NSO Group appeared to be on the ropes after the publication of the “Pegasus Project” reports in late 2021, which led to a subsequent patch of a zero-click iMessage exploit that its Pegasus spyware relied on to compromise iPhones. NSO appears to have unearthed more zero-days in the interim, however, and Apple has recently announced the patching of another iMessage vulnerability that involved exploitation of image attachments.
Like the prior method used by the Pegasus spyware to attack iOS devices, the new chain of zero-days could be exploited without the victim interacting with anything. They would merely need to be sent malicious image attachments via iMessage. University of Toronto cybersecurity and privacy research group Citizen Lab discovered and disclosed the “BLASTPASS” chain of zero-days in early September after investigating the phone of an employee at a Washington DC-based NGO.
Pegasus spyware returns with a new zero-click targeting iOS
Citizen Lab reports that the new Pegasus spyware zero-click impacts the most recent version of iOS (16.6) and likely prior versions dating back to the iPhone 8. As the moniker suggests, BLASTPASS functions essentially as a rogue wallet pass attachment with malicious images added to it. As with the prior Pegasus attack vector, victims only need to receive this via iMessage to be compromised; they do not need to open the message or interact with it.
Citizen Lab privately disclosed the zero-days to Apple prior to public disclosure, and Apple has patched the issue with iOS 16.6.1 (released roughly a week ago). Citizen Lab says that Apple’s engineering team has verified that Lockdown Mode also nullifies the attack, though this mode put serious limitations on messaging, FaceTime, direct connections to other devices, and more. macOS Ventura 13.5.2 and watchOS 9.6.2 also contain related security updates.
Citizen Lab has promised a forthcoming detailed report on the chain of zero-days, but for now has revealed that the Image I/O and Wallet frameworks are targeted by the zero-click attack. Apple has documented these as CVE-2023-41064 and CVE-2023-41061. The research group has also not yet provided details on the attribution of the attacks to NSO other than that the exploits apparently install other known elements of Pegasus spyware on devices once they are compromised.
Zero-days continue to sneak through BlastDoor sandbox
The other element of the zero-click attack’s moniker refers to Apple’s BlastDoor sandbox inspection system for incoming messages, a security feature introduced in early 2021 in direct response to the initial reports of Pegasus spyware targeting Al-Jazeera reporters. Debuting in iOS 14, BlastDoor was meant to address the seemingly ongoing issue of iMessage’s automatic processing of message attachments being leveraged for the development of zero-days.
The track record thus far is not yet perfect. Though not all relate to iMessage, Apple has issued patches for 13 new zero-days in 2023 prior to the 16.6.1 update to address BLASTPASS. The first big issue with it was a second zero-click from the Pegasus spyware (“ForcedEntry”) appearing just months after it debuted in early 2021. Given that it seems to be the primary attack vector, this has driven some iPhone users to turn off iMessage or even deregister their number from the service entirely. In addition to turning to third-party encrypted messaging apps, SMS remains an option for text messages when iMessage is disabled, though it does not feature automatic encryption and has its own collection of security issues.
John Gallagher, Vice President of Viakoo Labs at Viakoo, advises that Lockdown Mode is really only a necessary step for people that expect to be specific targets of nation-state spying: “That Apple did not push this out using their Rapid Security Response feature is another indication that it is not impacting most people. Patching is always a best practice, but as the threat actors are focused on leveraging zero day exploits to plant spyware the use of Lockdown Mode may be the safest approach.”
Apple’s bug bounty program has also been criticized for offering too little to deter researchers from selling zero-days off to the highest bidder. Zero-days can sell for millions of dollars on the black market, and a zero-click that exploits the latest iOS would likely go for closer to 10 million. It is unknown if NSO Group purchases zero-days for its Pegasus spyware or develops all of them in-house, but world governments with very deep pockets are usually among the biggest bidders for the juiciest zero-click exploits. Contrast that to Apple’s bug bounty program, which only offers a maximum payment of $100,000 unless the issue involves Lockdown Mode or a beta product.
Georgia Weidman, Security Architect at Zimperium, notes that NSO is also far from the only player in the “commercial spyware” space: “When we talk about nation state adversaries, NSO is one of the companies that sells exploits to the nation states. It’s no surprise that they have more, and it will be no surprise that they will have more in the future. The good news about offensive cybersecurity companies is that they treat their exploits as their crown jewels and do not allow them to be widely used and only use them in a targeted fashion. When they slip up and we find out about them, vendors patch, they use their backup set up exploits and we continue the arms race. While there is the case with NSO in particular, there are other groups that are less economically motivated and more interested in creating chaos and disruption. Because the NSO Groups customers are nation states they can afford to hoard exploits that might otherwise net them a million-dollar bug bounty.”
Pegasus spyware has been banned in numerous countries due to a preponderance of use by repressive governments in surveilling journalists, activists and dissidents. The Biden administration banned the US government from using it in March of this year, though a New York Times report indicates that the CIA and FBI were prior customers as of early 2021 (and the FBI admitted it purchased a newer version in 2022, which it said was for internal research rather than field use). Though the NSO Group is not tied to the Israeli government, Israel dictates what countries it may be sold to via its export license system and has been accused of using access to it as a reward for voting with the country’s interests at the United Nations.