Citizen Lab disclosed the NSO Group zero-click, zero-day iPhone exploit just after Apple pushed emergency security updates to patch two other zero-day flaws that were being actively exploited.
Dubbed BLASTPASS by Citizen Lab, the new exploit chain involves sending malicious image files via iMessage that can remotely compromise an iPhone and install the Pegasus spyware without any action from the user. The attack works even against iPhones with iOS 16.6, which was the newest version until Apple's emergency patches last week.
As covered in our previous post, Apple recently released urgent security updates for two critical iOS zero-days that were being exploited in the wild. However, it seems spyware makers like NSO Group are always working on new iPhone hacking techniques.
"The exploit involved PassKit attachments containing malicious images sent from an attacker's iMessage account to the victim," Citizen Lab wrote. "We expect to publish a more detailed discussion of the exploit chain in the future."
According to Citizen Lab, the BLASTPASS exploit chain compromised the iPhone of a civil society organization employee even though the device had the latest iOS updates installed. Citizen Lab immediately reported the vulnerability to Apple, which issued two CVEs (CVE-2023-41064 and CVE-2023-41061) and advised all users to install new security patches.
We urge all at-risk users to consider enabling Lockdown Mode as we believe it blocks this attack.
Apple has just issued an emergency security update for Apple products including iPhones, iPads, Mac computers, and Apple Watches. We encourage all users to immediately update their devices.
Citizen Lab continues to play a critical role in warning about these dangerous iPhone and Android exploits before they can be abused at scale.
Update Apple Devices Now
Citizen Lab encourages everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode.
Also, Apple’s Security Engineering and Architecture team has acknowledged that Lockdown Mode blocks this particular attack.
All iPhone users should urgently apply the latest iOS 16.6.1 update to protect against this new attack. Apple's Lockdown Mode, which restricts some functionality, can also block this particular exploit chain, according to Citizen Lab. As spyware makers keep innovating, it is essential to keep devices up to date and exercise caution around suspicious messages and links.