NSO Group Exploits iOS 15 and iOS 16 with Zero-Click Attacks on Civil Society Targets
In 2022, the Citizen Lab discovered a series of zero-click exploit chains developed by the NSO Group, targeting iOS 15 and iOS 16 devices worldwide. The investigation began after detecting infections among members of Mexico’s civil society, including two human rights defenders from Centro PRODH. The findings revealed three distinct zero-click exploit chains: PWNYOURHOME, FINDMYPWN, and LATENTIMAGE.
PWNYOURHOME is a novel two-phase zero-click exploit chain for iOS 15 and iOS 16. The first phase targets HomeKit functionality and the second phase targets iMessage. This exploit succeeds even if the target has never configured a “Home” inside HomeKit. Upon discovering this exploit, forensic artifacts were shared with Apple, leading to security improvements in HomeKit for iOS 16.3.1. Interestingly, devices with iOS 16’s Lockdown Mode enabled received real-time warnings during PWNYOURHOME exploitation attempts, though NSO Group may have since devised a workaround.
FINDMYPWN is another zero-click exploit chain deployed against iOS 15. Like PWNYOURHOME, it appears to be a two-phase exploit, with the first phase targeting the iPhone’s Find My feature and the second phase targeting iMessage. The exploit launches the Pegasus spyware via the mediaserverd process.
LATENTIMAGE is a distinct iOS 15 zero-click exploit discovered in January 2022. This exploit may involve the iPhone’s Find My feature and launches the Pegasus spyware via the springboard process. The LATENTIMAGE exploit leaves minimal traces on the device, making it harder to detect.
Apple’s Lockdown Mode feature highlights attempted PWNYOURHOME attacks by displaying notifications to the user. However, there have been no recent notifications on Lockdown Mode, suggesting that NSO may have found a way to bypass this real-time warning. Furthermore, no exploitation cases have been observed for iOS versions 16.1 and later, indicating that PWNYOURHOME may have been fixed or mitigated.
These findings demonstrate the persistence and sophistication of the NSO Group’s attack capabilities, posing a significant threat to civil society targets globally.