Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Pegasus had three ways to hack iPhones without the owner tapping

NSO Group, makers of spying tool Pegasus

Pegasus, the spyware used by governments to secretly break into iPhones of journalists and political opponents, used three zero-click exploits affecting iOS 15 and iOS 16 in Mexico in 2022.

NSO Group is the infamous creator of Pegasus, a surveillance tool sold to governments and law enforcement agencies around the world to spy on people's devices. Famously used to hack the iPhones of human rights activists and journalists, the spyware is a major threat to the security and privacy of people who are of interest to NSO Group's clients.

While previously Pegasus was found to be using zero-click exploits to defeat the security of iOS 14, Citizen Lab has discovered instances where three more zero-click exploits. This time, the three were used to infiltrate iPhones running iOS 15 and iOS 16.

The group found the new exploits in October 2022, as part of an investigation with the Mexican digital human rights organization Ren ed Defensa de los Derechos Digitales. Examining iPhones used by human rights defenders in Mexico, the three exploits were discovered as brand new ways Pegasus was able to infect devices.

The attacks were found in some cases to coincide with 2022 events in the "Ayotzinapa case," referring to the disappearance of students protesting teacher hiring practices in 2015. Human rights organization Centro PRODH and Mexican legal aid members were targeted in the new wave of infections throughout 2022.

Three iPhone zero-click exploits

The first exploit, titled "FINDMYPWN," was found to work against iOS 15.5 and iOS 15.6 and used an fmfd process associated with Find My. With the process exiting and relaunching, it was observed that the exploit caused an item to be written and deleted inside a cache directory associated with Find My.

Relatively little information has been released about the exploit, in part because research is ongoing, but also for continued research. Indicators of an infection are not being released as Citizen Lab believes there are efforts by NSO Group to evade detection, and providing such details would aid the spyware producer.

A second exploit called "PWNYOURHOME" is a two-phase zero-click exploit, where each phase targets different processes. A daemon crash in HomeKit was used in a first phase, followed by downloading PNG images from iMessage that crashes BlastDoor.

It is unclear how the exploit escapes the BlastDoor sandbox, but it is known that the exploit does eventually launch Pegasus via mediaserverd.

CitizenLab disclosed the HomeKit issue to Apple, which then resulted in a fix in iOS 16.3.1.

It does appear that Lockdown Mode in iOS warns users of attempts to attack the iPhone using the exploit, by displaying notifications that attempts were made to access a Home. However, as there are no indications NSO has stopped deploying the exploit, it may be the case that NSO has figured out how to avoid triggering the notifications.

After discovering both of the exploits, a third was discovered after the team rechecked forensic analysis for earlier cases. Dating back to January 2022 and affecting iOS 15, the exploit was dubbed "LATENTIMAGE" due to leaving "very few traces" on a device.

It is believed the exploit uses Find My, though Citizen Lab couldn't determine if it was the initial attack vector.

A continuing threat

Pegasus continues to be a threat, according to Citizen Lab, due to the evolution of the attacks. Two of the three are the first zero-click exploits the team observed that uses two separate remote attack surfaces on the iPhone.

"As we noted in this report, NSO Group's escalating efforts to block researchers and obscure traces of infection, while still ultimately unsuccessful, underline the complex challenges of these sorts of investigations, including balancing the publication of indicators while maintaining the ability to identify future infections," Citizen Lab writes.

For high-risk users, Citizen Lab offers they should enable Lockdown Mode, due to the "increased cost incurred on attackers."

AppleInsider also highly recommends habitually updating devices when new software updates are released. Since they include bug fixes and security updates, it is better to go with the latest protection than not.