Apple has released security updates to fix two vulnerabilities being exploited by hackers in different versions of macOS, iOS, watchOS, and iPadOS. If exploited, the vulnerabilities could lead to arbitrary malicious code execution.

These two vulnerabilities are part of an exploit chain called BLASTPASS, which is capable of compromising iPhones running on the latest iOS version (16.6) without any victim interaction. This is a zero-click vulnerability used to distribute mercenary spyware Pegasus of NSO Group.

One of the flaws (CVE-2023-41064) exists in Apple’s Image I/O framework, allowing applications to read and write most image file formats that generate buffer overflows. For this vulnerability, “processing a malicious image can lead to arbitrary malicious code execution.”

Second flaw (CVE-2023-41061) related to Apple’s Wallet feature, which allows users to store bank cards. According to Apple, a malicious attachment could lead to arbitrary code execution. The error is also fixed in iOS version 16.6.1

Both bugs affect iPhone 8 or later, all iPad Pro models, iPad Air 3rd generation or later, iPad 5th generation or later, and iPad mini 5th generation or later. Meanwhile, the bug related to CVE-2023-41061 also affects Apple Watch Series 4 and later; while the vulnerability related to CVE-2023-41064 also affects macOS Ventura. Apple has rolled out iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2, and macOS Ventura 13.5.2 to address security flaws.

To fix the security vulnerability of Apple devices, you just need to go to Settings -> General -> Software Update, and update to the latest Firmware version for your device.

Apple over the past few months has been rolling out fixes for various exploited bugs, including through an update addressing the WebKit vulnerability (CVE-2023-37450) affecting iOS, macOS, and iPadOS in November. 7 and an update addressing an integer overflow vulnerability (CVE-2023-32434) affecting watchOS, macOS, and iPadOS in June.

The hackers of the spy company NSO used an attack method Iphone without the user doing anything (zero-click) by accessing HomeKit – Apple’s feature of controlling smart devices in the home. However, this method was prevented if the user enabled Lockdown Mode – a security feature of Apple.

Who is NSO Group?

NSO Group is an Israel-based cybersecurity company that provides cybersecurity products and services to governments and security organizations worldwide.

This company was founded in 2010 and is best known for its main product, the Pegasus spyware, which is said to be able to access mobile devices and monitor all activities on these devices. The company NSO Group has been controversial because its products have been used to monitor and spy on human rights activists, journalists and political figures worldwide.

November 2019, Apple alleges NSO Group used security holes in Apple’s iOS operating system to develop and sell Pegasus to governments and security organizations around the world.

How does NSO hack iPhone with zero-click?

Attack zero-click is a type of attack that does not require the user to take any action to allow an attacker access to his or her device. Instead, attackers take advantage of vulnerabilities in software or hardware to insert malicious code or steal data without the user’s knowledge.

This is a type of attack that is very difficult to detect and prevent, as it does not leave many traces and can be performed remotely.

Some examples of zero-click attacks are:

• NSO Group’s Pegasus spyware can infiltrate iOS and Android devices via iMessage or WhatsApp, simply receiving a message without opening it – is enough to allow remote access to attackers. to your iPhone.
• A vulnerability in Apple’s Mail app allows hackers to send emails to gain access to a user’s device without the user opening the email.
• Another flaw in Apple’s FaceTime app makes it possible for hackers to call users and listen to their device’s audio before they accept the call.

According to cybersecurity experts, zero-click attacks are very dangerous and difficult to detect, as they do not require user intervention and can carry out espionage activities in secret. This makes NSO Group zero-click attacks considered one of the most dangerous espionage attacks and can have serious consequences for user privacy and security.

How to counter Zero-click with Lockdown Mode

To protect those potentially vulnerable to zero-click attacks, Apple introduced “Lockdown Mode” last year. This is a tool to limit the functions of the iPhone, while reducing the risk of a zero-click attack.

This mode is only for people who think they are at high risk of government surveillance. This tool will degrade iPhone features, including blocking most message attachments, disabling many websites, and more.

NSO and 3 zero-click attacks on iPhone

According to reports from Citizen Lab, a cyber research center of the University of Toronto, NSO Group used at least three attacks launched by NSO hack iPhone with zero-click to install the Pegasus spyware on iPhone devices running iOS 15 and 161.

This was discovered in late 2022 but Citizen Lab has kept the details secret until Apple can patch iOS to prevent attacks in time.

3 attacks include:

PWNYOURHOME

An attack that began in October 2022, combined a vulnerability in the HomeKit and iMessage apps to gain access to a user’s device. This attack can work regardless of whether the user has a smart home configured with HomeKit or not.

FINDMYPWN

This is a two-step zero-click attack, deployed against iOS 15 starting in June 2022. The first step targets the iPhone’s Find My feature, and the second step targets iMessage.

LATENTIMAGE

The attack involved the iPhone’s Find My feature.

The most common attack method is to send an iMessage message containing malicious code, then exploit vulnerabilities in other default Apple applications.

In January 2023, Apple released several security enhancements to HomeKit in the iOS 16.3

Users who have enabled Lockdown mode will receive a notification every time a malicious object tries to infiltrate their device.

Epilogue

In short, the attacks of NSO hack iPhone with zero-click is a reminder to service providers and users to increase security measures and take extra care in protecting their personal information and privacy.