CISA, the United States' Cybersecurity and Infrastructure Security Agency, has ordered federal agencies to patch their iPhones against vulnerabilities that can be used in a zero-click attack to install spyware from the notorious NSO Group.
A zero-click attack is one that requires no interaction from the user. Often a malicious hacker needs the user to open an attached file, or visit a dangerous web link, in order to trigger an attack. With a zero-click attack, the user doesn't have to do anything.
In this particular instance, the attack, which the researchers at Citizen Lab have named BLASTPASS, involves maliciously crafted PassKit attachments containing images, sent from an attacker's iMessage account to the intended victim. Full details have not yet been released, but it appears that fully patched iPhones running iOS 16.6 are vulnerable to a buffer overflow when processing the booby-trapped images, and that this can be combined with a validation flaw to gain arbitrary code execution on targeted Apple devices.
NSO Group is the Israeli "cyberwarfare" firm behind the Pegasus spyware, which is marketed to governments and law enforcement agencies for online operations against criminals and terrorists. In the past, Pegasus has been used to spy on well-known figures such as Amazon founder Jeff Bezos, as well as human rights activists, journalists and lawyers.
Once in place, the Pegasus spyware can spy on
Apple has released emergency security updates for the flaws in macOS, iOS, iPadOS, and watchOS that are used in the BLASTPASS exploit chain. As Bleeping Computer reports, Citizen Lab has warned Apple customers to apply the updates immediately, and to consider turning on Lockdown Mode if they suspect they are particularly likely to be targeted by sophisticated hackers. CISA has added the flaws to its catalog of known exploited vulnerabilities, saying that they pose "significant risks to the federal enterprise", and has ordered all federal agencies to patch against them by October 2nd, 2023.
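For defenders who track CISA's known exploited vulnerabilities (KEV) catalog and its remediation deadlines, the following is an added example (not from the article, Citizen Lab, Apple or CISA) of checking a KEV-style feed for vendor entries whose due date has passed. It assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dueDate and so on); the records embedded below are constructed sample data with placeholder CVE identifiers, not the BLASTPASS entries.

```python
"""Flag overdue CISA KEV entries for a given vendor.

Added example, not code from the article or from CISA. The record layout
follows the field names of CISA's public KEV JSON feed; the entries below
are CONSTRUCTED sample data with placeholder CVE ids.
"""
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" list.
# The due date mirrors the October 2nd, 2023 deadline cited in the article;
# the CVE ids and names are placeholders, not real identifiers.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Apple",
         "product": "Multiple Products",
         "vulnerabilityName": "Placeholder image-processing buffer overflow",
         "dateAdded": "2023-09-11", "dueDate": "2023-10-02"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Apple",
         "product": "Multiple Products",
         "vulnerabilityName": "Placeholder validation flaw",
         "dateAdded": "2023-09-11", "dueDate": "2023-10-02"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Placeholder Router",
         "vulnerabilityName": "Unrelated placeholder entry",
         "dateAdded": "2023-09-01", "dueDate": "2023-09-22"},
    ]
}


def parse_iso(day_str):
    """KEV dates are ISO 8601 calendar dates (YYYY-MM-DD)."""
    return date.fromisoformat(day_str)


def entries_for_vendor(kev, vendor):
    """All catalog entries whose vendorProject matches `vendor` (case-insensitive)."""
    return [v for v in kev["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()]


def days_remaining(entry, today):
    """Days until the remediation deadline; negative once the deadline has passed."""
    return (parse_iso(entry["dueDate"]) - today).days


def overdue(kev, today, vendor=None):
    """Entries whose dueDate is strictly before `today`, optionally for one vendor.

    Returns the CVE ids in catalog order so the result is easy to assert on
    or to feed into a ticketing system.
    """
    pool = entries_for_vendor(kev, vendor) if vendor else kev["vulnerabilities"]
    return [v["cveID"] for v in pool if days_remaining(v, today) < 0]


def due_report(kev, vendor, today):
    """Human-readable status line per entry for the named vendor."""
    lines = []
    for v in entries_for_vendor(kev, vendor):
        left = days_remaining(v, today)
        status = "OVERDUE" if left < 0 else f"{left} day(s) left"
        lines.append(f"{v['cveID']} ({v['product']}): due {v['dueDate']} - {status}")
    return lines


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; in practice the
    # feed would be loaded from CISA's published KEV JSON.
    as_of = date(2023, 9, 25)
    for line in due_report(SAMPLE_KEV, "Apple", as_of):
        print(line)
    print("Overdue as of", as_of, ":", overdue(SAMPLE_KEV, as_of))
```

The report is deliberately computed against an explicit `as_of` date rather than `date.today()`, so that a run can be replayed against a historical deadline, such as the October 2nd, 2023 date the article cites, and produce the same answer every time.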
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.