The infamous Pegasus spyware looked as if it might be on the way out after it started receiving high-profile media attention in 2021, with maker NSO Group reportedly struggling for funding at one point. However, it appears to have quietly regrouped with a new set of zero-click zero-days that replace the exploit it formerly used to break into iPhones with relative ease.
Despite Apple's increased attention to hardening iMessage against this kind of zero-click attack, the new Pegasus zero-days once again compromise target phones without the user clicking on or interacting with a message in any way. The new exploit chain, dubbed BLASTPASS, was uncovered by the University of Toronto's Citizen Lab research group, and Apple has since issued a patch that closes the vulnerabilities it relies on.
New zero-days from NSO compromise the most recent version of iOS with zero-click capability
Apple has been aware of the potential for iMessage to be exploited by zero-click attacks since before the prior "ForcedEntry" Pegasus exploit was uncovered, and introduced its "BlastDoor" sandbox, which isolates the parsing of incoming message content from the rest of the system, expressly for that purpose. Attackers nevertheless keep finding zero-days in a platform that prides itself on being the standard for device security.
Updating to iOS 16.6.1 cuts off the chain of zero-days that Pegasus now uses; every device that runs iOS 16, that is, the iPhone 8 and later, should be assumed vulnerable until it is updated. Those with older devices that cannot take the update may have to disable iMessage to be safe, if they have not done so already. The other option for blocking these zero-click attacks is to keep the iPhone in Lockdown Mode, which Citizen Lab reports does block this particular chain, though it reduces functionality.
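For anyone triaging a fleet rather than a single phone, the check that matters is whether each device is on a build at or above 16.6.1, and version strings must be compared numerically rather than as text (lexicographically "16.10" sorts below "16.6.1"). The following is an added example, not code from the article, Citizen Lab or Apple; the inventory rows are constructed, and the three status strings and the `triage` helper are assumptions chosen for illustration.

```python
# Added example (not from the article, Citizen Lab or Apple): classify a
# constructed device inventory against iOS 16.6.1, the first build that
# closes the BLASTPASS chain. Versions are compared as integer tuples so
# that "16.6" < "16.6.1" < "17.0" and "16.10" > "16.6.1".

from typing import List, Tuple

PATCHED_IOS = (16, 6, 1)  # first iOS build with the BLASTPASS fix

# Assumed status labels for the triage result.
STATUS_PATCHED = "patched"
STATUS_UPDATE = "on iOS 16 but below 16.6.1: install the update"
STATUS_PRE_16 = ("not on iOS 16: upgrade if the hardware supports it "
                 "(iPhone 8 or later), otherwise disable iMessage")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '16.6.1' into (16, 6, 1); a two-part '16.6' pads to (16, 6, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return (parts + (0, 0, 0))[:3]


def triage(version: str) -> str:
    """Map one device's iOS version to a remediation status."""
    v = parse_version(version)
    if v >= PATCHED_IOS:
        return STATUS_PATCHED
    if v[0] >= 16:
        return STATUS_UPDATE
    # iOS 15 or earlier: either the hardware can run iOS 16 and has not been
    # upgraded, or it cannot take iOS 16 at all and iMessage should be off.
    return STATUS_PRE_16


def triage_inventory(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (model, version, status) for every (model, version) row."""
    return [(model, version, triage(version)) for model, version in rows]


# Constructed sample inventory, not real telemetry.
INVENTORY = [
    ("iPhone 14", "16.6.1"),
    ("iPhone 13", "17.0"),
    ("iPhone 12", "16.6"),
    ("iPhone 8", "15.7.8"),
    ("iPhone 7", "15.7.8"),
]

if __name__ == "__main__":
    for model, version, status in triage_inventory(INVENTORY):
        print(f"{model:10} {version:8} {status}")
```

The script deliberately does not try to decide from the model name whether a pre-iOS-16 device can be upgraded; that is a hardware question the inventory owner can answer, and the status string leaves it to them.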
The new Pegasus exploits are not likely a general threat, as NSO Group sells only to national governments. It is supposed to have rules against selling to governments that might abuse the software for purposes other than legitimate law enforcement, but the 2021 "Pegasus Project" investigation, built on a leaked list of potential targets, revealed that it is not particularly discerning about whom it sells to, nor proactive about ensuring that the software is not abused.
Pegasus spyware seemingly cannot be kept down
The new zero-click chain leverages vulnerabilities in Apple's ImageIO and Wallet frameworks (CVE-2023-41064, a buffer overflow in image parsing, and CVE-2023-41061, a validation issue in Wallet). Citizen Lab reports that the payload arrives as a PassKit attachment containing malicious images, sent from an attacker-controlled iMessage account, and fully compromises the device on receipt, without the user interacting with the message or even opening it. The prior ForcedEntry exploit worked in a very similar way, delivering a malformed file that iMessage parsed automatically on arrival.
Apple released the iOS 16.6.1 security update that fixes BLASTPASS alongside Citizen Lab's disclosure of the zero-days, but users who are not right on top of new updates may not have installed it yet. People are unlikely to be targeted unless a particular government client of NSO has an interest in surveilling them, but they will need to update to the most recent iOS (or cut off iMessage in some way) to ensure that they cannot be compromised by the zero-click attack. The same fix is in macOS Ventura 13.5.2 and watchOS 9.6.2.