According to a new analysis, the spyware reached iPhones through system services such as HomeKit and iMessage. Apple's Lockdown Mode, however, offers protection.
The NSO Group is evidently not running out of vulnerabilities that can be used to hack iPhones: in the past year alone, at least three new exploit chains were used to install the notorious Pegasus spyware on devices running iOS 15 and iOS 16, as the University of Toronto-based Citizen Lab sets out in a new analysis. These were zero-click exploits, meaning users did not first have to be tricked into tapping a manipulated link. According to Citizen Lab, traces of the spyware were found, among other places, on the iPhones of two Mexican human rights activists.
From Home to iMessage: Multi-stage exploit
The spyware apparently abused invitation features that are active by default in Apple services, including “Find My” and Apple Home, or a process belonging to Apple's HomeKit smart home protocol, in each case as part of a two-stage process in combination with iMessage. Apple's messaging service has served as the gateway for surveillance software in the past, as have other messengers such as WhatsApp.
The spyware was able to infiltrate iPhones running iOS 15.5, iOS 15.6 and finally iOS 16.0.3 via a combination of iOS security flaws that were presumably known only to the NSO Group. According to the analysis, the exploit, dubbed “PWNYOURHOME”, first exploited a vulnerability in the system process associated with Apple Home (homed) and then used a downloaded iMessage image attachment to trigger a crash in the iMessage process “MessagesBlastDoorService” in order to execute the malicious code.
Citizen Lab writes that this also worked if the user never used Apple's smart home functions at all and had never set up Apple Home. The researchers passed their findings on to Apple, and the manufacturer subsequently hardened its operating system in this respect with changes to HomeKit in iOS 16.3.1.
Lockdown mode new in iOS 16
If Apple's new Lockdown Mode (“blocking mode”), introduced with iOS 16, was active, the user received a notification of the attack, and no evidence was found that the device had been successfully compromised. The mode disables various services, including the apparently exploited invitation and sharing functions. In addition, Citizen Lab has not observed any successful infection with PWNYOURHOME since iOS 16.1. The current version is iOS 16.4.1, so users should make sure their devices are always running the latest software.
An Apple spokesman told the Washington Post that the attacks affected only “a very small number” of customers and that Apple would add further security features. Citizen Lab advises users who are potential targets of government spyware to enable Lockdown Mode. Although this makes using the iPhone less convenient, it also raises the cost for attackers.