iOS Zero-Click Vulnerabilities exploited | Juice-jacking alert by the FBI
CyberInsights #90 - The Citizen Lab reveals the services used by Pegasus to exploit iOS devices with 'zero-click' attacks | The juice-jacking alert was for general information - not a specific threat
This post is delayed by a day. It should have reached you 24 hours earlier. Apologies for that! It’s just one of those days.
NSO Group’s Pegasus used 3 zero-click exploit chains in 2022
‘Zero-Click’ is the security professional’s Achilles’ heel. Here’s what you should read to find out more.
This article by The Citizen Lab reveals three new exploit chains purportedly used by the NSO Group as part of the Pegasus spyware:
LATENTIMAGE - using the FindMy feature
FINDMYPWN - using a chain of FindMy and Messages
PWNYOURHOME - using a chain of Home and Messages
The Citizen Lab does not go into the details of the evidence it found to show that the exploits existed because, it says, the NSO Group tries to cover its tracks after such articles are published.
If you did not manage to go through the whole article, a point of note is that Apple’s ‘Lockdown Mode’ blocks the exploit.
Take Action:
Read this CyberInsights about Apple’s Lockdown Mode:
Lockdown Mode is useful for high-risk individuals.
Juice-jacking in the limelight again
It’s not a very active or practical attack vector.
The FBI made a bold statement - public chargers can put your data at risk.
https://twitter.com/FBIDenver/status/1643947117650538498?s=20
It sent everyone into a flurry. Was there a grave threat to the nation? Did the FBI know of some super-villain who had installed malicious chargers across the country?
Not really. It was just a routine message to educate everyone.
There is a risk of juice-jacking. However, there are no known public incidents of it being exploited. Snopes investigated this and found that it’s not a big deal after all.
Take Action:
Nothing of note here. Maybe include a note about juice-jacking in your awareness mailers…