CISA, the United States’ Cybersecurity and Infrastructure Security Agency, has issued an order for federal agencies to patch their iPhones against vulnerabilities that can be exploited by the NSO Group’s spyware through a zero-click attack.
A zero-click attack is a type of cyber attack that does not require any interaction from the user. Typically, a user is required to open a file or click on a dangerous link for an attack to be initiated. However, with a zero-click attack, the user is not required to take any action.
In this specific case, the exploit chain, which Citizen Lab researchers named BLASTPASS, delivers a maliciously crafted PassKit attachment containing an image to the target’s iPhone over iMessage. The flaws lie in how iOS processes that booby-trapped image (CVE-2023-41064, a buffer overflow in the ImageIO framework) and the Wallet attachment that carries it (CVE-2023-41061); chained together they give arbitrary code execution on a fully patched iPhone running iOS 16.6 without the target tapping or opening anything.
The NSO Group is an Israeli cyberwarfare firm known for its Pegasus spyware, which is marketed to governments and law enforcement agencies for online operations against criminals and terrorists. Pegasus has been used in the past to spy on high-profile individuals such as Jeff Bezos, human rights activists, journalists, and lawyers.
Once installed, Pegasus spyware can gain access to various forms of data on the victim’s device, including SMS messages, emails, photos and videos, contacts, WhatsApp communications, calendars, calls, chats, GPS location data, microphone, and camera.
To close these holes, Apple released emergency security updates (iOS 16.6.1 and iPadOS 16.6.1, with matching fixes for macOS Ventura and watchOS). Users are advised to apply them immediately; those at elevated risk should also consider enabling Lockdown Mode, which Apple and Citizen Lab say blocks this particular attack by restricting message attachments. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal civilian agencies under BOD 22-01 to remediate them by October 2nd, 2023.
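A KEV listing with a due date is only useful if you can tell which of your devices are still exposed. The script below is an added example written for this article, not code from CISA, Apple or Citizen Lab: it takes a record in the shape of CISA’s KEV JSON feed (a constructed sample with only the fields the script reads), a table of the minimum fixed iOS build per major branch, and a constructed device inventory with hypothetical names, and reports every device that is not known to be patched plus whether the CISA remediation date has passed. Versions are compared numerically, since a naive string compare ranks 16.10 below 16.6.1. The only branch filled in is 16.6.1; a real fleet check would add the other branches from Apple’s advisories.

```python
"""Fleet compliance check for a CISA KEV entry (added example, not CISA or Apple code)."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of CISA's KEV JSON feed; only the fields this
# example reads are included. The entry mirrors the ImageIO CVE from the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-41064",
            "vendorProject": "Apple",
            "product": "Multiple Products",
            "dateAdded": "2023-09-11",
            "dueDate": "2023-10-02",
        }
    ]
})

# Minimum fixed build per major iOS branch. 16.6.1 is the release Apple shipped
# for this issue; add other branches from Apple's advisories before relying on
# this table for a real fleet (assumption: one fixed build per branch suffices).
FIXED_BY_BRANCH: Dict[int, str] = {16: "16.6.1"}


@dataclass(frozen=True)
class Device:
    name: str
    ios_version: str


# Constructed inventory with hypothetical device names.
FLEET: List[Device] = [
    Device("ops-1", "16.6"),      # the version BLASTPASS was observed against
    Device("ops-2", "16.6.1"),    # patched
    Device("ops-3", "16.10"),     # a string compare would wrongly rank this below 16.6.1
    Device("legal-1", "15.7.9"),  # branch not in the table: needs a manual check
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.6' into (16, 6, 0) so comparisons are numeric, not lexical."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(installed: str) -> str:
    """'patched', 'unpatched', or 'unknown' when the branch is not in the table."""
    branch = parse_version(installed)[0]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "unpatched"


def kev_due_date(kev_json: str, cve_id: str) -> Optional[date]:
    """Return the KEV remediation due date for cve_id, or None if it is not listed."""
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return date.fromisoformat(entry["dueDate"])
    return None


def audit(devices: List[Device], kev_json: str, cve_id: str,
          today: date) -> List[Tuple[str, str, str, bool]]:
    """Rows of (device, version, status, overdue) for every device not known to be patched."""
    due = kev_due_date(kev_json, cve_id)
    overdue = due is not None and today > due
    report = []
    for dev in devices:
        status = patch_status(dev.ios_version)
        if status != "patched":
            report.append((dev.name, dev.ios_version, status, overdue))
    return report


def example_report(today_iso: str = "2023-10-03") -> List[Tuple[str, str, str, bool]]:
    """Run the audit over the constructed fleet as of the given date."""
    return audit(FLEET, KEV_SAMPLE, "CVE-2023-41064", date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in example_report():
        print(row)
```

Devices on a branch missing from the table are reported as "unknown" rather than silently passed, so a gap in the fix table shows up in the report instead of hiding an exposed device.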
Key Points:
– CISA has ordered federal agencies to patch their iPhones against vulnerabilities that can be exploited by NSO Group’s spyware through a zero-click attack.
– A zero-click attack is an attack that doesn’t require any user interaction.
– The attack in question, called BLASTPASS, sends a maliciously crafted PassKit attachment containing an image via iMessage to exploit fully patched iPhones running iOS 16.6.
– NSO Group is an Israeli cyberwarfare firm known for its Pegasus spyware, which has been used to spy on high-profile individuals.
– Pegasus spyware can access various forms of data on the victim’s device.
– Apple has released emergency security updates to address these vulnerabilities and users are advised to apply them immediately.
– CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog and has ordered federal agencies to patch their iPhones by October 2nd, 2023.