NSO used three new iOS zero-click exploits to distribute spyware in 2022

Spread the love

Israeli spyware maker NSO Group developed three new zeroclick exploits in iOS 15 and 16 last year to spread spyware. This is evident from research by The Citizen Lab. NSO Group would use vulnerabilities in HomeKit and Apple’s Find My function for this.

In total, NSO Group deployed at least three new exploit chains for its spyware last year, writes human rights organization The Citizen Lab. These are zero-click exploits, which require no intervention from the victim. The research institute began an investigation into NSO Group’s new activities in October 2022, in collaboration with the Mexican organization R3D. A number of Mexican activists who speak out against human rights violations by the Mexican army have reportedly been infected with the Pegasus spyware through new exploits.

PwnYourHome on iOS 15 and 16

One of the new exploits involves an iOS zeroclick called PwnYourHome. This vulnerability has been used against iOS 15 and iOS 16 since October 2022, the Canadian research institute reports. This is a new attack chain that can be exploited in two steps. The first step focuses on crashing the HomeKit daemon. Step two targets iMessage through the MessagesBlastDoorService process. The phone would then download a PNG image, after which this process would also be closed. The PwnYourHome exploit eventually manages to escape the BlastDoor sandbox and enable the Pegasus spyware via the media serverd process.

Source: The Citizen Lab

The PwnYourHome vulnerability could also be exploited if a victim has never created a home in HomeKit, but would log the attacker’s email address in certain cases. Apple’s lockdown mode in iOS, which is aimed at users at increased risk of targeted cyber attacks, appears to protect users from PwnYourHome. This mode makes signs of a hacking attempt visible to the user. The Citizen Lab has seen no evidence of successful PwnYourHome attacks on iPhones in lockdown mode. Apple fixed the HomeKit issue in iOS 16.3.1.

FindMyPwn and LatentImage on iOS 15

A second zeroclick exploit, called FindMyPwn, is a zeroday that was deployed against iOS 15 and takes advantage of Apple’s Find My feature. The Citizen Lab writes that this exploit can also be exploited in two steps. This starts with closing and restarting the fmfd process, which is used with iPhones’ built-in Find My functionality. After that happens, according to The Citizen Lab, phone logs indicate that the MessageBlastDoorService process restarted. This indicates that the vulnerability also uses iMessage to install Pegasus spyware.

The Citizen Lab later also came across traces of an initial zero-click that NSO Group used last year. This is called LatentImage and also appears to use Find My, although this exploit works differently than FindMyPwn. According to The Citizen Lab, LatentImage appears to leave few traces on an infected device. The exploit shuts down and restarts the fmfd process, although the attack vector for this is unclear. LatentImage is also used to install the Pegasus spyware. The exploit was identified by The Citizen Lab on a single target’s device running iOS 15.1.1.

NSO Group controversy

The Citizen Lab has shared its findings with Apple. A spokesperson for the tech giant tells The Wall Street Journal that the vulnerabilities affected “a very small number” of its customers. The Citizen Lab recommends that users who are at increased risk of targeted hacking attacks use Apple’s lockdown mode.

NSO Group’s spyware has been controversial for some time. In 2021, various journalistic media and human rights organization Amnesty International concluded that the spyware was used in hacking attempts on at least 37 journalists and activists. The Citizen Lab already claimed in 2020 that at least 36 journalists from Al Jazeera and the British Al Araby TV had been attacked with the Pegasus malware. NSO Group is now on the US blacklist, which means that only American companies with a special permit are allowed to do business with NSO Group. The European privacy regulator previously advocated a ban on Pegasus in the EU. NSO is also currently being sued by Apple, WhatsApp and news medium El Faro.

Apple’s lockdown mode in iOS shows a PwnYourHome attempt. Source: The Citizen Lab

You might also like
Exit mobile version