New iPhone Zero-Click, Zero-Day Exploit 2023: What You Need to Know


Introduction

If you own an iPhone, update it as soon as possible. A zero-click, zero-day exploit chain has been discovered that lets an attacker remotely install spyware on a device without any interaction from its owner. The chain, dubbed BLASTPASS by researchers at Citizen Lab [1], was used to deliver NSO Group's Pegasus spyware onto a fully patched iPhone running the then-current iOS 16.6 [2]. Pegasus is a commercial spyware that can read messages, listen to calls, collect photos, and switch on the camera and microphone of an infected device [3]. In this blog post, we explain what the exploit is, how it works, who is behind it, who is affected by it, how to protect yourself, and what Apple has done to fix it.

What is the exploit and how does it work?

The exploit is delivered as a PassKit attachment sent over iMessage [4]. PassKit is the framework behind Apple Pay and Wallet that lets users store digital passes such as boarding passes, coupons and tickets; a pass (a .pkpass file) is a signed bundle containing a JSON description of the pass, its images, and optional localizations [5]. The chain abuses two vulnerabilities in iOS: a buffer overflow in ImageIO, the system image-decoding framework (CVE-2023-41064), and a validation issue in Wallet (CVE-2023-41061) [6]. Apple describes the first as allowing arbitrary code execution when a maliciously crafted image is processed, and the second as allowing arbitrary code execution from a maliciously crafted attachment. Because iMessage hands pass attachments to Wallet for processing automatically, the Wallet validation flaw lets the attacker's pass bundle be parsed before the victim taps anything; the crafted image inside the bundle then reaches ImageIO, the overflow fires, and the attacker gains code execution from which Pegasus is installed, with no prompt or notification to the user. One caveat the Apple-only framing hides: the ImageIO overflow was in WebP decoding, and the same libwebp bug was subsequently tracked by Google as CVE-2023-4863 and patched in Chrome and many other products that bundle that library.
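To make the pass structure concrete, here is an added example (not code from the original post, Citizen Lab, or Apple) that builds a constructed .pkpass bundle in memory and runs the two checks a defender can do offline on a suspicious pass: that manifest.json lists every file with a matching SHA-1, which is how Apple's pass format ties the bundle to its signature, and that each image's real container type (sniffed from magic bytes, the way a decoder such as ImageIO chooses a codec) matches its file extension. The pass type identifier, serial number and the two-byte signature placeholder are made-up sample values; the script does not verify the PKCS#7 signature and does not detect BLASTPASS or any specific exploit. Its point is that a pass whose hashes all check out can still carry a WebP image under a .png name, because the decoder trusts bytes, not names.

```python
"""Structural triage of a PassKit (.pkpass) bundle.

Added example, not code from the original post, Citizen Lab or Apple.
Checks manifest integrity and image type vs. extension; nothing more.
"""
import hashlib
import io
import json
import zipfile

# Leading bytes a decoder keys on; the file name plays no part in that choice.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def sniff_image_type(data: bytes) -> str:
    """Return the image container type implied by the leading bytes."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # RIFF....WEBP header
        return "webp"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_pkpass(blob: bytes) -> dict:
    """Inspect a .pkpass zip (bytes) and return findings as a dict."""
    findings = {
        "manifest_ok": True,   # every file listed, every SHA-1 matches
        "missing": [],         # files present but absent from manifest.json
        "mismatched": [],      # files whose SHA-1 differs from the manifest
        "type_mismatch": {},   # image name -> sniffed type, when != extension
        "has_signature": False,
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        findings["has_signature"] = "signature" in names
        manifest = json.loads(zf.read("manifest.json"))
        # manifest.json hashes everything except itself and the signature.
        for name in sorted(names - {"manifest.json", "signature"}):
            data = zf.read(name)
            expected = manifest.get(name)
            if expected is None:
                findings["missing"].append(name)
                findings["manifest_ok"] = False
            elif hashlib.sha1(data).hexdigest() != expected:
                findings["mismatched"].append(name)
                findings["manifest_ok"] = False
            ext = name.rsplit(".", 1)[-1].lower()
            if ext in ("png", "jpg", "jpeg", "gif"):
                actual = sniff_image_type(data)
                if actual != ("jpeg" if ext == "jpg" else ext):
                    findings["type_mismatch"][name] = actual
    return findings


def build_sample_pass(disguise_webp: bool) -> bytes:
    """Construct a minimal pass in memory. Sample data, not a real pass."""
    files = {
        "pass.json": json.dumps({
            "formatVersion": 1,
            "passTypeIdentifier": "pass.example.demo",  # made-up identifier
            "serialNumber": "0001",
            "description": "demo",
        }).encode(),
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # truncated PNG header
    }
    if disguise_webp:
        # A WebP container under a .png name: hashes will still match.
        files["logo.png"] = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBPVP8L" + b"\x00" * 8
    manifest = {n: hashlib.sha1(d).hexdigest() for n, d in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
        zf.writestr("manifest.json", json.dumps(manifest))
        # Placeholder bytes; a real pass carries a PKCS#7 detached signature
        # over manifest.json here, which this example does not verify.
        zf.writestr("signature", b"\x30\x82")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_pkpass(build_sample_pass(disguise_webp=False)))
    print(triage_pkpass(build_sample_pass(disguise_webp=True)))
```

Run it and the second pass reports `manifest_ok: True` alongside `type_mismatch: {'logo.png': 'webp'}`: integrity of the bundle says nothing about the safety of what the image decoder will be asked to parse, which is exactly the gap a crafted image in an otherwise well-formed pass exploits.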

Who is behind the exploit and what is their motive?

The exploit was used to deliver Pegasus spyware, which is developed by NSO Group, an Israeli company that sells exploits and spyware to government customers. NSO Group says its products are used only for lawful purposes such as fighting terrorism and crime. However, repeated investigations have found Pegasus on the phones of journalists, activists, dissidents, human rights defenders, and even heads of state. The victim in this case was an employee of a Washington DC-based civil society organization with international offices [1]. Citizen Lab did not name the government operator behind the attack, so the motive is unknown; the organization's work on human rights is a plausible reason, but that is speculation.

Who is affected by the exploit and how can they protect themselves?

The chain worked against iPhones running any iOS 16 release up to and including 16.6, which was the current version when it was found, so every iPhone that had not yet received the fix was exploitable. Apple shipped the same fixes for iPadOS, macOS Ventura and watchOS, and later for older devices still on iOS 15. In practice, exploits of this cost are not spent on ordinary users; they are aimed at high-value targets such as journalists, activists, dissidents and human rights defenders. If you belong to one of these groups, or suspect that a government or other well-resourced adversary has an interest in you, take the following precautions:

  • Update your iPhone to iOS 16.6.1 or later as soon as possible. That release fixes both vulnerabilities. Updating closes the door but is not a forensic check: it will not tell you whether the device was already compromised. If you suspect it was, have it examined, for example with Amnesty International's open-source Mobile Verification Toolkit (MVT) run against the indicators Citizen Lab and Amnesty publish.
  • Enable Lockdown Mode. Citizen Lab said, and Apple's security engineering team confirmed to them, that Lockdown Mode blocks this particular attack. Lockdown Mode is an optional high-security setting intended for people at elevated risk. It blocks most iMessage attachment types other than certain images, video and audio, disables link previews, blocks wired connections to a computer or accessory while the phone is locked, and restricts complex web technologies in Safari; it does not disable Face ID or Touch ID. To enable it, go to Settings > Privacy & Security > Lockdown Mode, tap Turn On Lockdown Mode, and restart the phone when prompted. Expect some features and apps to stop working; that reduction in attack surface is the point.
  • Consider disabling iMessage. iMessage was the delivery channel for this chain, and turning it off (Settings > Messages, toggle off iMessage) removes that channel. Be aware of the trade-offs: texts then fall back to SMS/MMS, which are not encrypted, and no messaging app is immune to an attacker of this class. End-to-end encrypted apps such as Signal or WhatsApp are a reasonable replacement for conversations, but NSO Group has used a WhatsApp vulnerability to deliver Pegasus before, in 2019, so switching apps is not a substitute for keeping the device patched and, if you are at risk, running Lockdown Mode.

What is Apple doing to fix the exploit and prevent future attacks?

Apple issued a security update for iPhones to address the chain. The update, iOS 16.6.1, was released on September 7, 2023, the same day Citizen Lab published its findings and about a week after it reported the chain to Apple. Apple assigned a CVE to each of the two vulnerabilities and credited Citizen Lab for reporting both [6]. Citizen Lab, for its part, commended Apple for its rapid investigative response and patch cycle, and thanked the victim and their organization for their collaboration. Apple continues to state that it works with researchers and civil society organizations to find and fix vulnerabilities in its products, and Lockdown Mode is the concrete product of that work for users who face this kind of targeting.

Conclusion

BLASTPASS, the NSO Group zero-click, zero-day iPhone exploit chain of 2023, is a serious threat to the security and privacy of the people it is aimed at. It delivered Pegasus, which can read messages, listen to calls, collect photos, and switch on the camera and microphone of an infected device. Every iPhone running an iOS 16 release up to 16.6 was exploitable, although the chain was used against a narrow set of high-value targets such as journalists, activists, dissidents and human rights defenders rather than the general public. To protect yourself, update to iOS 16.6.1 or later, enable Lockdown Mode if you are at elevated risk, and consider turning off iMessage, keeping in mind that no messaging app is immune to this class of attacker. Apple has shipped the fix and credited Citizen Lab for the discovery, and Citizen Lab in turn commended Apple for its rapid investigation and patch cycle.

We hope this blog post has helped you understand the NSO Group iPhone zero-click, zero-day exploit 2023 and how to protect yourself from it. If you have any questions or feedback, please leave a comment below or contact us at [email protected]. Thank you for reading! 😊