Last week, the University of Toronto's Citizen Lab disclosed a vulnerability in iPhones that was being "actively exploited" to deliver NSO Group's Pegasus mercenary spyware, without any interaction from the victim.
Citizen Lab said it made the discovery while checking the device of an individual employed by a Washington DC-based civil society organization with international offices.
The "zero-click" exploit chain, which Citizen Lab refers to as BLASTPASS, was capable of compromising iPhones running the then-current version of iOS (16.6) and involved PassKit attachments containing malicious images sent from an attacker-controlled iMessage account to the victim.
Bill Marczak, senior researcher at Citizen Lab, told Reuters that the attacker likely made a mistake during the installation, which is how Citizen Lab found the spyware.
Citizen Lab promptly disclosed its findings to Apple, which subsequently issued patches, assigned two CVEs to the vulnerabilities used by this exploit, and urged users to update their devices immediately.
Users who face increased risk of targeted, sophisticated attacks "because of who they are and what they do" were also encouraged to enable Lockdown Mode. That feature offers extreme protection by blocking most message attachments, complex web technologies, FaceTime calls from unknown contacts, and more.
Apple’s Security Engineering and Architecture team has confirmed to Citizen Lab that Lockdown Mode blocks this particular attack as well.
"Apple's update will secure devices belonging to regular users, companies, and governments around the globe," said Citizen Lab in a release. "The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations."
However, given that the vulnerability has now been identified, and differences between the software versions have been documented, the exploits targeting this vulnerability are likely to become more widespread and may extend beyond commercial spyware use, said Ken Westin, field chief information security officer at Panther Labs.
He added, “The NSO Group has not been transparent about the targets of these exploits. In many cases, they have claimed a lack of visibility regarding their use. Regrettably, this software has been used to target innocent individuals, including journalists and dissidents, by authoritarian regimes.”
NSO, which has been blacklisted by the U.S. government since 2021 for alleged surveillance of government officials and journalists, among other abuses, said in a statement, "We are unable to respond to any allegations that do not include any supporting research."