Researchers at Citizen Lab, at the University of Toronto, discovered a vulnerability in Apple's iOS 16.6 operating system, in the Apple Lossless Audio Codec (ALAC), that allows the Pegasus spyware to be installed without any direct action by the user.
The discovery of the vulnerability
The team found traces of Pegasus software on the iPhone of an employee of an “international civil society organization”. They discovered that attackers can access the victim's iPhone and install Pegasus by sending an image via iMessage, without the need for user interaction.
Apple's response
After being alerted, Apple released a security update to its customers that protects against this vulnerability, known as Blastpass. “It is considered a zero-click vulnerability because there is nothing the victim has to do. No click, no interaction, no mistake is required for the device to be infected,” explained John Scott-Railton, researcher at Citizen Lab.
Recommendations for iPhone users
Citizen Lab recommends that all iPhone users update their devices, and that anyone who believes they may be at higher risk of being spied on enable “Lockdown” mode, which blocks exploitation of this vulnerability.
The role of Citizen Lab
Citizen Lab researchers are experts in investigating the use of technology to violate human rights, and collaborated on the journalistic project “The Pegasus Project”, which disclosed the illegal use of this software by several states to spy on journalists, politicians and activists.