A report by Citizen Lab at the University of Toronto revealed that NSO‘s Pegasus spyware had developed three new ways to hack into iPhones by exploiting vulnerabilities in Apple’s operating system. The report found that several members of Mexican civil society, including two human rights activists, had their iPhones infected with Pegasus. The spyware was active on these devices between June and July 2022, and the forensic analysis identified three new zero-click exploits that exploit security vulnerabilities in various iPhone apps and features. These findings demonstrate that U.S. sanctions against the company were ultimately unsuccessful. Despite being blacklisted by the U.S. Department of Commerce in November 2021, NSO successfully exploited at least three zero-click loopholes in iOS 15 and 16. Apple made several changes to address the issue in the iOS 16.3.1 update, released in February 2023, following Citizen Lab’s report.
Citizen Lab’s report also revealed that the latest vulnerability, “PWNYOURHOME,” was a two-step attack targeting the HomeKit functionality built into phones, followed by iMessage. The attackers sent messages through HomeKit to the victim, decoded by their phone. After that, the attackers targeted iMessage. When the victim’s phone decoded the image, it ran malicious code and allowed the attackers to install Pegasus on the phone. However, devices attacked through this vulnerability while in Lockdown Mode display a notification about the intrusion attempt.
The second zero-click, “FINDMYPWN,” was deployed against iOS 15 beginning in June 2022, and it also appears to be a two-step attack that used the Find My feature instead of HomeKit followed by iMessage. The third zero-click, “LATENTIMAGE,” was found to be active in January 2022 on iOS 15, but little is known about this exploit.
Will you offer us a hand? Every gift, regardless of size, fuels our future.
Your critical contribution enables us to maintain our independence from shareholders or wealthy owners, allowing us to keep up reporting without bias. It means we can continue to make Jewish Business News available to everyone.
You can support us for as little as $1 via PayPal at office@jewishbusinessnews.com.
Thank you.
In response to Citizen Lab’s report, NSO denied any wrongdoing and stated that its governmental customers use its technology to fight terrorism and crime worldwide. They also accused Citizen Lab of repeatedly publishing reports that failed to determine the technology in use and refused to share its underlying data.
Citizen Lab’s report reveals the ongoing concerns about using spyware and the need for greater regulation to prevent its misuse. Using spyware to target human rights activists and journalists is a significant violation of privacy and a threat to democratic values. As such, technology companies and governments must work together to ensure that spyware is not used for malicious purposes.
The discovery of new zero-click exploits in Apple’s operating system by Pegasus highlights the need for ongoing vigilance and the development of better security measures to prevent the misuse of spyware. As technology continues to evolve, so will the methods used to exploit vulnerabilities in operating systems and devices. Therefore, it is essential to have continuous research and development efforts to identify and mitigate these vulnerabilities. The fight against spyware and other malicious software is an ongoing battle that requires collaboration between the technology industry, governments, and civil society to protect the privacy and individual freedoms.
the issue of spyware and its potential misuse continues to be an ongoing concern. It is a constantly evolving threat that requires ongoing research, development, and collaboration. While steps have been taken to address the vulnerabilities in Apple’s operating system that Pegasus exploited, new vulnerabilities may be discovered in the future that could be exploited by other types of spyware or malicious software.
Moreover, using spyware to target human rights activists, journalists, and other vulnerable groups is a significant concern that highlights the need for greater accountability and oversight in using these technologies. Therefore, governments, technology companies, and civil society must work together to ensure that the development and deployment of spyware are subject to strict regulations and oversight to prevent its misuse. Only through continued efforts and collaboration can we hope to address the threat posed by spyware and protect individual privacy and freedoms.
