Apple urges security update after NSO’s zero-click spyware hacked US iPhone

The blacklisted Israeli spyware maker NSO Group is behind a piece of powerful malware found on the iPhone of a D.C.-based civil society worker, researchers said Thursday, prompting Apple to push out security updates for all of its mobile and desktop systems.

“We urge everyone to immediately update their devices,” said researchers with Toronto-based Citizen Lab.

The security gap, along with another vulnerability discovered by Apple, could be used by NSO’s flagship spyware Pegasus to surreptitiously gather everything on the target’s device—evading the encrypted protections of messaging apps like Signal or WhatsApp—even if they never clicked a link or installed software. 

“Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, [we] found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” researchers for Citizen Lab said in its report. The exploit “was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.”

Malicious use of ApplePay and images

The first vulnerability, CVE-2023-41064, relates to a validation problem in the Wallet framework and can be exploited if a device is sent a “maliciously crafted attachment.” Citizen Lab called the exploit chain BLASTPASS, because it involved PassKit, a framework that allows developers to include Apple Pay in their apps. 

The second vulnerability, disclosed by Apple as CVE-2023-41061, is a buffer overflow issue in the Image I/O framework that can be attacked when processing “a maliciously crafted image,” Apple said. 

Citizen Lab said it had “immediately disclosed our findings to Apple and assisted in their investigation.” Apple said in a statement it was “aware of a report that this issue may have been actively exploited,” but declined to comment more. The company has previously touted a system to send alerts to users impacted by government-backed hacking campaigns.

Citizen Lab also said it encourages “everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode,” an iOS and MacOS feature that implements additional security features. Apple’s Security Engineering and Architecture team confirmed to Citizen Lab that the setting blocks this particular attack.

Apple issued its new security patches—for iOS, macOS Ventura, iPadOS and watchOS—as part of regular updates, not as a Rapid Security Response, the term Apple uses for urgent bug fixes. Including the new Pegasus exploits, the company has now patched 13 zero-days in 2023. 

“This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware,” Citizen Lab wrote. “Apple’s update will secure devices belonging to regular users, companies and governments around the globe. The BLASTPASS discovery highlights the incredible value to our collective cybersecurity of supporting civil society organizations.”

The secretive Herzliya-based company designed Pegasus to be delivered to unsuspecting targets’ iPhones through innocuous-looking links, messages, or WhatsApp calls; without users’ knowledge, their phones could be quietly owned by high-paying government clients. NSO says it only sells Pegasus and other weapons to vetted law enforcement agencies, and has no visibility into its clients’ targets, but it has a history of selling to governments with dubious rights records. Its zero-click spyware has been found on the phones of government officials, human rights workers, journalists, activists, academics, and business people from the UAE to Mexico and the U.S. In 2018, Pegasus was reportedly used by Saudi Arabia to target Washington Post journalist Jamal Khashoggi ahead of his state-ordered killing.

In May, researchers from Amnesty International and other advocacy groups alleged that Pegasus was used to target several dozen Armenian activists’ and journalists’ smartphones during the country’s conflict with Azerbaijan between 2020 and 2022. Some of the hacking allegedly occurred after NSO was put on a U.S. blacklist in 2021. Other NSO exploits in Apple software were discovered by Citizen Lab in April.

Following dogged research by Citizen Lab, tech companies, and journalists, regulators have attempted to prevent the spread of Pegasus, with the European Parliament urging EU member nations to ban it. EU lawmakers last year opened a spyware inquiry after Pegasus was found on phones associated with the British and Spanish prime ministers, Spain’s defense minister, and dozens of Catalan politicians and members of civil society groups. In August, Israel said it had set up a commission to investigate whether police had misused spyware, including Pegasus, during criminal investigations.

On Thursday, a Polish government commission said spyware like Pegasus was illegal, following an 18-month investigation into allegations that the government used NSO’s tools to spy on politicians ahead of the country’s 2019 elections.

Amid reports of NSO selling its tools to U.S. agencies, the White House blacklisted the company in November 2021, banning any transfer of U.S. technology to NSO. A month later, its spyware was found on the phones of at least nine U.S. State Department employees. 

The company also faces a growing slate of lawsuits. A new lawsuit filed by Hanan Elatr, Khashoggi’s widow, accuses NSO of breaking U.S. hacking laws, saying the spyware “caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career.”

Other powerful foes are pursuing NSO. Apple itself filed suit in November 2021 over Pegasus attacks, and in January, the Supreme Court denied a petition to block a lawsuit filed by Meta over NSO’s hacking of WhatsApp.

Still, NSO has continued to develop its spyware as it reshapes its business with a renewed hope for profitability.

In May, its lenders, including Credit Suisse and Senator Investment Group, forced a change of control at NSO and foreclosed on its Luxembourg-based parent company, according to the Wall Street Journal. That wiped out its previous owners, including a private-equity fund started by Novalpina Capital that bought the company in a deal that valued it at roughly $1 billion in 2019. 

The company’s lenders have been working with Omri Lavie, a co-founder of NSO, and, according to corporate filings, a Luxembourg holding company controlled by Lavie, Dufresne Holdings, is now listed as the sole shareholder of NSO’s parent company. Lavie has also reportedly taken charge at NSO, firing a number of directors and officers. 

Seeing promise in the company’s technology, its lenders reportedly agreed not to call NSO in default for failing to pay debts to them since the 2021 blacklist and have since lent millions of more dollars to help pay NSO’s expenses. 

NSO did not immediately respond to a request for comment.

NSO’s possible turnaround reflects an industry that’s still growing in the shadows. In May, the Financial Times reported that the U.S. Drug Enforcement and Administration Agency is among the top customers of Paragon, which produces a Pegasus-like tool called Graphite. The Israeli company also reportedly sought U.S. guidance on its target customer list. Sources told the Financial Times that 35 countries were approved, mostly in Europe and Asia.

Zero-click exploits are among the highest-prized among cyber mercenaries and government-backed hackers. iOS exploits tend to be harder to come by, but on Zerodium, an exploit marketplace, an Android zero-click can now fetch up to $2,500,000, about $500,000 more than the price of a similar iOS exploit.

Apple, which is preparing to launch a new iPhone next week, is also grappling with a separate security-related crisis: on Wednesday, it emerged that several Chinese government agencies had moved to ban Apple’s iPhones from their workplaces over security concerns.