Digital watchdog Citizen Lab said it identified the flaw while checking a Washington DC-based civil society organisation employee’s Apple device.
Apple has released an urgent security update that patches zero-day vulnerabilities related to Pegasus spyware.
According to researchers at Citizen Lab, a digital watchdog group based at the University of Tornoto, a newly discovered flaw in Apple devices had been exploited to infect them with Pegasus spyware related to Israeli firm NSO.
The “zero-click” vulnerability, which means that users do not need to click on a link or do anything to have the spyware installed on their iPhones or iPads, was identified last week while checking a Washington DC-based civil society organisation employee’s device.
Referring to the exploit as Blastpass, Citizen Lab said that the exploit chain was capable of compromising iPhones running the latest version of iOS (16.6 at the time). Now, Apple has fixed the flaw with the release of iOS and iPadOS 16.6.1 yesterday (7 September).
🚨 Update your @apple products immediately!
(No clicking required to infect latest iOS!)
Found while checking civil society.
— John Scott-Railton (@jsrailton) September 7, 2023
Israel’s NSO Group develops surveillance technology that can be used to track targeted iOS and Android users. It claims its products are used by government intelligence and law enforcement agencies to prevent and investigate serious crime and terror incidents.
But the group made headlines in 2021 when an investigation claimed the Pegasus spyware was abused and used to target journalists, activists and government officials. Soon after, Apple sued NSO in a bid to “hold it accountable for the surveillance and targeting of Apple users”.
“Once more, civil society is serving as the cybersecurity early warning system for … billions of devices around the world. Including you, if you’re reading this on your iPhone. Or Mac,” John Scott-Railton, a senior researcher at Citizen Lab, posted on X.
“Update your iPhone right away. And then, if you are at risk because of who you are or what you do, enable lockdown mode.”
Apple developed the ‘lockdown mode’ for its devices last summer to give extra security to users who are more susceptible to targeted spyware cyberattacks by authoritarian governments and criminals using spyware such Pegasus or Italian spyware Hermit.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.