Apple issued security patches to resolve vulnerabilities on devices that would have allowed hackers to infect targets with spyware even when users do not click on anything.
The security update is aimed at “iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later,” Apple said on Thursday. The patches are delivered in iOS 16.6.1 and iPadOS 16.6.1. The security threat arises when an affected device processes a “maliciously crafted” image, which can lead to arbitrary execution of harmful code. “Apple is aware of a report that this issue may have been actively exploited,” the company said.
The security patches have been integrated into Apple’s regular updates for iOS, macOS, iPadOS and watchOS. Users should ensure that their Apple software is up to date; beyond installing the update, they do not need to do anything specific to counter the threat.
The security issue, a so-called zero-click vulnerability, was discovered recently by the academic research organization Citizen Lab while it was checking the device of an employee of a civil society organization.
A zero-click vulnerability means an attacker can gain access to a device without the user tapping or clicking on anything, such as an attachment.
“Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” the organization said in a news release.
NSO Group is an Israeli technology company founded in 2010. The firm’s Pegasus spyware can infiltrate mobile phones, harvesting users’ personal data and location. The information it can retrieve includes photos, communications, call logs, web searches, and passwords.
The software can also control the cameras and microphones without the user’s knowledge. The spyware is designed to mask its activity and avoid detection.
“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.
The exploit involved attachments that contained “malicious images” sent by the attacker to the victim. “We urge everyone to immediately update their devices,” the organization advised.
Lockdown Mode
Citizen Lab also encouraged any individual who may face “increased risk because of who they are or what they do” to enable the Lockdown Mode feature on their Apple devices to protect themselves from zero-click hacking attempts.
Lockdown Mode is an “optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats,” according to Apple.
When in Lockdown Mode, the Apple device won’t function as normal. Some apps, websites, and features will be strictly limited, while others may not be available at all. This is aimed at reducing the “attack surface” that hackers could potentially use.
When in Lockdown Mode, the following are blocked: most message attachment types, certain complex web technologies, incoming FaceTime calls, and incoming invitations for Apple services. Shared albums are removed from the Photos app.
To enable Lockdown Mode on iPhones or iPads, users need to open the Settings app, tap “Privacy & Security,” tap the “Lockdown Mode” option under security, tap “Turn On Lockdown Mode,” tap “Turn On & Restart,” and finally enter the device passcode.
“When Lockdown Mode is enabled, you might receive notifications when an app or feature is limited, and a banner in Safari indicates that Lockdown Mode is on.”
In April, Citizen Lab released a report that analyzed three attacks on Apple devices. One of the attacks was blocked by Lockdown Mode.
“The fact that Lockdown Mode seems to have thwarted, and even notified targets of a real-world zero-click attack shows that it is a powerful mitigation, and is a cause for great optimism,” Bill Marczak, a senior researcher at Citizen Lab and one of the authors of the report, told TechCrunch.
The Spyware
Pegasus, the spyware that infected Apple devices in the recent zero-click attacks, has faced criticism from around the globe for its spying activities.
In 2021, the U.S. Department of Commerce added NSO Group to its “entity list,” a trade restriction list.
NSO and another company were added to the list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” the department said in a statement at the time.
“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists, and activists outside of their sovereign borders to silence dissent.”