Apple released security updates on Thursday that patch two zero-day vulnerabilities (that is, flaws that were unknown to Apple while they were already being exploited) used against a member of a civil society organization in Washington, D.C., according to the researchers who discovered them.
Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week it found a zero-click vulnerability, meaning the target doesn't have to touch or click anything, such as an attachment, being used to infect victims with malware. The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group's spyware, known as Pegasus.
“The exploit chain was able to compromise iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab wrote.
Once the researchers found the vulnerability, they reported it to Apple, which released a patch on Thursday and credited Citizen Lab for the report.
Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched a second vulnerability whose discovery it attributed to itself, it appears that Apple found the second vulnerability while investigating the first.
When reached for comment, Apple spokesperson Scott Radcliffe declined to comment and referred RockedBuzz to the notes in the security update.
Citizen Lab said it named the exploit chain BLASTPASS because it involved PassKit, a framework that allows developers to include Apple Pay in their apps.
"Once again, civil society is serving as a cybersecurity early warning system for… billions of devices around the world," John Scott-Railton, senior researcher at Citizen Lab, wrote on Twitter.
Citizen Lab recommends all iPhone users update their phones.
Scott-Railton also said that he and his colleagues, as well as Apple's security architecture and engineering team, believe that Lockdown Mode, an opt-in setting that hardens some features and disables others to reduce the attack surface exposed to targeted attacks, would have blocked the exploits found in this case.
NSO did not immediately respond to a request for comment.
UPDATE, Friday, September 8, 10:26 a.m. ET: This story has been updated to add the paragraph on lockdown mode.