Citizen Lab has identified three new zero-day or yet-unpatched iOS exploits that were used by NSO Group Ltd.’s Pegasus spyware to infect iPhones.

Citizen Lab, a cybersecurity research center affiliated with the University of Toronto, published its findings today. Its researchers have determined that the three newly discovered iOS exploits were used to launch cyberattacks against members of Mexico’s civil society. Citizen Lab gained detailed technical information about the hacking campaign last October.

“We found matches with four Pegasus indicators that we had seen in previous infections between August and December 2021,” Citizen Lab detailed in a blog post. “Further analysis yielded additional indicators.”

Citizen Lab refers to the first of the three exploits it has discovered as Pwnyourhome. It’s designed to target iPhones running iOS 16, the latest version of Apple Inc.’s mobile operating system, as well as iOS 15. Citizen Lab has determined that the exploit was used to launch cyberattacks as early as last October.

Pwnyourhome exploits security flaws in two different iOS components. The first is iMessage while the other is HomeKit, a framework that allows users to configure smart home devices with their iPhones. The exploit leverages the two programs to launch what Citizen Lab describes as a two-step cyberattack. 

In the first phase of the attack, Pwnyourhome makes changes to the target device’s HomeKit settings. It then downloads PNG images via iMessage. The download causes crashes in a key component of BlastDoor, an iOS feature designed to block hackers from distributing malware through iMessage.

According to Citizen Lab, Pwnyourhome carries out cyberattacks using so-called pointers. Those are basic units of data that legitimate applications rely on to carry out processing.

Recent versions of iOS include a mechanism that can detect attempts to misuse pointers. According to Citizen Lab, NSO Group has found a way to circumvent the mechanism. To avoid detection, the Pwnyourhome exploit repurposes existing pointers already stored in an iPhone’s memory for malicious purposes. 

The second exploit is known as Findmypwn. Like Pwnyourhome, it launches two-step cyberattacks using iMessage. But whereas Pwnyourhome relies on HomeKit to power the first phase of cyberattacks, Findmypwn leverages a different iOS feature called Find My.

The Find My capability is designed to help users to locate lost Apple devices. Citizen Lab has determined that fmfd, a software module used to power the capability, closes and then relaunches in the first phase of Findmypwn cyberattacks. The lab also found that iMessage downloads data in the background. 

The third and final exploit called Latentimage. Similarly to Findmypwn, it makes use of the fmfd module that helps power the Find My capability in iOS. However, Citizen Lab determined that Latentimage loads NSO Group’s Pegasus spyware using a different method than Findmypwn.

Citizen Lab shared its findings with Apple last October and this past January. The iPhone maker subsequently updated its Lockdown Mode cybersecurity feature to detect the three exploits. 

“Targets we found in the 2022 target pool reported receiving notifications from Apple in November and December 2022, and March 2023,” Citizen Lab’s researchers detailed. “We highly encourage all at-risk users to enable Lockdown Mode on their Apple devices. While the feature comes with some usability cost, we believe that the cost may be outweighed by the increased cost incurred on attackers.”

Image: NSO Group