Friday, September 8, 2023

BLASTPASS

Juli Clover (Hacker News):

[A] maliciously crafted image could lead to arbitrary code execution, allowing a hacker to gain access to the operating system with a simple picture.

[…]

As reported by Citizen Lab, the vulnerabilities are part of a “BLASTPASS” exploit chain that was observed having been used in the wild to deliver NSO Group’s Pegasus spyware. Pegasus is of critical concern to government officials, journalists, activists, and others with potentially sensitive information on their devices.

The zero-click vulnerability allowed attackers to send a maliciously crafted PassKit (Wallet) image to a target via iMessage, infecting their device “without any interaction from the victim.”

Lockdown Mode blocks this particular attack. It’s not really clear to me why these images can’t be safely processed behind the Blast Door. Is it because they’re related to other cross-cutting iOS services such as PassKit? That is, if iMessage were just a messaging service, it would be easier to make it secure. If Messages were restricted to doing what third-party apps can do, maybe these sorts of vulnerabilities would be impossible. But it’s also become the transport for various other iOS features and Apple services, so it’s necessarily hooked deeper into the system. If I lived in Europe, maybe I could just disable iMessage and use WhatsApp, which is arguably more reliable and secure.


It's not clear to me why an incoming image can't be decoded by a very strongly restricted process, and then re-encoded in a format with no security vulnerabilities (raw pixel data for example, or any format that can be proved secure (which is technically possible; provable software is possible in restricted domains)) and returned to Messages safely.
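The commenter's proposal, as an added example (not code from the post, from Apple, or from BlastDoor): the untrusted decoder runs in a child process with CPU and memory limits and may hand back only a fixed-layout raw pixel buffer, which the receiving side bounds-checks before accepting. The PGM-only decoder, the limits, and the sample inputs are all constructed for illustration.

```python
import resource
import struct
import subprocess
import sys

MAX_DIM = 4096  # receiver's policy: refuse anything larger, however well-formed
# Untrusted decoder, run only inside the jailed child. Constructed for this
# example: it understands binary PGM (P5, maxval 255) and nothing else.
CHILD = r'''
import re, struct, sys
data = sys.stdin.buffer.read()
m = re.match(rb"P5\s+(\d+)\s+(\d+)\s+255\s", data)
if not m:
    sys.exit(2)  # unrecognised input: refuse rather than guess
w, h = int(m.group(1)), int(m.group(2))
pixels = data[m.end():]
if len(pixels) != w * h:
    sys.exit(3)
sys.stdout.buffer.write(struct.pack("<II", w, h) + pixels)
'''

def _jail():
    # Runs in the child before exec (Unix only): cap CPU seconds and address
    # space so a malformed file cannot spin or balloon the decoder.
    for kind, cap in ((resource.RLIMIT_CPU, 2), (resource.RLIMIT_AS, 512 << 20)):
        _, hard = resource.getrlimit(kind)
        cap = cap if hard == resource.RLIM_INFINITY else min(cap, hard)
        resource.setrlimit(kind, (cap, hard))

def decode_in_jail(untrusted: bytes):
    """Return (width, height, raw_grey_bytes), or None if anything is off."""
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", CHILD], input=untrusted,
                              capture_output=True, timeout=5, preexec_fn=_jail)
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0 or len(proc.stdout) < 8:
        return None
    # Trust nothing from the child either: the raw format has one fixed layout,
    # and the dimensions must agree with the byte count before anyone uses it.
    w, h = struct.unpack("<II", proc.stdout[:8])
    pixels = proc.stdout[8:]
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM) or len(pixels) != w * h:
        return None
    return w, h, pixels

# Constructed sample inputs: a valid 2x2 image and two malformed ones.
GOOD_PGM = b"P5\n2 2\n255\n" + bytes([0, 128, 255, 10])
TRUNCATED_PGM = b"P5\n2 2\n255\n\x00"
NOT_AN_IMAGE = b"GIF89a\x00\x00"
```

The receiver never sees the original file format at all; a decoder failure, a timeout, or a buffer whose dimensions and length disagree all collapse to the same rejection.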

@Peter Yes, that’s what I initially thought they were doing. But looking at the diagram more closely, I guess it doesn’t (as of iOS 14) “diffuse” images, maybe for performance reasons?

Remarkably little was said here (or in the source link) about how messed up it is that NSO is allowed to keep doing what it does. I don't wish to derail the conversation to politics, so that's all I'm going to say about the matter.
