Apple has released a critical security update for iPhones to fix a zero-day bug in iOS 16 that allows attackers to remotely install spyware on a device without any intervention from the iPhone owner. Citizen Lab, a spyware research group, discovered the exploit last week and immediately notified Apple.
The zero-click zero-day exploit was used to install NGO Group’s Pegasus spyware on an iPhone owned by an employee of a Washington DC-based civil society organization. Pegasus is spyware developed by a private contractor for use by government agencies. The spyware infects a phone and sends back data, including photos, messages, and audio/video recordings.
The exploit involves PassKit attachments sent via iMessage
Apple has now released iOS 16.6.1 just days after discovering this exploit, and it’s critical for iPhone owners to install this update, even if they’re not likely to be targeted by spyware. There are still plenty of groups willing to reverse engineer iOS security updates to try and discover how to exploit this new vulnerability, increasing the risk of wider attacks.
Citizen Lab has not provided a full overview of the vulnerability for obvious reasons, but the exploit involves PassKit (the framework behind Apple Pay and Wallet) with attachments loaded with malicious images sent via iMessage. “We expect to publish a more detailed discussion of the chain of exploitation in the future,” says Citizen Lab.
Vulnerabilities in iOS have regularly made the news in recent years, especially vulnerabilities that were actively exploited before Apple became aware of the vulnerability. Apple has even developed a Rapid Security Response system that can add security fixes to an iPhone without restarting the device.
Crucially, Citizen Lab says Apple’s Lockdown Mode can protect users from this latest exploit, so if you’re at risk of being targeted by state-sponsored spyware then it’s definitely worth enabling this mode. to change gear.