Thursday, April 27, 2023

Zero-Click Exploits Against iOS 16

Citizen Lab (Hacker News):

Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world.

NSO Group’s third and final known 2022 iOS zero-click, which we call “PWNYOURHOME,” was deployed against iOS 15 and iOS 16 starting in October 2022. It appears to be a novel two-step zero-click exploit, with each step targeting a different process on the iPhone. The first step targets HomeKit, and the second step targets iMessage.

[…]

Logs from another PWNYOURHOME-exploited device from the 2022 global target pool examined in the course of this investigation showed the homed process decoding what appears to be an unusual NSKeyedUnarchiver when it crashed.

It sounds like Apple was not using NSSecureCoding.

Logs from yet another PWNYOURHOME-exploited device from the 2022 target pool show that, following the homed phase of PWNYOURHOME, the phone downloaded PNG images from iMessage. Processing these images caused crashes in the MessagesBlastDoorService process. These crashes give us glimpses of what the exploit was doing at various stages, and suggest that the exploit may have circumvented pointer authentication codes (PAC) in some cases by repurposing PAC-valid pointers already present in memory, such as signed pointers to callback functions present in constant structs.
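To make the NSSecureCoding point above concrete, here is an added Swift example (not code from the Citizen Lab report, the post, or Apple) contrasting a legacy unarchive with `requiresSecureCoding` off against `unarchivedObject(ofClass:from:)`. The `HomeMessage` class and the archives are constructed for the demonstration.

```swift
import Foundation

// Hypothetical payload class used only for this demonstration.
final class HomeMessage: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { true }
    let sender: String

    init(sender: String) { self.sender = sender }

    required init?(coder: NSCoder) {
        // decodeObject(of:forKey:) only instantiates the class listed here;
        // an archive naming any other class fails to decode instead.
        guard let s = coder.decodeObject(of: NSString.self, forKey: "sender") as String? else { return nil }
        sender = s
    }

    func encode(with coder: NSCoder) {
        coder.encode(sender as NSString, forKey: "sender")
    }
}

// Weak setting: the archive, i.e. the sender, decides which classes are instantiated.
func decodeLegacy(_ data: Data) throws -> Any? {
    let u = try NSKeyedUnarchiver(forReadingFrom: data)
    u.requiresSecureCoding = false
    defer { u.finishDecoding() }
    return u.decodeObject(forKey: NSKeyedArchiveRootObjectKey)
}

// Hardened setting: only HomeMessage (and whatever its init?(coder:) allows) may be decoded.
func decodeSecure(_ data: Data) throws -> HomeMessage? {
    try NSKeyedUnarchiver.unarchivedObject(ofClass: HomeMessage.self, from: data)
}

// Constructed archives: one legitimate, one whose root is an unexpected class.
let expected = try NSKeyedArchiver.archivedData(withRootObject: HomeMessage(sender: "alice"),
                                                requiringSecureCoding: true)
let unexpected = try NSKeyedArchiver.archivedData(withRootObject: ["k": "v"] as NSDictionary,
                                                  requiringSecureCoding: true)

print(try decodeSecure(expected)?.sender ?? "nil")        // alice
print(try decodeLegacy(unexpected) ?? "nil")              // legacy path happily builds an NSDictionary
do {
    _ = try decodeSecure(unexpected)
} catch {
    print("secure path rejected unexpected class: \(error)") // NSCoderReadCorruptError
}
```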

Bruce Schneier:

One interesting bit is that Apple’s Lockdown Mode (part of iOS 16) seems to have worked to prevent infection.

Zach Cutlip:

What follows is a writeup of the kernel bugs NSO Group’s Pegasus spyware exploited in iOS 9, specifically versions 9.3.4 and earlier. The spyware was discovered and the vulnerabilities patched roughly six years ago.
