Galina Timchenko, an award-winning Russian investigative journalist and co-founder of the independent news outlet Medusa, was infected with Pegasus spyware via a zero-click exploit called “Pwn Your Home” — requiring no action whatsoever from the target — giving the attacker complete access to her device including corporate passwords, staff identities, and the names of sources living inside Russia.
Stories Covered
Pegasus Zero-Click Exploit Targets Exiled Russian Journalist: How Pwn Your Home Works
Galina Timchenko, co-founder and chief executive of Medusa — a Russian-language investigative journalism outlet operating in exile from Riga, Latvia — received an Apple threat notification on June 22nd alerting her that her iPhone was likely targeted by a state-sponsored attack. Apple introduced these threat notifications specifically to warn high-risk individuals — journalists, dissidents, human rights workers — that their devices may be individually targeted. Timchenko reached out to Citizen Lab at the University of Toronto and Access Now, a human rights nonprofit with digital security expertise. Their forensic investigation confirmed that her device had been compromised using Pegasus spyware, delivered via a zero-click exploit named Pwn Your Home. The exploit chains together vulnerabilities in two iOS components: Apple’s HomeKit smart home functionality and the iMessage messaging process. The attack requires no interaction from the victim — no link to click, no file to open, nothing to trigger. A specially crafted payload delivered over iMessage breaches the device sandbox and installs Pegasus without the target ever knowing the attack occurred. Citizen Lab had previously attributed Pwn Your Home, along with two related zero-click exploit chains (Find My Pwn and Latent Image), to NSO Group clients who used them against target iPhones in 2022.
Once installed, Pegasus functions as a comprehensive remote access tool: it can access everything on the device that its operator wants. Medusa reported that the compromise on Timchenko’s phone likely exposed corporate passwords, internal correspondence, names of Medusa staff, bank account details, and — most critically — the identities of sources and collaborators living inside Russia. For a news organization with sources in an authoritarian country, that last category represents a potential physical threat to the people involved. Zero-click exploits in this category are not cheap or accessible: effective, unpatched zero-click vulnerabilities for iOS trade for millions of dollars on private markets. The NSO Group sells Pegasus to government agencies under contracts that restrict its use to law enforcement purposes, but a 2021 leak of an NSO client target database containing more than 50,000 phone numbers included 180 journalists across countries including India, Hungary, and Mexico, as well as human rights activists, lawyers, union leaders, and politicians. The tool designed for catching criminals has a documented pattern of being used against people exercising speech and press freedoms.
In the same reporting period, Citizen Lab also disclosed BlastPass — a separate chain of two iOS 16.6 zero-click vulnerabilities that were being actively exploited to deliver Pegasus without any user interaction. Apple patched BlastPass and urged immediate device updates. The consistent message from every Pegasus disclosure is the same: the most effective mitigation is keeping iOS fully updated, because zero-click exploits by definition require an unpatched vulnerability to function. Once patched, the specific exploit chain is closed — attackers must find or purchase a new one. The Lockdown Mode feature Apple introduced in iOS 16 provides additional hardening specifically designed for high-risk individuals; Citizen Lab has found it effective at blocking known Pegasus delivery chains. For journalists, activists, and others in professions that attract state-sponsored surveillance interest, Lockdown Mode combined with current iOS updates represents the most accessible defense against this category of attack.
Leave a Reply