Apple has released emergency patches for security vulnerabilities in iPhones, Macs, and Apple Watches. The vulnerabilities were being exploited to deliver Pegasus, the spyware that NSO Group sells to national governments.
Citizen Lab researchers, who discovered the exploit, found evidence of it on a phone belonging to an employee of a Washington-based civil society group with international offices. Over the past couple of years, Citizen Lab at the University of Toronto has uncovered numerous Pegasus infections and delivery methods, forcing NSO to change its techniques repeatedly, and Citizen Lab has been working more closely with Apple than before.
When this vulnerability was identified, Apple moved quickly to release a patch. According to John Scott-Railton of Citizen Lab, Apple has significantly stepped up its patching and threat-detection efforts.
The vulnerability Citizen Lab found on the phone requires no interaction from the target at all: the victim does not have to open a message, tap a link, or view an attachment. This is what researchers call a zero-click exploit. In its alert, Citizen Lab named the chain "BLASTPASS" and wrote: "The exploit chain had the ability to compromise iPhones running the version of iOS (16.6) without requiring any interaction from the user."
Bill Marczak from Citizen Lab referred to this exploit as being "virtually invisible."
Apple's advisory describes two vulnerabilities.
The first is in ImageIO, the Apple framework that apps use to read and write image file formats. According to Apple, "processing a crafted image could lead to the execution of arbitrary code."
The second is in the Wallet app. Apple stated, "A maliciously designed attachment could result in the execution of arbitrary code." This zero-day was discovered by Apple itself, and it is rare for Apple to publicly credit its own researchers for such a find, as Maddie Stone, a security researcher with Google's Threat Analysis Group, noted. Together the two bugs form the chain: a crafted attachment handled by Wallet carries an image that triggers the ImageIO flaw.
For both vulnerabilities, Apple said it is aware of a report that the issue may have been actively exploited.
To close these holes, Citizen Lab and other security professionals strongly advise users of Apple devices to install the updates immediately.
For likely targets there is a further step: Citizen Lab reported, and Apple confirmed, that Lockdown Mode, a feature Apple already ships, blocks this particular attack.
Lockdown Mode was introduced last year to cut off attack techniques commonly used against iPhones. Among other restrictions, it blocks most message attachment types and link previews in Messages, which is why an attachment-borne chain like this one cannot reach the vulnerable code.
According to Marczak, Lockdown Mode is a measure NSO Group dislikes. He advises anyone at risk to turn it on and not think twice about it.
In response to the allegations, NSO said it could not respond to claims that were not accompanied by supporting research.
Despite increased pressure from the U.S. government and its allies, researchers continue to find vulnerabilities and infections linked to NSO Group, including infections of members of the Mexican president's team.
In March, President Biden signed an executive order restricting the U.S. government's use of commercial spyware, a step that was widely welcomed. The order bars U.S. agencies from operational use of spyware that poses a risk to national security or counterintelligence, or that a foreign government has used to violate human rights or to target Americans.
That same month, the White House secured a joint statement from several allied governments committing to counter the spread and misuse of commercial spyware.