Tuesday, Feb 07, 2023

Explained: What is the Pegasus exploit targeting Apple devices?

A new exploit called 'FORCEDENTRY' has been discovered in Apple's iMessage service. How does it infect devices, and what should you do to protect yours?

A 3D printed Apple logo is seen in front of a displayed cyber code in this illustration. (Reuters: Dado Ruvic)

A new zero-day, zero-click exploit called ‘FORCEDENTRY’ has been discovered in Apple’s iMessage service, allegedly used by Israel’s NSO Group to install Pegasus spyware on devices including the iPhone, iPad, MacBook and Apple Watch. The exploit was discovered by researchers at Toronto-based Citizen Lab, who have been investigating the extent to which Pegasus is being used to spy on civilians, politicians, judges, activists and others.

Citizen Lab has advised everyone to update the operating systems on their Apple devices, as the exploit can affect their phones, tablets, watches and laptops until the update Apple rolled out on Monday is installed.

What are zero-day, zero-click hacks?

The two terms describe different things, and FORCEDENTRY was both. A zero-click hack is one that needs no action from the victim: no link to tap, no attachment to open, nothing visible on the screen. A zero-day exploit is one that uses a bug in a piece of software whose existence the developer is not yet aware of, so no patch exists when the attack is first used.

Exploits of the same kind were earlier used to deliver Pegasus via WhatsApp and iMessage.

Zero-click attacks were a step change in the world of cyber warfare. Before them, spyware such as Pegasus was deployed through attack vectors such as malicious links in an e-mail or an SMS, crafted to trick the recipient into tapping them.

How did Citizen Lab discover the exploit?

In a series of tweets, Citizen Lab researcher John Scott-Railton wrote: “Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected w/#Pegasus spyware. Bill did a backup at the time. A recent re-analysis yielded something interesting: weird looking ‘.gif’ files.

“Thing is, the ‘.gif’ files… were actually Adobe PSD & PDF files… and exploited Apple’s image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile #Pegasus is silently installed & their device becomes a spy in their pocket,” he added.


Marczak also wrote: “We believe that the FORCEDENTRY exploit has been in use by NSO Group since at least February 2021. According to Apple’s analysis, the exploit works against all iOS, MacOS, and WatchOS versions prior to those released September 13, 2021 (today).”
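The triage step Scott-Railton describes above, files whose ‘.gif’ extension did not match their contents, can be reproduced with a plain magic-byte check. The example below is added here and is not Citizen Lab’s, Apple’s or NSO Group’s code; the sample attachments are constructed for illustration (a real GIF header, a PDF and a PSD renamed to .gif, and an honest JPEG), not exploit files. The format signatures are the standard ones for each file type.

```python
"""Magic-byte triage for files whose extension claims one format but whose
contents are another, as in the '.gif' files that turned out to be PDF and
PSD data. Added example; not Citizen Lab's or Apple's code. The sample
files below are constructed inline for illustration."""
import os
from typing import Dict, List, Tuple

# Well-known format signatures at offset 0.
SIGNATURES = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"8BPS", "psd"),                  # Adobe Photoshop document
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
)

# Which detected types are acceptable for a given claimed extension.
EXPECTED = {
    ".gif": {"gif"},
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".pdf": {"pdf"},
    ".psd": {"psd"},
}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def find_mismatches(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (filename, claimed extension, detected type) for every file
    whose contents do not match what its extension claims. Files with an
    extension we have no expectation for are skipped; a known extension
    over unrecognised contents is reported as 'unknown'."""
    hits = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXPECTED:
            continue
        actual = sniff_type(data)
        if actual not in EXPECTED[ext]:
            hits.append((name, ext, actual))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Apply find_mismatches to every file under root, reading only the
    first 16 bytes of each (enough for all signatures above)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(16)
    return find_mismatches(files)


# Constructed sample attachments (not real exploit files): a genuine 1x1 GIF,
# a PDF and a PSD each renamed to .gif, and a JPEG that is what it claims.
SAMPLE_FILES = {
    "IMG_0001.gif": (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                     b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00"
                     b"\x01\x00\x00\x02\x02D\x01\x00;"),
    "IMG_0002.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "IMG_0003.gif": b"8BPS\x00\x01" + b"\x00" * 22,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for name, ext, actual in find_mismatches(SAMPLE_FILES):
        print(f"{name}: claims {ext} but contents look like {actual}")
```

Point `scan_directory` at an extracted backup’s attachment folder to run the same check over real files. A mismatch is not proof of an exploit, but a renamed PDF or PSD arriving as an iMessage image is exactly the kind of anomaly worth a closer look.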

How to protect your devices against Pegasus spyware

Upon discovering the exploit, Citizen Lab reported the vulnerability to Apple last week, following which the iPhone maker rolled out software updates to address the issue.

“Popular chat apps are the soft underbelly of device security. They are on every device, & some have a needlessly large attack surface. Their security needs to be a *top* priority,” Scott-Railton wrote.

Cyber-security experts recommend that users always keep their devices up to date with the OS and app updates released by developers. Against a zero-day exploit the attacker is, by definition, ahead of the patch, but installing updates promptly closes the window as soon as a fix ships and protects against most other types of attack.


In the case of the latest exploit, all iPhones and iPads running versions prior to iOS 14.8 and iPadOS 14.8, all Macs running versions prior to macOS Big Sur 11.6 (or Catalina without Security Update 2021-005), and all Apple Watches running versions prior to watchOS 7.6.2 are affected, and users should update to the newest software rolled out by Apple.
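For anyone responsible for more than one device, the version list above is easiest to apply as a script over a device inventory. The example below is added here and is not Apple’s or Citizen Lab’s tooling; the inventory rows are constructed, and the minimum versions are the ones named in this article. It compares versions numerically rather than as strings, and flags Catalina separately because that fix arrived as a security update without a version-number change.

```python
"""Check Apple OS versions from a device inventory against the minimum
releases carrying the FORCEDENTRY fix listed in the article. Added example;
not Apple's or Citizen Lab's tooling. The inventory rows are constructed."""
from typing import Dict, List, Tuple

# Minimum patched release per platform, from the article's list.
MIN_PATCHED: Dict[str, Tuple[int, ...]] = {
    "ios": (14, 8),
    "ipados": (14, 8),
    "macos": (11, 6),        # Big Sur 11.6
    "watchos": (7, 6, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'14.7.1' -> (14, 7, 1). Numeric comparison matters: as strings,
    '14.10' would sort before '14.8' and be wrongly flagged."""
    return tuple(int(p) for p in text.strip().split("."))


def needs_update(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'check-manually'.

    macOS 10.15 (Catalina) received the fix as Security Update 2021-005
    without a version bump, so its version number alone cannot answer
    the question; those machines need a look at installed updates."""
    plat = platform.lower()
    v = parse_version(version)
    if plat == "macos" and v[:2] == (10, 15):
        return "check-manually"
    if plat not in MIN_PATCHED:
        raise ValueError(f"unknown platform {platform!r}")
    minimum = MIN_PATCHED[plat]
    # Pad so that (14, 8) and (14, 8, 0) compare as equal.
    width = max(len(v), len(minimum))
    v_padded = v + (0,) * (width - len(v))
    min_padded = minimum + (0,) * (width - len(minimum))
    return "patched" if v_padded >= min_padded else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group device names by status, preserving inventory order."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "check-manually": []}
    for name, platform, version in inventory:
        out[needs_update(platform, version)].append(name)
    return out


# Constructed inventory rows: (device name, platform, reported version).
INVENTORY = [
    ("alice-iphone", "iOS", "14.7.1"),
    ("bob-iphone", "iOS", "14.8"),
    ("carol-ipad", "iPadOS", "15.0"),
    ("dave-mac", "macOS", "11.5.2"),
    ("erin-mac", "macOS", "10.15.7"),
    ("frank-watch", "watchOS", "7.6.1"),
]

if __name__ == "__main__":
    for status, names in triage(INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The inventory would normally come from an MDM export; the shape of each row is the only assumption. Devices reported as ‘check-manually’ should be confirmed against the installed-updates list rather than assumed safe.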


What is Pegasus, and why is it crucial?

Pegasus is spyware developed by the Israeli company NSO Group. The company claims it sells the software only to governments and government agencies, and markets it as “a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract” data “from virtually any mobile devices”.

Once infected, a phone becomes a digital spy under the attacker’s complete control, extracting data such as passwords, contact lists, calendar events, text messages and live voice calls (including those made via end-to-end encrypted messaging apps, since the spyware reads them on the device itself, after decryption). It also gives the attacker control of the phone’s camera and microphone, and enables GPS to track the target’s location.

In July, Indian news portal The Wire reported that a leaked global database of 50,000 telephone numbers believed to have been listed by multiple government clients of NSO Group includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others.


First published on: 14-09-2021 at 11:21 IST