Apple Zero Click iMessage Exploit

By William Beard, Jr on September 17, 2021

Executive Summary

Citizen Lab, a research group at the University of Toronto, recently discovered a zero-click exploit that works against iOS, iPadOS, macOS and watchOS.  The exploit, which Citizen Lab named FORCEDENTRY, was used to install Pegasus, the spyware sold by NSO Group (named for its founders Niv, Shalev and Omri), on a Saudi activist’s iPhone without any action by the user.  Citizen Lab disclosed its findings to Apple, which tracks the underlying vulnerability as CVE-2021-30860.  On September 13th Apple released updates for all affected devices and urged users to install them immediately.

Background

NSO Group Technologies is an Israeli company best known for Pegasus, its zero-click spyware for smartphone surveillance.  In this case Pegasus was delivered through the FORCEDENTRY exploit (CVE-2021-30860) with no interaction from the user.  Once a device is infected, the operator can read the user’s messages, emails and photos, record calls, activate the microphone and camera, and read content from encrypted messaging apps such as Signal and WhatsApp, because the spyware reads the messages on the device after they have been decrypted.  On the Saudi activist’s phone, Citizen Lab found the exploit files among the iMessage attachments in the Library/SMS/Attachments folder: they carried a .gif extension but were actually Adobe PSD and PDF files.  Apple has since confirmed the zero-day and describes it as “processing a maliciously crafted PDF may lead to arbitrary code execution” [1].  “The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics)” [1], according to Citizen Lab.  Citizen Lab attributed the attack to NSO Group in part because of the incomplete way Pegasus deletes its traces from the phone’s DataUsage.sqlite database, a pattern seen in earlier Pegasus infections.  Pegasus was also used against Al Jazeera journalists in July 2020.  The exploit used in that attack is believed to have been blocked by the BlastDoor sandbox Apple introduced in iOS 14, and Citizen Lab believes FORCEDENTRY was developed to get around that fix.
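The two artifacts described above, attachments whose name does not match their content and the incomplete DataUsage.sqlite clean-up, lend themselves to simple automated checks.  The following Python is an added example written for this article, not code from Citizen Lab or from any of the sources cited here.  It flags attachment files whose extension disagrees with their leading magic bytes (a “.gif” that really starts with %PDF- or 8BPS) and lists rows in a DataUsage.sqlite database whose parent process record has been deleted.  The ZPROCESS / ZLIVEUSAGE / ZHASPROCESS names, the sample files and the sample rows are assumptions constructed for the example; confirm them against the schema of the database you are actually examining before relying on the query.

```python
"""
Two FORCEDENTRY-style forensic checks (added example, not Citizen Lab's code):

1. iMessage attachments whose extension lies about their content.
2. DataUsage.sqlite usage rows whose process record was deleted (orphans).

Table/column names ZPROCESS, ZLIVEUSAGE and ZHASPROCESS are assumptions
made for this example; verify them against the real database schema.
"""
import os
import sqlite3
import tempfile
from typing import List, Optional, Tuple

# Leading bytes of the formats that matter for this case.
MAGIC = {
    b"%PDF-": "pdf",
    b"8BPS": "psd",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_type(header: bytes) -> str:
    """Identify a file from its first bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(name: str, header: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed, actual) when the extension disagrees with the content."""
    claimed = os.path.splitext(name)[1].lower().lstrip(".")
    actual = sniff_type(header)
    if actual == "unknown" or actual == claimed:
        return None
    return claimed, actual


def scan_attachments(root: str) -> List[Tuple[str, str, str]]:
    """Walk an attachments directory; list (path, claimed, actual) mismatches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                header = fh.read(8)
            mismatch = extension_mismatch(fname, header)
            if mismatch:
                hits.append((path, mismatch[0], mismatch[1]))
    return hits


# Usage rows that point at a ZPROCESS primary key that no longer exists.
ORPHAN_QUERY = """
SELECT u.Z_PK, u.ZHASPROCESS
FROM ZLIVEUSAGE AS u
LEFT JOIN ZPROCESS AS p ON p.Z_PK = u.ZHASPROCESS
WHERE p.Z_PK IS NULL
"""


def find_orphaned_usage(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Return (usage_row_id, missing_process_id) pairs from DataUsage.sqlite."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def build_sample_attachments() -> str:
    """Constructed sample: three '.gif' attachments, only one of which is a GIF."""
    root = tempfile.mkdtemp(prefix="sms_attachments_")
    samples = {
        "IMG_0001.gif": b"GIF89a" + b"\x00" * 26,             # genuine GIF
        "IMG_0002.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",     # PDF named .gif
        "IMG_0003.gif": b"8BPS\x00\x01" + b"\x00" * 10,       # PSD named .gif
    }
    for fname, body in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(body)
    return root


def build_sample_db() -> sqlite3.Connection:
    """Constructed DataUsage.sqlite stand-in with one orphaned usage row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                                 ZWIFIIN INTEGER);
        INSERT INTO ZPROCESS VALUES (1, 'com.apple.Maps'), (2, 'com.apple.mobilesafari');
        -- Row 12 references process 7, whose ZPROCESS record has been deleted.
        INSERT INTO ZLIVEUSAGE VALUES (10, 1, 1024), (11, 2, 2048), (12, 7, 4096);
    """)
    return conn


if __name__ == "__main__":
    for path, claimed, actual in scan_attachments(build_sample_attachments()):
        print(f"{path}: named .{claimed} but content is {actual}")
    for usage_id, proc_id in find_orphaned_usage(build_sample_db()):
        print(f"ZLIVEUSAGE row {usage_id} references missing ZPROCESS {proc_id}")
```

Run as a script it scans a constructed temporary directory and an in-memory database; to use it on a device backup, point scan_attachments at the extracted Library/SMS/Attachments tree and open the real DataUsage.sqlite with sqlite3.connect.  A name/content mismatch or an orphaned row is a lead, not proof of infection: the checks narrow the candidate files and records for manual analysis.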

Impact

So far these attacks have not been widespread: the known victims are a small number of journalists and activists who were specifically targeted.  Because the attacks are targeted rather than indiscriminate, the aggregate damage has been limited; for a targeted user, however, the result is complete loss of control over the device and everything stored on it.

Mitigation

Apple has released security updates for iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, a security update for macOS Catalina, watchOS 7.6.2 and Safari 14.1.2 (the Safari update addresses the separate WebKit vulnerability CVE-2021-30858 fixed in the same release).  Users can follow the instructions at the link below [6] to update each of their devices; after updating, confirm in Settings > General > About (or About This Mac on macOS) that the installed version is at or above the version listed here.

  • https://www.staradvertiser.com/2021/09/14/breaking-news/how-to-update-apple-devices-to-correct-security-flaw/

Relevance

With over a billion active Apple devices worldwide, including those used by most government agencies and large businesses, the amount of information exposed to a successful attacker is enormous.  Additionally, the attack requires no interaction from the user and is delivered remotely, so a target cannot avoid it through careful behavior.  NSO Group disputes these allegations and states that “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.” [7].  Unfortunately, the targeting of an activist and of journalists suggests that some government and law enforcement customers do not confine the tool to those purposes.

References

[1] https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30858

[4] https://us-cert.cisa.gov/ncas/current-activity/2021/09/13/apple-releases-security-updates-address-cve-2021-30858-and-cve

[5] https://docs.google.com/document/d/1eK-UrzBNHCaFiHuK6RjbeGDJOVTFy5pztmQ0d2bqT2Y/edit

[6] https://www.staradvertiser.com/2021/09/14/breaking-news/how-to-update-apple-devices-to-correct-security-flaw/

[7] https://www.theregister.com/2019/10/29/whatsapp_sue_nso_group/