Apple released security updates on Thursday that patch two zero-day exploits — meaning hacking techniques that were unknown at the time Apple found out about them — used against a member of a civil society organization in Washington, D.C., according to the researchers who found the vulnerabilities.
Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week they found a zero-click vulnerability — meaning that the hackers’ target doesn’t have to tap or click anything, such as an attachment — used to target victims with malware. The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group’s malware, known as Pegasus.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab wrote.
Once they found the vulnerability, the researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting them.
Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched another vulnerability and attributed its finding to the company itself, it appears Apple may have found the second vulnerability while investigating the first.
When reached for comment, Apple spokesperson Scott Radcliffe did not comment and referred TechCrunch to the notes in the security update.
Citizen Lab said it called the exploit chain BLASTPASS, because it involved PassKit, a framework that allows developers to include Apple Pay in their apps.
“Once more, civil society, is serving as the cybersecurity early warning system for... billions of devices around the world,” John Scott-Railton, a senior researcher at the internet watchdog Citizen Lab, wrote on Twitter.
Citizen Lab recommended all iPhone users to update their phones.
Scott-Railton also said that he and his colleagues, as well as Apple's Security Engineering and Architecture team, believe that Lockdown Mode, an opt-in mode that enhances some security features and blocks others to reduce the risk of targeted attacks, would have blocked the exploits found in this case.
NSO did not immediately respond to a request for comment.
UPDATE, Friday Sept. 8, 10:26 a.m. ET: This story was udpdated to add the paragraph about Lockdown Mode.
Do you have more information about NSO Group or another surveillance tech provider? Or information about similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.