Elevated Threats to Public Cloud and Civilian Devices: The Evolving Landscape of Apple Device Exploits
Apple has long enjoyed a reputation for strong security; its operating systems and apps were widely perceived as close to invulnerable. A recent security update for Apple products, covering iPhones, iPads, Mac computers and Apple Watches, shows that no platform is immune. We strongly recommend that users install the update promptly and, where their risk profile warrants it, enable Lockdown Mode.
The BlastPass Incident: A Wake-Up Call
Citizen Lab, a research laboratory at the University of Toronto, recently uncovered a sophisticated exploit chain it named "BlastPass". The discovery was made while examining a device belonging to an employee of a Washington, D.C.-based international civil society organisation. Citizen Lab reported the findings to Apple, which assigned two CVEs to the underlying vulnerabilities.
Apple has since shipped fixes for both in a software update.
Not an Isolated Case: A Pattern of Vulnerabilities
Over the past five years, attacks on civilian networks and mobile devices have risen steadily, and Apple devices have become prime targets. Two incidents in 2019 dispelled the idea that Apple products were beyond the reach of such threats. One was a flaw in WhatsApp that let attackers install spyware on smartphones, including iPhones, by placing a call. The other, uncovered by Google researchers, was a large-scale watering-hole campaign that exploited iPhones of visitors to websites aimed at the Uighur Muslim community in China. Both sets of vulnerabilities had been patched by the time they became public.
The BlastPass Exploit: A Deep Dive
The exploit chain, dubbed "BlastPass", was designed to compromise iPhones running what was then the current iOS release (16.6) with no user interaction at all. The attacker's iMessage account sent the victim PassKit attachments containing maliciously crafted images; the victim did not have to open or tap anything. Citizen Lab has said that further technical details will follow in a later publication. Its prompt disclosure to Apple was key to the quick assignment of CVEs and release of the fix.
NSO Group and the Larger Cyber Threat Landscape
NSO Group, a commercial spyware vendor operating in a legal grey zone, was identified as the source of the Pegasus mercenary spyware delivered by this zero-click exploit chain. Both Apple and Meta have ongoing lawsuits against NSO Group over earlier spyware attacks, and in 2021 the Biden administration added the company to the US Commerce Department's Entity List, restricting exports to it. NSO Group is not alone, however: other vendors around the world sell comparable capabilities.
Immediate Actions Recommended
We urge users to update their devices as soon as possible. Those at elevated risk because of their profession or identity (journalists, human rights defenders, dissidents, and the people who work with them) should also enable Lockdown Mode. Apple's Security Engineering and Architecture team has confirmed to Citizen Lab that Lockdown Mode blocks this particular attack. Note that Lockdown Mode deliberately disables or restricts some features, including most message attachment types and certain web technologies, so users should expect a trade-off in convenience for the added protection.
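For an organisation managing a fleet, "update and enable Lockdown Mode" translates into an inventory check. The script below is an added example, not code from the original article, Citizen Lab or Apple; it assumes a constructed inventory export with the fields `id`, `os_version`, `lockdown_mode` and `high_risk` (real MDM exports differ), and the `MIN_PATCHED` threshold is a placeholder to be set from Apple's security release notes for the update being enforced. The one non-obvious point it demonstrates is that iOS versions must be compared numerically, not as strings.

```python
"""Flag fleet devices that still need the update or that lack Lockdown Mode.

Added example: not from the original article, and not Citizen Lab or Apple code.
Assumptions, labelled as such:
  - MIN_PATCHED is a placeholder; set it from Apple's security release notes.
  - The inventory layout and the 'high_risk' per-user flag are constructed
    for this example; a real MDM export will look different.
"""
from __future__ import annotations

from typing import Iterable

# Assumed threshold: replace with the version named in Apple's advisory.
MIN_PATCHED = "16.6.1"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '16.6.1' into (16, 6, 1) so comparison is numeric, not lexical.

    A plain string compare gets this wrong: '16.10' < '16.9' as text, but
    16.10 would be the newer release. Non-digit characters are dropped and
    empty components count as 0.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, required: str) -> bool:
    """True if 'installed' is the same as or newer than 'required'."""
    a, b = parse_version(installed), parse_version(required)
    # Pad to equal length so (16, 6) compares equal to (16, 6, 0).
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def triage(devices: Iterable[dict], min_version: str = MIN_PATCHED) -> dict:
    """Split an inventory into action buckets.

    A device can land in both 'needs_update' and 'needs_lockdown'; it is
    'ok' only when neither action applies.
    """
    needs_update, needs_lockdown, ok = [], [], []
    for d in devices:
        flagged = False
        if not version_at_least(d["os_version"], min_version):
            needs_update.append(d["id"])
            flagged = True
        if d.get("high_risk") and not d.get("lockdown_mode"):
            needs_lockdown.append(d["id"])
            flagged = True
        if not flagged:
            ok.append(d["id"])
    return {"needs_update": needs_update,
            "needs_lockdown": needs_lockdown,
            "ok": ok}


# Constructed sample inventory for the example (not real device data).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "os_version": "16.6", "lockdown_mode": False, "high_risk": True},
    {"id": "iphone-02", "os_version": "16.6.1", "lockdown_mode": False, "high_risk": True},
    {"id": "iphone-03", "os_version": "16.6.1", "lockdown_mode": True, "high_risk": True},
    {"id": "ipad-04", "os_version": "16.10", "lockdown_mode": False, "high_risk": False},
    {"id": "iphone-05", "os_version": "15.7.8", "lockdown_mode": True, "high_risk": False},
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run it against your own export after mapping the field names; the `needs_update` list is the priority queue, and `needs_lockdown` is the follow-up conversation with each high-risk user about the features Lockdown Mode turns off.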
The Value of Protecting Civil Society
The BlastPass incident underscores the need to bolster the cybersecurity defences of civil society organisations. Apple’s recent update will fortify devices across the board—from average consumers to enterprises and governments.