NSO Group's Pegasus Spyware Returns

TLDR Version: NSO is still alive and kicking, the vulnerabilities have been patched, and Lockdown mode provided realtime warnings and appears successful in preventing infection.

Long version:

Citizen Lab has found three new zero-click variants of Pegasus targeting iOS. Two were targeting iOS 15 (which did not have Lockdown mode available yet) and one more recently targeting iOS 16. As Apple has made iOS more resistant to iMessage attacks, NSO has now added additional steps including the use of HomeKit as a ‘two-step zero-click’ exploit chain. Interestedly, a HomeKit home did not have to actually be set up by the user to be vulnerable as it used the ability to add other users to a HomeKit app account as the initial vector for attack before crashing iMessage BlastDoor function and then loading the rest of the spyware package via malicious message attachment.

I encourage anyone interested to read the full report available here: Citizen Lab

It is well written, brief, and does not require technical background to understand. Key technical details are being withheld by Citizen Lab as NSO used their previous reports to make Pegasus harder to analyze forensically.

Important key findings were that no phone were found infected past iOS 16.1 and the HomeKit specific vulnerability has been patched in 16.3.1. Additionally, Lockdown mode seems to have passed its first real world stress test, from Citizen Lab:

  • For a brief period, targets that had enabled iOS 16’s Lockdown Mode feature received real-time warnings when PWNYOURHOME exploitation was attempted against their devices. Although NSO Group may have later devised a workaround for this real-time warning, we have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled.

Citizen lab goes further to recommend Lockdown mode for any at risk users with the caveat to always be careful as no single security measure should be viewed as a silver bullet.

Additional important take aways here are that Apple is providing funding and working closely with Citizen Lab to gain up to date intelligence on spyware targeting their devices. They also seem to have found a way in near real time to notify targets as each of the individuals targeted in the fall 2022 attacks received official warnings from Apple about being targets of state sponsored attacks.

It would appear that Tim Cook was really pissed about NSO making a fool of Apple in 2021 when zero-click attacks first came to light and is using their considerable resources to actively fight back to include financial assistance/directly working with NGO’s helping journalists and activists targeted by NSO/similar groups. Say what you will about big corporations, but they do have resources to throw at malicious actors when provoked.

Lastly, what about Android? Previously Citizen Lab has mentioned that forensic analysis is much more difficult on Android as malware can more easily hide its tracks. On iOS the operating system it is much harder for malware to cover its tracks; thus most their info comes from iOS devices. So an updated Pixel might be as safe as an iPhone with Lockdown mode…or as vulnerable as one running iOS 15. We just do not have objective data. What we do know is that Lockdown mode saved the day this time for iPhone users who enabled it.


Lockdown mode FTW! Shameless plug, if you have any Apple devices (iOS/iPadOS/MacOS) and you’re curious how Lockdown mode impacts things, I covered the core impacts here.

For people already invested in privacy & security, I personally think it’s less extreme than people seem to think it is.

I didn’t know that this is something Apple does, but yes, if detected Apple will inform and assist you if you are unfortunate enough to be targeted by state-sponsored attacks.

Also, according to a video that appeared in my YouTube recommendations, it is from a group called Quadream, which was formed by a few NSO Group employees. According to them, they are shutting down because the “entire cyberattack industry it is in a crisis”.
Nevermind, this is for a different attack titled ENDOFDAYS

1 Like