The exploit is called Blastpass and uses Pegasus spyware from NSO Group to read a target’s text messages, view their photos, and listen to calls. The malware was discovered by the Citizen Lab in the Munk School of Global Affairs & Public Policy at the University of Toronto, with researchers notifying Apple of the “zero-click, zero-day” exploit. Citizen Lab first spotted Blastpass on the phone of an unnamed Washington D.C. employee at a civil society organization with international offices. Blastpass can attack any phone running iOS 16.6 “without any interaction from the victim” says CitizenLab.
Apple did not immediately return Gizmodo’s request on the exploit.
Citizen Lab says that the Blastpass is delivered to a victim’s phone via images that are attachments to PassKit, which is a suite of code that allows developers to access Apple Pay infrastructure for their apps. Those images are sent from a phony iMessage account, and when the iPhone processes that image, the hacker has free reign over the victim’s device. CitizenLab is (obviously) keeping details light, but is expected to release a more in-depth report on the exploit in the future.
Per Apple’s security release, those using iPhone 8 or later and running iOS 16.6 should update their phone to the newly released iOS 16.6.1. The exploit can also attack all models of the iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Likewise, Citizen Lab says that users can activate Lockdown Mode on their iPhones, which can block the attack as confirmed to the lab by Apple.