Apple has released a critical iOS 16 security update for iPhones and iPads to patch a particularly malicious bug that could allow a hacker to take over your device with no action on your part. The "zero-click, zero-day" exploit allows attackers to install NSO Group's Pegasus spyware, which could let them read a target's text messages, listen in on calls, pilfer and transmit images, track their location and more.
The exploit (referred to as "Blastpass") was first discovered by Citizen Lab, which immediately disclosed it to Apple. It was reportedly used to install Pegasus onto the iPhone of an employee from a Washington DC-based organization. It's capable of compromising devices running the latest 16.6 version of iOS "without any interaction from the victim," the group wrote.
Apple has released iOS 16.6.1 to counter the vulnerability, stating simply that "a maliciously crafted attachment may result in arbitrary code execution." In addition, Citizen Lab even advised "all at-risk users to consider enabling Lockdown Mode as we believe it blocks the attack." It's believed that the attack involved PassKit (an SDK that allows developers to put Apple Pay in their apps), hence the Blastpass name, along with malicious images sent by iMessage. For obvious reasons, Citizen Lab didn't release any other details.
Lockdown mode is a recent iOS feature designed to severely restrict the functions of Apple devices and is aimed at a "very small number of users who face grave, targeted threats to their digital security," Apple has stated. The company has faced a number of threats of late, including a vulnerability from February 2023 that "may have been actively exploited," Apple said at the time.
The exploit also brings Pegasus back into the news, following a ban by the Biden administration earlier this year. Developed by the Israel-based cyber-arms company NSO Group, it created a furor after it was used by multiple nations to spy on journalists, activists and others. In one notorious case, it was reportedly used by Saudi Arabia to spy on journalist Jamal Kashoggi, who was later murdered in Turkey.
This article originally appeared on Engadget at https://www.engadget.com/update-your-iphone-now-to-patch-a-major-pegasus-vulnerability-114009683.html?src=rss