HomeKit and Find My iPhone are two of the more useful features in Apple’s iOS, helping users control their smart home and locate their device, whether lost or stolen. But NSO Group, an Israeli surveillance dealer that has been slammed by the civil society and the U.S. government for selling to customers with weak human rights records, has found a way to exploit both to infect an iPhone, according to research published on Tuesday.
Apple’s Lockdown Mode was able to detect the HomeKit hack, however, and alert users who had it turned on. Lockdown Mode is an optional feature in iOS that limits the functionality of apps and websites to make an “attack surface” smaller and make spyware like NSO’s Pegasus less likely to work. iOS 15 and 16 updates have also patched the vulnerabilities exploited in both the PWNYOURHOME and FINDMYPWN attacks, Apple said.
Citizen Lab warned that it was possible NSO had managed to find a way around Lockdown Mode protections, though it hadn’t witnessed any such bypass.