Apple has issued a critical security update for iPhones to address a zero-day bug in iOS 16 that could allow attackers to remotely install spyware on a device without any interaction from the iPhone owner. Citizen Lab, a spyware research group,and immediately notified Apple.
The zero-click zero-day exploit had been used to installonto an iPhone owned by an employee of a Washington DC-based civil society organization. Pegasus is spyware developed by a private contractor for use by government agencies. The spyware infects a phone and sends back data, including photos, messages, and audio / video recordings.
The exploit involves PassKit attachments sent via iMessage
Apple has nowjust days after the discovery of this exploit and it’s crucial for iPhone owners to install this update, even if they’re not likely to be targeted with spyware. There are still plenty of groups willing to reverse engineer iOS security updates to try and discover how to exploit this new vulnerability, raising the risk of broader attacks.
Citizen Lab hasn’t provided a full breakdown of the vulnerability for obvious reasons, but the exploit involves PassKit — the framework behind Apple Pay and Wallet — attachments that are loaded with malicious images sent via iMessage. “We expect to publish a more detailed discussion of the exploit chain in the future,” says Citizen Lab.
have made in recent , especially ones that have been actively exploited before Apple was aware of the security flaw. Apple has even developed a Rapid Security Response system that can add security fixes to an iPhone without needing to reboot the device.
Crucially, Citizen Lab sayscan protect users against this latest exploit, so if you’re at risk of being targeted by state-sponsored spyware then it’s well worth enabling this mode.