5th generation (from 2017) onwards, and the iPad Mini 5th gen (from 2019) or later. The security flaw was discovered by Citizen Lab, which is a spyware research group at the University of Toronto.
This particular iOS vulnerability is so noteworthy – and important to fix – because it allowed the remote installation of the NSO Group's Pegasus mercenary spyware, which essentially allows governments to spy on citizens. As Citizen Lab explained, the exploit could do this "without any interaction from the victim".
The precise mechanics of how this happened to an employee of an international civil society organization – the incident that raised the alarm bells – aren't clear. But it involved the coding framework behind Apple Pay and Wallet being hacked with attachments containing malicious images, which were sent from the attacker's iMessage account.
Citizen Lab says that it'll publish "a more detailed discussion of the exploit chain in the future". But for now we'd recommend updating your iPhone or iPad as soon as possible. The spyware research lab also says that Apple's new Lockdown Mode, which has been designed to protect its devices against "extremely rare and highly sophisticated cyber attacks", is effective against the attack.
If you think you're particularly vulnerable to being targeted, you can turn on Lockdown Mode by going to Settings > Privacy & Security, then scrolling down to Lockdown Mode under 'Security', toggling it on, then tapping 'Turn On & Restart'. This is an extreme measure, though, and unnecessary for most people, as it'll limit apps, websites and other features on your phone.
Keeping your iPhone secure
While Apple devices continue to have a reputation for being superior to rivals in terms of cybersecurity, iOS security flaws have increasingly hit the headlines in recent years.
This led Apple to announce a new Rapid Security Response feature at WWDC 2022, which lets you download security patches as soon as they’re available and without even needing to reboot your device.
The downside is that, on rare occasions, this can also automatically update devices to flawed software patches, so it's possible to turn the feature off. To do this, go to General > Software Update > Automatic Updates, then toggle 'Security Responses & System Files' to off.
We'd still recommend keeping that feature on, though, and Apple didn't use it for these latest iOS 16.6.1 and iPadOS 16.6.1 updates. Those have been pushed out as standard system updates, but it's worth manually installing them even if you have automatic updates turned on, rather than waiting for that to happen overnight.
While the targets of these kinds of spyware attacks are naturally likely to be government officials, they can open the door to follow-up attacks from other hackers, so keeping your phone up to date is good for the health of the overall operating system.