OSINT Alert: BlastPass Zero-Click Exploit Targeting Apple Devices
Critical advisory on the BlastPass zero-click exploit chain targeting iPhones and iPads. What security teams need to know and do immediately.
A zero-click, zero-day exploit chain dubbed “BLASTPASS” was detected in the wild in September 2023, targeting Apple devices. No user interaction required. No link to click. No attachment to open. Just a malicious iMessage — and the device is compromised.
This is the kind of threat that continuous cyber intelligence monitoring exists to catch early.
What Is BLASTPASS?
BLASTPASS is an exploit chain that uses malicious images embedded in PassKit attachments, delivered via iMessage. The attacker sends the payload to the victim’s Apple ID. The victim doesn’t need to open it, tap it, or even see it. The exploit executes automatically.
Two CVEs are associated with the chain: CVE-2023-41064 (a buffer overflow in ImageIO) and CVE-2023-41061 (a validation issue in Wallet). Together, they form a zero-click attack path capable of deploying NSO Group’s Pegasus spyware.
Affected Devices
The exploit impacts iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later — essentially any Apple device running iOS 16.6 or earlier.
Why This Matters Beyond the Patch
Apple released iOS 16.6.1 and iPadOS 16.6.1 to address these vulnerabilities. That’s the immediate fix. But the broader lesson is about detection speed.
BLASTPASS was discovered by Citizen Lab during an investigation into a device belonging to an individual employed by a Washington, DC-based civil society organization. The exploit had been active in the wild before the patch existed. That’s the definition of a zero-day — the vendor has zero days of advance notice.
For security teams responsible for executive protection, high-profile individuals, or sensitive government and corporate personnel, the window between exploit discovery and patch deployment is where damage happens.
The Pegasus Connection
NSO Group’s Pegasus spyware is the payload. Once installed, Pegasus can extract text messages, emails, and call records. It can capture live voice calls from encrypted messaging apps. It can silently activate cameras and microphones, turning the device into a real-time surveillance tool.
Pegasus has been documented on the devices of journalists, human rights activists, political dissidents, and business executives. It’s a mercenary tool — available to government clients willing to pay for it.
What Security Teams Should Do
Immediate action: Verify that all organizational devices are updated to iOS 16.6.1 or later. This isn’t optional. This isn’t “when convenient.” This is now.
For high-risk individuals: Enable Lockdown Mode on Apple devices. Lockdown Mode was specifically designed to counter sophisticated exploits like BLASTPASS. It restricts device functionality to reduce the attack surface — disabling certain message attachment types, link previews, and incoming service requests.
Ongoing: Implement continuous cyber threat intelligence monitoring to detect advisories like this within hours, not days. DigitalStakeout’s Exploited CVE Feed and cyber risk classification automatically surface critical vulnerability intelligence and active exploit reports as they emerge from OSINT sources — giving security teams the early warning they need to act before the patch cycle catches up.
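The "immediate action" and "high-risk individuals" steps above amount to a fleet audit: every device below iOS/iPadOS 16.6.1 needs the update, and every high-risk user should have Lockdown Mode on. The script below is an added example (not DigitalStakeout's code, and not part of the original post) that runs that audit over a constructed MDM-style inventory. The inventory records, the device names and the `Device` fields are assumptions for illustration; the 16.6.1 threshold is the one Apple shipped the fix in. It normalises version strings such as "16.6" to three components so that "16.6" correctly compares as older than "16.6.1", which a naive string comparison gets wrong.

```python
"""Fleet audit for BLASTPASS exposure (CVE-2023-41064 / CVE-2023-41061).

Added example: flags devices below iOS/iPadOS 16.6.1 and high-risk users
without Lockdown Mode. The inventory below is constructed sample data,
shaped like an MDM export; it is not real device data.
"""
from dataclasses import dataclass

# iOS/iPadOS 16.6.1 is the release that fixed both CVEs.
PATCHED_VERSION = (16, 6, 1)


@dataclass
class Device:
    name: str            # hypothetical inventory name
    os_version: str      # as reported by MDM, e.g. "16.6", "16.6.1", "16.6.1 (20G81)"
    high_risk: bool      # executive, journalist, official, etc.
    lockdown_mode: bool  # whether Lockdown Mode is enabled


def parse_version(s):
    """Normalise '16.6' -> (16, 6, 0) and '16.6.1 (20G81)' -> (16, 6, 1).

    Padding to three components matters: a plain string comparison would
    rank "16.6" above "16.6.1" and miss a vulnerable device.
    """
    numeric = s.strip().split()[0]          # drop a trailing build identifier
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(os_version):
    """True when the device runs 16.6.1 or later."""
    return parse_version(os_version) >= PATCHED_VERSION


def assess(devices):
    """Return (device name, finding) pairs that need action, in inventory order."""
    findings = []
    for d in devices:
        if not is_patched(d.os_version):
            findings.append((d.name, f"UPDATE REQUIRED: {d.os_version} is below 16.6.1"))
        if d.high_risk and not d.lockdown_mode:
            findings.append((d.name, "ENABLE LOCKDOWN MODE: high-risk user without Lockdown Mode"))
    return findings


# Constructed sample inventory (assumption; not real devices).
INVENTORY = [
    Device("exec-iphone-01", "16.6", True, False),           # vulnerable, no Lockdown Mode
    Device("exec-iphone-02", "16.6.1 (20G81)", True, True),  # patched, Lockdown Mode on
    Device("staff-ipad-07", "16.5.1", False, False),         # vulnerable
    Device("staff-iphone-12", "17.0", False, False),         # later than the fix
]

if __name__ == "__main__":
    for name, finding in assess(INVENTORY):
        print(f"{name}: {finding}")
```

The same `assess` function can be pointed at a real MDM export by mapping its columns onto `Device`; the only field that needs care is the version string, which some exports pad with a build identifier in parentheses, handled here by taking the first whitespace-separated token.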
The Bigger Picture
Zero-click exploits are not new. They’re not going away. And they disproportionately target exactly the people security teams are hired to protect — executives, public officials, journalists, and high-net-worth individuals.
The defense isn’t just patching. It’s speed of awareness. The teams that learn about BLASTPASS on day one have a fundamentally different risk posture than the teams that learn about it in next week’s vulnerability report.
DigitalStakeout monitors for active cyber exploits and zero-day intelligence. See the platform or get a demo.
David, Chief Intelligence Analyst, DigitalStakeout
Over 25 years of experience spanning law enforcement, military service, intelligence operations, and security leadership. Fulfills intelligence contracts across government and private sector clients, leads platform onboarding and training, and assists organizations with sensitive information-gathering efforts.