Apple has released emergency security updates for its devices to fix two critical vulnerabilities that were being exploited by the notorious Pegasus spyware. The spyware, developed by the Israeli company NSO Group, can infect iPhones and other devices without any user interaction and give hackers access to personal data, messages, location, and more.
How the Zero-Days Were Discovered
The zero-day flaws were discovered by Citizen Lab, an internet watchdog group based at the University of Toronto’s Munk School. Citizen Lab was analyzing the iPhone of an anonymous activist who works for a Washington D.C.-based civil society organization with international offices. They found that the activist’s phone was compromised by a zero-click exploit chain that they named BLASTPASS.
BLASTPASS involved sending malicious images through iMessage that exploited a validation issue in Wallet (CVE-2023-41061) and a buffer overflow issue in Image I/O (CVE-2023-41064). These issues allowed arbitrary code execution on the target device and enabled the installation of Pegasus spyware. Citizen Lab said that the exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.
Citizen Lab immediately reported its findings to Apple and assisted in Apple’s investigation. Apple acknowledged Citizen Lab’s assistance and issued security updates for iOS, iPadOS, macOS, and watchOS on Thursday. Apple also advised users to update their devices as soon as possible to protect themselves from potential attacks.
What is Pegasus Spyware and Who is Behind It
Pegasus is a sophisticated spyware tool that can stealthily infect devices and give hackers full control over them. It can access contacts, messages, emails, photos, videos, audio recordings, location, microphone, camera, and more. It can also evade detection by antivirus software and self-destruct if needed.
Pegasus is developed by NSO Group, a private Israeli company that sells cyberweapons to governments and law enforcement agencies around the world. NSO Group claims that its products are only used for legitimate purposes such as fighting terrorism and crime. However, several investigations have revealed that Pegasus has been used to target journalists, activists, dissidents, human rights defenders, lawyers, politicians, and other prominent figures in various countries.
In July 2023, a global media consortium published a series of reports based on a leaked list of more than 50,000 phone numbers that were allegedly selected for surveillance by NSO Group’s clients. The reports exposed how Pegasus was used to spy on journalists from CNN, Al Jazeera, The New York Times, The Wall Street Journal, and other outlets; activists from India, Mexico, Morocco, and elsewhere; and even heads of state such as French President Emmanuel Macron and Pakistani Prime Minister Imran Khan.
NSO Group has denied any wrongdoing and said that the leaked list was not related to its customers or Pegasus. It also said that it has no visibility into how its clients use its technology and that it follows strict human rights policies and legal compliance.
Why This is a Serious Threat for Everyone
The discovery of BLASTPASS shows that Pegasus spyware continues to evolve and poses a serious threat to everyone who uses an Apple device. The zero-day vulnerabilities exploited by BLASTPASS could allow hackers to infect any iPhone or iPad without any user interaction or warning. Moreover, the exploit chain could bypass BlastDoor, a new security feature introduced by Apple in iOS 14 to prevent zero-click attacks.
This means that even users who keep their devices updated with the latest software could be vulnerable to Pegasus spyware. Therefore, it is crucial for users to install the latest security updates released by Apple as soon as possible. Users should also enable Lockdown Mode on their devices to prevent unauthorized access via USB.
Additionally, users should be aware of the signs of potential infection by Pegasus spyware. These include unusual battery drain, increased data usage, unexpected crashes or reboots, strange noises or vibrations during calls, or unknown apps or processes running on the device. Users should also be careful about what they share online and who they communicate with.
Finally, users should demand more transparency and accountability from NSO Group and its clients. They should also support the efforts of civil society organizations like Citizen Lab that expose the abuses of spyware technology and protect human rights online.