Apple Fixes Zero-Click Bugs Exploited by NSO Group's Spyware

'BlastPass' Can Compromise iPhones Running the Latest iOS Version, Researchers Say
Apple released patches Thursday to close a zero-click exploit makers of the Pegasus advanced spyware app used to infect at least one iPhone carried by an individual employed at a Washington, D.C.-based civil society organization.
Cybersecurity researchers at University of Toronto's Citizen Lab said Pegasus developer NSO Group found a way to infect phones by transmitting through iMessage an image processed by the iOS PassKit payment function. The malicious image hijacks control of Apple's BlastDoor framework for iMessage security, tweeted Citizen Lab researcher Bill Marczak. The lab calls the exploit "BlastPass."
"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," Citizen Lab wrote.
Demand by governments for mobile device espionage is fueling global growth of the commercial spyware market (see: Commercial Surveillance Industry Set for Growth, Says NCSC).
Pegasus bypasses encryption protections and is able to surreptitiously turn on a device camera and microphone while transmitting location data in real time. Its use has been tied to human rights violations - including the 2014 disappearance of 43 college students in Iguala, Mexico, The New York Times reported earlier this month. NSO Group says it limits sales of Pegasus to authorized governments for use in national security and law enforcement investigations.
Citizen Lab did not reveal additional information about the identity of the targeted civil society organization, other than to say it has offices abroad as well as in Washington, D.C.
The U.S. government in March prohibited the use of commercial spyware tools that have been used to surveil human rights activists, journalists and dissidents around the world, under an executive order signed by President Joe Biden.
Apple has taken steps to prevent commercial spyware from infecting iOS devices, including by introducing in 2022 an "extreme, optional protection" feature aimed at high-risk users that limits the functionality of their devices. Known as Lockdown Mode, the feature is effective at stopping BlastPass, Citizen Lab said.
Apple has also sued NSO Group in U.S. federal court in a bid to prevent the company from ever again accessing Apple products or services.
In 2021, the company launched the BlastDoor security feature as part of iOS 14. A Google security researcher analyzed the feature and concluded that Apple had moved "the majority of the processing of complex, untrusted data" from iMessage into the BlastDoor sandbox.
Citizen Lab said it had disclosed its findings to Apple and assisted the iPhone maker in its investigation. Apple declined to comment further on the exploit chain, but researchers at Citizen Lab said they will publish a more detailed report on the exploit chain.
The first of the two vulnerabilities, tracked as CVE-2023-41064, made Apple devices vulnerable to attack while processing a maliciously crafted image. The other vulnerability, CVE-2023-41061, allows attackers to gain arbitrary code execution privileges by exploiting a bug in the Apple Wallet function.