Shortly after its rival QuaDream allegedly shut down, a report from Citizen Lab has revealed that NSO Group is back in business with at least three new zero-click iOS 15 and iOS 16 zero-day exploit chains, used against at least two Mexican human rights defenders and other targets around the world in 2022.
However, at least one of these exploits, dubbed PWNYOURHOME, was blocked by Lockdown Mode, according to the researchers. The feature was announced in July 2022 and shipped with iOS 16 that September as a way to reduce the attack surface of iOS devices; the report, published less than a year later, is the first documented case of Lockdown Mode actually blocking a targeted attack.
In the cases the researchers describe, the targets' iPhones blocked the attack and also showed the user a notification saying that an attacker had been prevented from accessing the phone's Home app. The researchers also consider it possible that NSO's exploit developers have since found a way to suppress or work around that notification. One obvious step would be fingerprinting Lockdown Mode before firing the exploit, which is straightforward: the mode visibly changes device behaviour (Safari, for example, stops loading web fonts and disables JIT compilation), so a remote page or service can tell whether it is enabled. That does not make Lockdown Mode's protection meaningless; it still raised the cost of the attack and produced a visible artefact that tipped off the victim.
As for the newly discovered NSO exploits, the first, called LATENTIMAGE, was deployed in January 2022 and exploited Apple's Find My feature. The second, dubbed FINDMYPWN, appeared in June 2022 and targeted Find My as well as iMessage. The third, PWNYOURHOME, appeared in October 2022, exploited HomeKit and iMessage, and was the one blocked by Apple's Lockdown Mode. Additional forensic artefacts of the third exploit were also found in January 2023.
All the vulnerabilities have been reported to Apple, and the HomeKit vulnerability was fixed in February 2023 in iOS 16.3.1. For users at risk of this kind of targeting, the practical takeaway is to stay on the latest iOS release and to enable Lockdown Mode, which in this case both blocked an exploit and made the attempt visible. Citizen Lab says the two human rights defenders targeted in the attack investigate human rights violations allegedly carried out by the Mexican military.