Last week, cybersecurity researchers at the University of Toronto’s Citizen Lab uncovered a critical vulnerability in iPhone devices that was being actively exploited to deliver the Pegasus spyware developed by the NSO Group. The exploit, known as BLASTPASS, allowed attackers to compromise iPhones running the latest version of iOS (16.6) without any interaction from the victim.
The researchers discovered the vulnerability while examining the device of an individual working for a civil society organization based in Washington DC. The attack involved PassKit attachments containing malicious images, sent via iMessage from the attacker’s account to the victim’s device. Citizen Lab believes the attacker made an installation mistake, and the discovery prompted the researchers to disclose their findings to Apple.
Apple swiftly responded by releasing patches and assigning two CVEs (Common Vulnerabilities and Exposures) to address the exploit. They also recommended that all users update their devices immediately. Additionally, Apple’s Lockdown Mode, which provides enhanced protection by blocking various types of potentially malicious content, including message attachments and unrecognized FaceTime calls, has been confirmed to prevent this particular attack.
According to Ken Westin, a cybersecurity expert at Panther Labs, the disclosure of this vulnerability will likely lead to more widespread exploitation, extending beyond commercial spyware use. He also expressed concerns about the lack of transparency from NSO regarding the targets of their exploits, highlighting instances where innocent individuals, including journalists and dissidents, have been targeted by authoritarian regimes using Pegasus.
NSO, which has been under scrutiny for alleged surveillance and human rights abuses, declined to respond to the allegations without supporting research. The discovery and swift response by Apple underscore the importance of supporting civil society organizations in the fight against cyber threats and the crucial role of regular software updates in maintaining device security.
– University of Toronto’s Citizen Lab