A new zero-day, zero-click exploit called ‘FORCEDENTRY’ has been discovered in Apple’s iMessage service, allegedly used by Israel’s NSO Group to install Pegasus spyware on devices including the iPhone, iPad, MacBook and Apple Watch. The exploit was discovered by researchers at Toronto-based Citizen Lab, who have been investigating the extent to which Pegasus is being used to spy on civilians, politicians, judges, activists and others.
Citizen Lab has advised everyone to update the operating systems on their Apple devices, since the exploit can affect their phones, tablets, laptops and watches until the update Apple rolled out on Monday is installed.
A zero-click exploit is an attack that needs no action from the victim, such as opening a link or an attachment. A zero-day is an exploit that relies on a bug in a piece of software that its developer is not yet aware of, and so has not patched. FORCEDENTRY was both.
Exploits of the same kind were earlier used to install Pegasus via WhatsApp and iMessage.
Zero-click attacks were a quantum leap in the world of cyber warfare. Before them, spyware such as Pegasus was delivered through attack vectors such as malicious links in an e-mail or SMS, crafted to trick the recipient into tapping them.
In a series of tweets, Citizen Lab researcher John Scott-Railton wrote: “Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected w/#Pegasus spyware. Bill did a backup at the time. A recent re-analysis yielded something interesting: weird looking ‘.gif’ files.
“Thing is, the ‘.gif’ files… were actually Adobe PSD & PDF files… and exploited Apple’s image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile #Pegasus is silently installed & their device becomes a spy in their pocket,” he added.
Marczak also wrote: “We believe that the FORCEDENTRY exploit has been in use by NSO Group since at least February 2021. According to Apple’s analysis, the exploit works against all iOS, MacOS, and WatchOS versions prior to those released September 13, 2021 (today).”
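The tell-tale sign in the Citizen Lab thread above was a file whose extension (.gif) did not match its content (PDF or PSD). The following is an added example, not code from Citizen Lab or Apple, of the kind of check an analyst can run over an attachments directory from a device backup: read the leading bytes of each file and compare the format they imply with the extension the file claims. The signature table and the sample files are constructed for this example; the magic bytes themselves (GIF87a/GIF89a, %PDF-, 8BPS) are the standard ones for those formats.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Leading-byte signatures for the formats named in the Citizen Lab thread.
# The table is this example's own; the byte values are the standard magics.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "psd": (b"8BPS",),
}


def sniff_type(head: bytes) -> Optional[str]:
    """Return the format implied by the first bytes of a file, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return fmt
    return None


def find_mismatches(directory) -> list:
    """Return (filename, claimed_extension, actual_format) for every file whose
    extension does not match the format its content announces."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)          # 16 bytes is enough for every signature above
        actual = sniff_type(head)
        claimed = path.suffix.lower().lstrip(".")
        if actual is not None and actual != claimed:
            findings.append((path.name, claimed, actual))
    return findings


def build_sample_dir() -> str:
    """Create a directory of constructed sample attachments (not real captures)."""
    d = tempfile.mkdtemp(prefix="attachments_")
    samples = {
        "photo.gif": b"GIF89a" + bytes(32),         # genuine GIF header
        "IMG_0001.gif": b"%PDF-1.7\n" + bytes(32),  # PDF masquerading as a GIF
        "sticker.gif": b"8BPS\x00\x01" + bytes(32), # PSD masquerading as a GIF
        "report.pdf": b"%PDF-1.4\n" + bytes(32),    # extension matches content
        "notes.txt": b"plain text",                 # unknown format, not flagged
    }
    for name, content in samples.items():
        Path(d, name).write_bytes(content)
    return d


if __name__ == "__main__":
    for name, claimed, actual in find_mismatches(build_sample_dir()):
        print(f"{name}: claims .{claimed} but content is {actual.upper()}")
```

A mismatch is not proof of an exploit, since many apps rename files, but it is exactly the anomaly that led to the discovery here, and it is cheap to check across a whole backup.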
Scott-Railton continued: “NSO Group says that their spyware is only for targeting criminals & terrorists. But here we are… again: their exploits got discovered by us because they were used against an activist. Thesis: discovery is inevitable byproduct of selling spyware to reckless despots.”
— John Scott-Railton (@jsrailton) September 13, 2021
After discovering the exploit, Citizen Lab reported it to Apple last week, following which the iPhone maker rolled out software updates to address the issue.
“Popular chat apps are the soft underbelly of device security. They are on every device, & some have a needlessly large attack surface. Their security needs to be a *top* priority,” Scott-Railton wrote.
Cyber-security experts recommend that users always keep their devices up to date with the OS and app updates rolled out by developers. A zero-day exploit, by definition, works until the vendor ships a fix, so the spyware industry may at times stay a step ahead, but installing updates promptly closes that window and protects against most other types of attack.
In the case of the latest exploit, all iPhones and iPads running versions prior to iOS 14.8 and iPadOS 14.8, all Macs running versions prior to macOS Big Sur 11.6 (or Catalina without Security Update 2021-005), and all Apple Watches prior to watchOS 7.6.2 are affected, and users need to update to the newest software rolled out by Apple.
Pegasus is a spyware developed by Israeli company NSO Group. The company claims it sells the software only to governments and government agencies, and is marketed as “a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract” data “from virtually any mobile devices”.
Once infected, a phone becomes a digital spy under the attacker’s complete control, which can extract data such as passwords, contact lists, calendar events, text messages and live voice calls (even those made via end-to-end-encrypted messaging apps, since the spyware reads them on the device after decryption). It also gives the attacker control of the phone’s camera and microphone, and can enable GPS to track the target.
In July, Indian news portal The Wire reported that a leaked global database of 50,000 telephone numbers believed to have been listed by multiple government clients of NSO Group includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others.