‘BLASTPASS’ iPhone Exploit — Apple Asleep at the Switch

Yet another iOS zero-day lets NSO’s Pegasus “mercenary spyware” cause chaos.

Apple is under fire yet again for its insecure software. After fixing its 13th zero-day of 2023, surely it’s time for someone in Cupertino to wake up?

Yes, there’s another zero-click bug in iMessage. In today’s SB Blogwatch, we eyeroll at Apple’s claim to be more secure than the rest.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Rethinking CLIs.

Zero Click, Zero Day, Zero Clue

What’s the craic? David Horovitz and friends report—“Apple releases major security update”:

Used to target human rights activists
The issue was discovered by researchers at … Citizen Lab, who said the software flaw was being “actively exploited” to deliver commercial spyware called Pegasus developed and sold by the Israeli company NSO Group. … Users should “immediately” update their devices [to] iOS 16.6.1.

Pegasus … can install itself on a phone without requiring users to click a link, and gives the hacker complete access to the entire contents of the phone, as well as the ability to use its cameras and microphone. … NSO Group has repeatedly denied claims that its spyware has been used to target human rights activists, and says that it only sells to government entities with the approval of the Israeli government.


Where there’s one vuln, there’s often another. Lorenzo Franceschi-Bicchierai digs deeper—“Apple fixes zero-day bugs”:

Lockdown Mode
Apple released security updates on Thursday that patch two zero-day exploits … used against a member of a civil society organization in Washington, D.C., according to the researchers. … It appears Apple may have found the second vulnerability while investigating the first.

Lockdown Mode, an opt-in mode that enhances some security features and blocks others to reduce the risk of targeted attacks, would have blocked the exploits found in this case. NSO did not immediately respond to a request for comment.

Horse’s mouth? Bill Marczak and chums—“Zero-Click, Zero-Day Exploit Captured in the Wild”:

Mercenary spyware
We refer to the exploit chain as BLASTPASS. … The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim. … Apple issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061).

We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organization for their collaboration. … This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware.

So, well done Apple? Sergiu Gatlan is having none of it:

Since the start of the year, Apple has fixed a total of 13 zero-days: …
CVE-2023-37450 and CVE-2023-38606 in July …
CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439 in June …
CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373 in May …
CVE-2023-28206 and CVE-2023-28205 in April, and …
CVE-2023-23529 in February.

CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments. Both allow threat actors to gain arbitrary code execution.
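Gatlan names the two bug classes but, rightly, not the details, which Apple and Citizen Lab have not published. The following C is an added illustration of those classes written for this page; it is not Apple’s ImageIO or Wallet/PassKit code and makes no claim about how CVE-2023-41064 or CVE-2023-41061 actually work. It assumes a made-up attachment format (4-byte width, 4-byte height, then pixels) and shows the overflow pattern in size arithmetic on attacker-controlled dimensions next to a hardened decoder that also refuses an attachment whose header declares more data than it carries.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example, not a real image
 * container): 4-byte little-endian width, 4-byte height, then w*h*4 pixel bytes. */
#define HDR_LEN     8u
#define PIXEL_BYTES 4u
#define MAX_DIM     16384u   /* sanity cap on either dimension */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The buffer-overflow class: size arithmetic done in 32 bits on
 * attacker-controlled dimensions wraps. 0x10000 x 0x4000 x 4 is exactly
 * 2^32, which wraps to 0: the decoder would malloc(0) and then run a row
 * loop that still believes it has 0x10000 * 0x4000 pixels to write. */
uint32_t naive_pixel_bytes(uint32_t w, uint32_t h) {
    return w * h * PIXEL_BYTES;
}

/* Hardened size computation: reject zero or absurd dimensions up front and do
 * the multiply in 64 bits so it cannot wrap. With MAX_DIM in place the result
 * is at most 2^30 bytes, which fits any size_t. Returns 0 on success, -1 on reject. */
int checked_pixel_bytes(uint32_t w, uint32_t h, size_t *out) {
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -1;
    uint64_t n = (uint64_t)w * (uint64_t)h * PIXEL_BYTES;
    *out = (size_t)n;
    return 0;
}

/* The validation class: a decoder that trusts the header and memcpy()s the
 * declared area reads past what the attachment actually carries. Here the
 * declared area must both pass the size check and be physically present.
 * Returns a malloc'd pixel buffer (caller frees) or NULL on rejection. */
uint8_t *decode_hardened(const uint8_t *blob, size_t len, size_t *out_len) {
    if (blob == NULL || len < HDR_LEN) return NULL;
    uint32_t w = rd32le(blob), h = rd32le(blob + 4);
    size_t need;
    if (checked_pixel_bytes(w, h, &need) != 0) return NULL;
    if (len - HDR_LEN < need) return NULL;      /* truncated or lying header */
    uint8_t *px = malloc(need);
    if (px == NULL) return NULL;
    memcpy(px, blob + HDR_LEN, need);
    *out_len = need;
    return px;
}

/* Convenience for checking outcomes: bytes decoded, or 0 if rejected. */
size_t decode_len(const uint8_t *blob, size_t len) {
    size_t n = 0;
    uint8_t *px = decode_hardened(blob, len, &n);
    if (px == NULL) return 0;
    free(px);
    return n;
}

/* Constructed sample "attachments" (not captured traffic). */
const uint8_t GOOD_BLOB[24] = {2,0,0,0, 2,0,0,0,            /* 2x2, 16 pixel bytes */
    1,2,3,4, 5,6,7,8, 9,10,11,12, 13,14,15,16};
const uint8_t TRUNCATED_BLOB[16] = {2,0,0,0, 2,0,0,0,       /* claims 2x2, carries 8 */
    1,2,3,4, 5,6,7,8};
const uint8_t WRAP_BLOB[8] = {0,0,1,0, 0,0x40,0,0};         /* 0x10000 x 0x4000 */

int main(void) {
    printf("naive size for 0x10000 x 0x4000: %u (wrapped)\n",
           naive_pixel_bytes(0x10000u, 0x4000u));
    printf("good: %zu bytes\n", decode_len(GOOD_BLOB, sizeof GOOD_BLOB));
    printf("truncated: %zu (0 = rejected)\n", decode_len(TRUNCATED_BLOB, sizeof TRUNCATED_BLOB));
    printf("wrap: %zu (0 = rejected)\n", decode_len(WRAP_BLOB, sizeof WRAP_BLOB));
    return 0;
}
```

The point for a practitioner is the pairing: a cap on each dimension, arithmetic wide enough not to wrap, and a check that the declared payload is actually present. Any one of the three on its own leaves a hole the other two close.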

Déjà vu? Same to you. computator feels it too: [You’re fired—Ed.]

The fact that Apple blended iMessages, SMS text messages, and email into an extremely confusing mess may also be the reason for so many security issues related to iMessage. … I find iMessage’s logic and behavior bewildering.

For example: If you stop using WhatsApp … nothing bad happens if you try to send messages another way. But if you stop using iMessage, then you can no longer send a normal SMS to someone with whom you’ve communicated before using iMessage. The Messages app will tell you, “You must enable iMessage to send this message,” even if it’s an SMS text message to a normal phone number!

[You must] disable iMessage … then sign out of Facetime (who could imagine that as a necessary step?), sign out of iCloud, reboot the iPhone, and wait some minutes to hours to days until you are “deregistered.” … The source code for iMessage must be a nightmare having integrated SMS and email and a new messaging system all together.

Something’s going wrong here. Publius Enigma spins the rotors:

Can someone explain how this is possible with System Integrity Protection and Gatekeeper enabled? I can’t install an unsigned program of my choosing without bypassing Gatekeeper protections, yet malware can be installed via Messages?

We know that things are bad—worse than bad. Erik Beall is as mad as hell and he’s not gonna take this anymore:

The intentionally incompatible iMessage yet again? How many zero days does iMessage have to get before people stop blindly trusting Apple as “more secure”?

Given the fact that Apple not only intentionally disables SMS functionality for non Apple recipients [and] has also enabled professional spyware … I don’t think I want any devices with iMessage or FaceTime on my network. … Not that I have much choice given all the friends, family and coworkers who are certain Apple does security for them.

This is the sort of thing Apple used to chide Microsoft about in those super-smug “I’m a Mac; and I’m a PC” ads. Shakrai shakes the tree:

Apple has a better track record than many (COUGH Microsoft COUGH) on security, but they also have the largest bullseye on their back. … Every ‘VIP’ user I’ve ever supported uses iPhone, high level elected officials, Fortune 100 CFOs, national security workers, virtually all … carry iPhones with them 24/7.

Whether people of that importance should be carrying around complex computers with tens of millions of lines of code (i.e., tens of millions of opportunities for mistakes to be made) is another discussion entirely, but good luck taking it away from them. The American national security apparatus couldn’t part Obama or Trump from their smartphones and POTUS is the fattest intelligence target on Planet Earth.

Speaking of Microsoft, londons_explore makes this comparison:

How many exploits has iMessage had now? Isn’t it time we made first messages from all new contacts plain text only, and all other messages some very restricted subset rather than some crazy extensible system that isn’t so different from ActiveX?

Meanwhile, how did we get here? ACForever explains:

It’s in Apple’s DNA to just suck at software.

And Finally:

James has the solution



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Matheus Farias (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
