Patch iPhones against Pegasus, CISA warns

Apple issues emergency updates after spyware attack observed using zero-day vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered US federal government agencies to upgrade iPhone and iPad operating systems to fix vulnerabilities that allow zero-click installation of Pegasus spyware.

Apple released updated versions of its operating systems for some affected iPhone, iPad and Apple Watch models on 7th September, with updates covering other models following on Monday.

In all, OS updates have been issued for:

The vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, were discovered by researchers at the University of Toronto's Citizen Lab while investigating a device used by an individual in Washington DC. They found the device had been infected with NSO Pegasus spyware through malicious images sent via iMessage, and dubbed the exploit chain BLASTPASS.

"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the researchers wrote.

The researchers advise anyone who might be a target of the commercial spyware, which has been used by nation state intelligence agencies, to enable Lockdown Mode on their device, which will prevent the attack, according to Apple.

Developed by Israeli company NSO, Pegasus remote access spyware has been used to monitor activists, journalists and government officials. It allows an attacker to control many aspects of the infected device, including the phone, camera, messaging and microphone in order to monitor activity.

CISA says US federal agencies must secure all vulnerable iOS, iPadOS and macOS devices on their networks by 2nd October.