Apple Security Update to Counter Threat Giving Hackers Access Without User Clicking

Apple issued a security patch against a newly discovered threat that can lead to devices getting hacked without the users doing anything specifically.
Apple Security Update to Counter Threat Giving Hackers Access Without User Clicking
A woman uses an iPhone mobile device as she passes a lighted Apple logo at the Apple store at Grand Central Terminal in New York on April 14, 2023. Mike Segar/Reuters
Naveen Athrappully
Updated:
0:00

Apple issued security patches to resolve vulnerabilities on devices that would have allowed hackers to infect targets with spyware even when users do not click on anything.

The security update is aimed at “iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later,” Apple said on Thursday. The patches are for iOS 16.6.1 and iPadOS 16.6.1 versions of the operating system. The security threat is related to affected devices processing “maliciously crafted” images that result in random execution of harmful code. “Apple is aware of a report that this issue may have been actively exploited,” the company said.

The security patches have been integrated into Apple’s regular updates for iOS, macOS, iPadOS and watchOS. The user should ensure that their Apple software is updated. They do not need to do anything specifically to counter the threat.

The security issue, called zero-click vulnerability, was discovered recently by academic research organization Citizen Lab while checking the device of an employee working in a civil society organization.

When a device has zero-click vulnerability, it means the hacker can gain access to it without the user even tapping or clicking on anything, like an attachment.

“Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” the organization said in a news release.

NSO Group is an Israeli technology company founded in 2010. The firms’ Pegasus spyware can infiltrate mobile phones, harvesting personal data and location of users. Some of the information it can retrieve includes photos, communications, call logs, web searches, and passwords.

The software can also control the cameras and microphones without the user’s knowledge. The spyware is designed to mask its activity and avoid detection.

“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.

The exploit involved attachments which contained “malicious images” sent by the attacker to the victim. “We urge everyone to immediately update their devices,” the organization advised.

When Citizen Lab found the vulnerability, they informed Apple, which led to the security patch being released. “We would like to acknowledge The Citizen Lab at The University of Torontoʼs Munk School for their assistance,” Apple said in its security update.

Lockdown Mode

Citizen Lab also encouraged any individual who may face “increased risk because of who they are or what they do” to enable the Lockdown Mode feature on their Apple devices to protect themselves from zero-click vulnerability hacking attempts.

Lockdown Mode is an “optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats,” according to Apple.

A customer tests a smartphone during the launch of the new iPhone XS and XS Max sales at "re:Store" Apple reseller shop in Moscow on Sept. 28, 2018. (Tatyana Makeyeva/Reuters)
A customer tests a smartphone during the launch of the new iPhone XS and XS Max sales at "re:Store" Apple reseller shop in Moscow on Sept. 28, 2018. Tatyana Makeyeva/Reuters

When in Lockdown Mode, the Apple device won’t function as normal. Some of the apps, websites, and features will be strictly limited while other experiences may not be available at all. This is aimed at reducing the “attack surface” that could potentially be used by hackers.

When in Lockdown Mode, the following will be blocked—most message attachment types, certain complex web technologies, incoming FaceTime calls, and incoming invitations for Apple services. Shared albums are removed from the Photos app.

To enable Lockdown Mode on iPhones or iPads, users need to open the Settings app, tap “Privacy & Security,” tap the “Lockdown Mode” option under security, tap “Turn On Lockdown Mode,” tap “Turn On & Restart,” and finally enter the device passcode.

“When Lockdown Mode is enabled, you might receive notifications when an app or feature is limited, and a banner in Safari indicates that Lockdown Mode is on.”

In April, Citizen Lab released a report that analyzed three attacks on Apple devices. One of the attacks was blocked by the Lockdown Mode.

“The fact that Lockdown Mode seems to have thwarted, and even notified targets of a real-world zero-click attack shows that it is a powerful mitigation, and is a cause for great optimism,” Bill Marczak, a senior researcher at Citizen Lab and one of the authors of the report, told TechCrunch.

“But, as with any optional feature, the devil is always in the details. How many people will opt to turn on Lockdown Mode? Will attackers simply move away from exploiting Apple apps and target third-party apps, which are harder for Lockdown Mode to secure?”

The Spyware

Pegasus, the spyware which infected Apple devices in the recent zero-click vulnerability attacks, has faced criticism from around the globe for its spying activities.
A Freedom of Act Lawsuit against the FBI filed by the New York Times revealed that the agency pushed for using Pegasus hacking tools in criminal investigations in 2020 and 2021.

In 2021, the U.S. Department of Commerce added NSO Group to its “entity list,” a trade restriction list.

NSO and another company were added to the list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” the department said in a statement at the time.

“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists, and activists outside of their sovereign borders to silence dissent.”

In July 2021, The Guardian and other media outlets revealed that foreign governments had used Pegasus to surveil at least 180 journalists and other individuals around the world.
Naveen Athrappully
Naveen Athrappully
Author
Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.
Related Topics