New Zero-Click Exploits against iOS
Citizen Lab has identified three zero-click exploits against iOS 15 and 16. These were used by NSO Group’s Pegasus spyware in 2022, and deployed by Mexico against human rights defenders. These vulnerabilities have all been patched.
One interesting bit is that Apple’s Lockdown Mode (part of iOS 16) seems to have worked to prevent infection.
News article.
EDITED TO ADD (4/21): News article. Good Twitter thread.
TimH • April 20, 2023 9:56 AM
“The first step targets HomeKit, and the second step targets iMessage.”
“the first step targets the iPhone’s Find My feature, and the second step targets iMessage.”
Can Homekit be disabled?
If Find My is disabled, does it still work?
If JS is disabled for Safari (the only place), does it still work?