In 2022, NSO deployed three new iOS zero-click exploits to spread spyware
Israeli spyware maker NSO Group developed three new zero-click exploits for iOS 15 and 16 last year to distribute its spyware, according to research by The Citizen Lab. NSO Group reportedly used vulnerabilities in HomeKit and Apple's Find My feature for this.
In total, NSO Group deployed at least three new exploit chains for its spyware last year, writes The Citizen Lab, a research lab at the University of Toronto. These are zero-click exploits, which require no interaction from the victim. The lab started an investigation into NSO Group's new activities in October 2022, in collaboration with the Mexican digital rights organization R3D. A number of Mexican activists who speak out against human rights violations by the Mexican army are said to have been infected with the Pegasus spyware through the new exploits.
PwnYourHome on iOS 15 and 16
One of the new exploits is an iOS zero-click chain that The Citizen Lab calls PwnYourHome. It has been deployed against iOS 15 and iOS 16 since October 2022, the Canadian research lab reports. It is a new attack chain that runs in two phases. The first phase crashes the HomeKit daemon. The second phase targets iMessage through the MessagesBlastDoorService process: the phone downloads a PNG image, after which that process also crashes. The PwnYourHome chain eventually escapes the BlastDoor sandbox and launches the Pegasus spyware via the mediaserverd process.
[Figure omitted. Source: The Citizen Lab]
PwnYourHome could also be exploited if the victim had never created a home in HomeKit, but in certain cases it left the attacker's email address in the device's logs. Apple's Lockdown Mode in iOS, which is aimed at users at increased risk of targeted attacks, appears to protect users against PwnYourHome: the mode shows the user a notification of the attempted attack. The Citizen Lab has seen no evidence of successful PwnYourHome attacks on iPhones running Lockdown Mode. Apple fixed the HomeKit issue in iOS 16.3.1.
FindMyPwn and LatentImage on iOS 15
A second zero-click exploit, called FindMyPwn, was deployed as a zero-day against iOS 15 and abuses Apple's Find My feature. The Citizen Lab writes that this chain also runs in two phases. It starts with the fmfd process, which backs the iPhone's built-in Find My functionality, crashing and restarting. After that, according to The Citizen Lab, the phone's logs show that the MessagesBlastDoorService process has restarted, which indicates that this chain also uses iMessage to install the Pegasus spyware.
The Citizen Lab later also found traces of an earlier zero-click that NSO Group used last year. This one is called LatentImage and also appears to involve Find My, although it works differently from FindMyPwn. LatentImage appears to leave few traces on an infected device, according to The Citizen Lab. The exploit crashes and restarts the fmfd process, though it is unclear what the attack vector for that is. LatentImage was likewise used to install the Pegasus spyware. The Citizen Lab identified it on a single target's device, which was running iOS 15.1.1.
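The three chains above are described purely in terms of which iOS processes crash or restart, and in what order, so a defender's first question is how to turn that into a triage check over a device's logs. The script below is an added example written for this article, not The Citizen Lab's methodology or tooling. It encodes the PwnYourHome sequence (HomeKit daemon crash, then a MessagesBlastDoorService crash, then mediaserverd activity), the FindMyPwn sequence (fmfd restart, then a MessagesBlastDoorService restart) and, as a low-confidence signal only, an fmfd restart that no chain explains, which is all the article gives us for LatentImage. It also pulls any email address logged around a matched chain, since the article says PwnYourHome sometimes left the attacker's address in HomeKit logs. Assumptions: the HomeKit daemon's process name is homed; the five-minute window is arbitrary; the log format and the log lines are constructed for the example and are not the real iOS crash-report or unified-log format. A match is a lead for a full forensic review of the sysdiagnose or backup, for instance with Amnesty's Mobile Verification Toolkit, not proof of infection.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed, simplified event format for this example only:
#   <ISO-8601 UTC timestamp> <event> <process> [free-text detail]
# Real iOS crash reports (.ips) and unified logs look nothing like this.
SAMPLE_LOG = """\
2022-10-12T09:14:03Z crash homed
2022-10-12T09:14:05Z restart homed invitation from attacker-account@example.com
2022-10-12T09:14:09Z crash MessagesBlastDoorService
2022-10-12T09:14:10Z restart MessagesBlastDoorService
2022-10-12T09:14:12Z spawn mediaserverd
2022-10-12T13:02:41Z crash SpringBoard
2022-06-03T18:30:00Z crash fmfd
2022-06-03T18:30:02Z restart fmfd
2022-06-03T18:30:08Z restart MessagesBlastDoorService
2022-01-20T07:11:45Z crash fmfd
2022-01-20T07:11:47Z restart fmfd
"""

# Chain signatures as ordered (process, event) pairs; None matches any event.
# "homed" as the HomeKit daemon's name is an assumption of this example.
CHAINS = {
    "PwnYourHome": (("homed", "crash"),
                    ("MessagesBlastDoorService", "crash"),
                    ("mediaserverd", None)),
    "FindMyPwn": (("fmfd", "restart"),
                  ("MessagesBlastDoorService", "restart")),
}
WINDOW = timedelta(minutes=5)  # arbitrary: every step must fall within this of the first
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    event: str      # crash | restart | spawn
    process: str
    detail: str = ""


@dataclass
class Detection:
    chain: str
    start: datetime
    end: datetime
    confidence: str
    indicators: list = field(default_factory=list)  # e.g. logged email addresses


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the constructed format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ProcEvent(ts, parts[1], parts[2], parts[3] if len(parts) == 4 else ""))
    return sorted(events, key=lambda e: e.ts)


def _match_chain(events, start, signature, window) -> Optional[list]:
    """Indices of events matching `signature` in order, all within `window` of events[start]."""
    matched = [start]
    pos = start + 1
    deadline = events[start].ts + window
    for proc, kind in signature[1:]:
        while pos < len(events) and events[pos].ts <= deadline:
            e = events[pos]
            pos += 1
            if e.process == proc and (kind is None or e.event == kind):
                matched.append(pos - 1)
                break
        else:
            return None  # ran out of events inside the window without finding this step
    return matched


def triage(events: list[ProcEvent], window: timedelta = WINDOW) -> list[Detection]:
    detections = []
    explained = set()  # event indices already attributed to a chain
    for name, signature in CHAINS.items():
        first_proc, first_kind = signature[0]
        i = 0
        while i < len(events):
            e = events[i]
            if (e.process == first_proc and (first_kind is None or e.event == first_kind)
                    and i not in explained):
                idx = _match_chain(events, i, signature, window)
                if idx:
                    explained.update(idx)
                    # Any email logged between the first and last step is a candidate IOC.
                    iocs = [m for j in range(idx[0], idx[-1] + 1)
                            for m in EMAIL_RE.findall(events[j].detail)]
                    detections.append(Detection(name, events[idx[0]].ts,
                                                events[idx[-1]].ts, "high", iocs))
                    i = idx[-1] + 1
                    continue
            i += 1
    # An fmfd restart that no chain explains is the only trace the article gives for
    # LatentImage, so report it, but only as a weak signal.
    for i, e in enumerate(events):
        if e.process == "fmfd" and e.event == "restart" and i not in explained:
            detections.append(Detection("fmfd-restart-unexplained", e.ts, e.ts, "low"))
    return sorted(detections, key=lambda d: d.start)


if __name__ == "__main__":
    for d in triage(parse_events(SAMPLE_LOG)):
        print(f"{d.start:%Y-%m-%d %H:%M:%S} {d.chain:<26} confidence={d.confidence} iocs={d.indicators}")
```

Running it on the constructed sample reports the October PwnYourHome sequence with the logged address as an indicator, the June FindMyPwn sequence, and the January fmfd restart as a low-confidence lead; the SpringBoard crash, which is unrelated, is ignored. The ordering and time-window constraints matter: a BlastDoor crash an hour after a HomeKit crash is ordinary instability on a busy phone, and the check deliberately does not flag it.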
Responses
The Citizen Lab has shared its findings with Apple. A spokesman for the company told The Wall Street Journal that the vulnerabilities affected “a very small number” of its customers. The Citizen Lab recommends that users at increased risk of targeted attacks enable Apple's Lockdown Mode.
NSO Group's spyware has been under fire for some time. In 2021, a consortium of news media and the human rights organization Amnesty International concluded that the spyware had been used in hacking attempts against at least 37 journalists and activists. The Citizen Lab had already reported in 2020 that at least 36 journalists from Al Jazeera and the British Al Araby TV had been attacked with Pegasus. NSO Group is now on the US Commerce Department's Entity List, which means that US companies may only do business with it under a special license. The European Data Protection Supervisor, the EU's privacy regulator, previously argued for a ban on Pegasus in the EU. NSO is also currently being sued by Apple, WhatsApp and the news outlet El Faro.
[Figure: Apple's Lockdown Mode in iOS showing a PwnYourHome attempt. Source: The Citizen Lab]