If you own any Apple hardware, it’s time for a quick software update. Researchers at The Citizen Lab have discovered a zero-day exploit that allows hackers to install malware on an iPhone without any interaction from the victim. This exploit has already been used to distribute NSO Group’s Pegasus spyware. To address the vulnerability, Apple is pushing security updates to the iPhone, Mac, iPad, and Apple Watch.
This particular “exploit chain” takes advantage of Apple’s PassKit API. As such, The Citizen Lab refers to it as “BLASTPASS,” though it’s registered under CVE-2023-41064 and CVE-2023-41061. While the dirty details of BLASTPASS are unknown, The Citizen Lab confirms that it’s a zero-click exploit — malicious images are sent to a victim through iMessage, and without any interaction, the images install malware on the victim’s iPhone.
The Citizen Lab discovered BLASTPASS while investigating the origin of Pegasus spyware on a “Washington DC-based civil society organization” worker’s device. As you may know, Pegasus is a mercenary spyware developed by the Israel-based NSO Group and sold to government organizations. It’s described as an anti-terrorism or wartime tool, though it’s regularly used to target dissidents, journalists, activists, politicians, and other people of interest. Apple has repeatedly criticized (and even sued) NSO Group for selling this spyware, and it created a Lockdown Mode to protect potential victims from Pegasus on iPhone, Mac, iPad, and Apple Watch. (In conversation with The Citizen Lab, Apple claims that BLASTPASS cannot get around Lockdown Mode.)
Ordinary people shouldn’t worry too much about Pegasus spyware—it’s only been used to target the “enemies” of certain governments. And, for the record, Lockdown Mode makes your devices near-useless and shouldn’t be used outside of extreme circumstances. But the BLASTPASS exploit is concerning, as it may be used by small-time hackers to distribute any form of malware. Updating your Apple devices will patch BLASTPASS and protect you from this zero-click exploit.
At the time of writing, this patch is only available on current-gen Apple firmware releases (iOS 16, macOS 13, etc). The update versions are as follows—iOS 16.6.1, macOS 13.5.2, iPadOS 16.6.1, and watchOS 9.6.2—if your Apple devices do not prompt you to update, you must trigger a manual update by entering Settings, clicking “General,” and selecting “Software Update.”
Source: The Citizen Lab via Ars Technica