
Apple’s lockdown mode thwarts NSO’s latest iOS exploits


Shortly after its rival QuaDream allegedly shut shop, a report from Citizen Lab has revealed that NSO Group is back in business with at least three new iOS 15 and 16 zero-day exploits, used against at least two Mexican human rights activists and other targets across the world in 2022.

However, at least one of these exploits, dubbed PWNYOURHOME, was blocked by Lockdown Mode, according to the researchers. The feature was introduced in July 2022 as a means to reduce the attack surface of iOS devices. Roughly a year later, this is the first documented case of Lockdown Mode actually blocking a targeted attack. 

The two Mexican human rights activists were recent targets. | Source: Citizen Lab

In recent cases, the researchers point out, the targets' iPhones helped block attacks while also notifying the users that an attacker had been prevented from accessing the phone's Home app. However, it is also possible that at some point NSO's exploit developers might have figured out a way to fix or work around the notification issue, including by fingerprinting Lockdown Mode, something that's quite easy to do. But that's not to say that Lockdown Mode's protection is meaningless.

As for the newly discovered NSO exploits, the first, called LATENTIMAGE, was deployed in January 2022 and exploited Apple's Find My feature. The second, dubbed FINDMYPWN, appeared in June 2022 and targets Find My as well as iMessage. Finally, the third exploit, called PWNYOURHOME, appeared in October 2022 and exploited the HomeKit and iMessage features; it was the one blocked by Apple's Lockdown Mode. Additional forensic artefacts of the third exploit were also found in January 2023.

The three new NSO zero-day exploits. | Source: Citizen Lab

All the vulnerabilities have been reported to Apple, with the HomeKit vulnerability fixed in February 2023 in iOS version 16.3.1. Citizen Lab says that the two human rights activists targeted in the attack investigate human rights violations allegedly carried out by the Mexican military.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
