Your iPhone Is At Risk Of This New iMessage Hack, Here's How To Protect Your Device

Apple's tightly-controlled ecosystem on its iOS devices keeps most users safe from garden-variety security threats, but it's not infallible. That the iPhone has, at last count, 55% of the American smartphone market share makes it a massive target for bad actors, and not just the kinds of malware most people think of as threats. One particular threat is the Israel-based NSO Group, a cyber-mercenary firm that specializes in weaponized, targeted spyware. Most infamously, NSO's hacking tools have been tied to the Saudi government's rendition and murder of Washington Post columnist Jamal Khashoggi.

On Thursday, Citizen Lab announced that it had discovered a new NSO Group exploit in the wild, a zero-click vulnerability that allowed NSO's Pegasus spyware to be installed on the iPhone belonging to "an individual employed by a Washington DC-based civil society organization with international offices." And yes, "zero-click" means exactly what it sounds like it means: This vulnerability requires zero user interaction for the bad actor to make it work. Whatever government entity — Pegasus claims to only sell to governments — is using Pegasus, it just needs to know who the target is in order to exploit this vulnerability against them.

How do I protect my iPhone from the new exploit?

According to Citizen Lab, the new NSO Group exploit — dubbed BLASTPASS by the researchers — involves the attacker using an iMessage account to send their target messages that have malicious image files attached. Apple has today released an iPhone update, iOS 16.6.1, to address the exploit, so running a software update on your device as soon as possible is the first step to closing the loophole that Pegasus found for BLASTPASS. To do this, go to Settings -> General -> Software Update.

Apple has also released updates for iPad, Mac, and Apple Watch, which should also be installed as a matter of urgency.

"Processing a maliciously crafted image may lead to arbitrary code execution," Apple said of the exploit, confirming that it "is aware of a report that this issue may have been actively exploited." Specific to the ImageIO vulnerability described by Citizen Lab, Apple says a "buffer overflow issue was addressed with improved memory handling," but also adds that, for a similar issue in Wallet, "[a] validation issue was addressed with improved logic."

Most people are unlikely to be targets of NSO Group clients and should be fine with the new update. Those at "increased risk" should turn on the iPhone's "Lockdown Mode," Citizen Lab recommended, which is specifically designed to resist Pegasus-style mercenary malware attacks. To do this, go to Settings -> Privacy & Security -> Security -> Lockdown Mode -> Turn On Lockdown Mode -> Turn On Lockdown Mode (again) -> Turn On & Restart. After entering your device passcode, you'll be good to go.

How else can I protect my iPhone from mercenary malware?

More broadly, there are other ways to try to minimize the risk of Pegasus-style spyware from NSO Group and its competitors, which go beyond the obvious steps like being diligent about software updates. A February 2022 Kaspersky Daily blog post includes numerous suggestions, some more surprising than others. Most people probably won't need to go to the extreme of disabling the consistently targeted default apps like Messages and FaceTime, but for those who know they're at risk, such a step might make sense. Other suggestions are more in line with best practices for digital security more broadly, like routing all traffic through a VPN and never clicking on links sent in Messages, particularly unsolicited ones.

A couple of points in particular are a lot less readily apparent. One is that using a different web browser instead of Safari or Chrome helps thwart some attacks despite all iOS browsers using the same WebKit rendering engine. The other is that rebooting your iPhone daily can be a surprisingly robust defense against the likes of Pegasus.

Citing research from both Citizen Lab and Amnesty International, Kaspersky says that Pegasus "often relies on zero-click 0-days with no persistence." This means that a reboot serves to "clean" the phone, so if you reboot daily, the Pegasus user would have to target you with new attacks daily. The blog post notes that Kaspersky saw this work on an infected phone, where, after a few additional attempts, the bad actor gave up since the reboot had kicked them out of the handset.