Apple has released a critical security update for iPhones to address a zero-day bug in iOS 16 that could allow spyware to be installed remotely on a device without any interaction from the iPhone owner. Citizen Lab, a spyware research group, Discovered the exploit last week Immediately notified Apple.
A zero-click zero-day exploit was used to install the NGO group’s Pegasus spyware on an iPhone owned by an employee of a Washington DC-based civil society organization. Pegasus is spyware developed by a private contractor. The spyware infects the phone and returns data including photos, messages and audio/video recordings.
The exploit involves PassKit attachments sent via iMessage
Apple is now Released iOS 16.6.1 Even though iPhone owners are unlikely to be targeted by spyware just days after the exploit was discovered, installing this update is critical. There are still plenty of teams ready to modify iOS security updates to figure out how to exploit this new vulnerability, raising the risk of widespread attacks.
Citizen Lab didn’t provide full details of the vulnerability for obvious reasons, but the exploit involves PassKit — the framework behind Apple Pay and Wallet — sending attachments loaded with malicious images sent via iMessage. “We look forward to publishing a more detailed discussion of the exploitation chain in the near future,” says Citizen Lab.
iOS vulnerabilities have consistently made headlines in recent years, especially when Apple was actively exploiting a security flaw before it was even aware of it. Apple has developed a Rapid Security Response system that can add security fixes to an iPhone without restarting the device.
Importantly, Citizen Lab says that Apple’s Lockdown Mode will protect users against this latest exploit, so if you’re at risk of being targeted by government-sponsored spyware, it’s a good idea to enable this mode.