Last week, Citizen Lab discovered an actively exploited zero-click vulnerability while examining the device of an individual employed by a civil society organization based in Washington DC, which also operates internationally. This vulnerability was being utilized to deploy NSO Group's Pegasus mercenary spyware.
The Exploit Chain: BLASTPASS
Citizen Lab dubbed this exploit chain BLASTPASS. It was capable of compromising iPhones running the latest iOS version (16.6) without requiring any action from the victim. The exploit worked through PassKit attachments containing malicious images, sent from an attacker's iMessage account to the victim.
Citizen Lab said they plan to release a more comprehensive analysis of the exploit chain in due course.
Disclosure to Apple & CVEs
Citizen Lab promptly shared their findings with Apple and assisted in Apple's investigation. Subsequently, Apple issued two CVEs pertaining to this exploit chain (CVE-2023-41064 and CVE-2023-41061).
Update Apple Devices Immediately
We strongly advise everyone to promptly update their devices. For those who may face heightened risk due to their identities or activities, we recommend enabling Lockdown Mode. According to both our assessment and confirmation from Apple’s Security Engineering and Architecture team, Lockdown Mode effectively thwarts this specific attack.
We commend Apple for their swift investigative response and patch implementation, and we extend our appreciation to the victim and their organization for their cooperation and support.
Highly Targeted Civil Society: A Cybersecurity Early Warning System
This recent discovery underscores once again that civil society remains a prime target for exceptionally sophisticated exploits and mercenary spyware. Apple’s update will safeguard devices belonging to everyday users, corporations, and governments worldwide. The BLASTPASS revelation emphasizes the immense value, in terms of collective cybersecurity, in championing civil society organizations.