iPhone Security In The Face Of Zero-Click Exploits


Apu Pavithran is the founder and CEO of Hexnode, an award-winning unified endpoint management platform.

For Apple enthusiasts and business owners alike, the iPhone has been more than a device; it's a symbol of security and reliability. That doesn't imply, however, that the iPhone is a veritable Fort Knox. Vulnerabilities surfacing occasionally are nothing new. However, a recent pair of zero-day vulnerabilities raises considerable concern. In early September 2023, Citizen Lab, a vigilant internet watchdog group, unearthed a zero-click iOS vulnerability that enabled the notorious Pegasus spyware to infiltrate iPhones. This revelation serves as a wake-up call, reminding us that even the seemingly impenetrable can be compromised.

Unraveling The Vulnerability

What's truly unsettling is that even the most up-to-date iPhone with the latest iOS can fall victim to this attack. Unlike traditional attacks that require some form of user interaction, this exploit can compromise an iPhone without any action from the victim.

The first vulnerability, CVE-2023-41064, affects Image I/O, a framework that lets programs read and write different image formats. A buffer overflow issue in Image I/O may be used to build a maliciously crafted image that causes iOS to execute malicious software. For those unfamiliar, a buffer overflow takes place when a program tries to write more data into a buffer than it can hold. This can lead to various issues such as data corruption, program malfunctions or even the execution of harmful code. The second vulnerability, CVE-2023-41061, affects Apple Wallet and can be exploited to trick it into executing malicious code.
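To make the buffer overflow described above concrete, here is an added example (not Apple's code and not the actual CVE-2023-41064 flaw): a decoder for a toy image record, shown once trusting the length field stored in the file and once validating it. The record layout, buffer size and function names are assumptions made up for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PIXBUF_SIZE 64   /* fixed destination buffer (constructed size) */

/* Toy record, constructed for illustration: [len: 4 bytes LE][payload] */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* UNSAFE: trusts the length field inside the file. A declared length
 * larger than PIXBUF_SIZE makes memcpy write past the end of dst. */
int decode_unchecked(const uint8_t *file, size_t file_len, uint8_t *dst) {
    (void)file_len;                      /* never consulted: that is the bug */
    uint32_t len = read_le32(file);
    memcpy(dst, file + 4, len);
    return (int)len;
}

/* Hardened: the file-supplied length is checked against both the input
 * actually received and the destination capacity before any copy.
 * Returns the number of bytes copied, or -1 if the record is rejected. */
int decode_checked(const uint8_t *file, size_t file_len, uint8_t *dst) {
    if (file == NULL || dst == NULL || file_len < 4) return -1; /* short header */
    uint32_t len = read_le32(file);
    if (len > file_len - 4) return -1;   /* claims more data than supplied */
    if (len > PIXBUF_SIZE) return -1;    /* would overflow dst */
    memcpy(dst, file + 4, len);
    return (int)len;
}

/* Constructed samples: a well-formed record and one with an oversized length. */
static const uint8_t GOOD_REC[] = { 3, 0, 0, 0, 0xAA, 0xBB, 0xCC };
static const uint8_t BAD_REC[4 + 200] = { 200, 0, 0, 0 };  /* len 200 > 64 */

int main(void) {
    uint8_t dst[PIXBUF_SIZE];
    int ok  = decode_checked(GOOD_REC, sizeof GOOD_REC, dst);  /* 3  */
    int bad = decode_checked(BAD_REC, sizeof BAD_REC, dst);    /* -1 */
    return (ok == 3 && bad == -1) ? 0 : 1;
}
```

The unchecked variant is included only for comparison and is never called; the checked variant rejects the oversized record instead of copying it.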

Behind both vulnerabilities lies Pegasus, a potent and sophisticated spyware developed by Israel's NSO Group. Pegasus utilizes the zero-click zero-day vulnerability to install itself on iPhones and iPads. Once it has infiltrated a device, its capabilities are staggering: It can siphon off texts, emails, media files, contacts and GPS coordinates. Additionally, it can eavesdrop on calls and surreptitiously activate both the microphone and camera.

Marketed under the guise of crime and terrorism…
