Apple has released security updates to its devices after researchers discovered a so-called “zero-click” exploit affecting its iMessage messaging service.
The previously unknown vulnerability affects all current Apple devices, including iPhone, iPad, Apple Watch and Mac computers, the researchers said, adding that Apple users should update their devices “immediately”.
The exploit, dubbed “FORCEDENTRY” by University of Toronto Citizen Lab researchers, uses iMessage image rendering to bypass the built-in security systems of recent Apple operating systems.
The vulnerability was discovered by researchers who analyzed a Saudi activist’s phone that was targeted by Pegasus spyware sold to governments by Israeli defense firm NSO Group.
Apple’s iOS and iPadOS 14.8 updates and a macOS update released on Monday fix the FORCEDENTRY bug, which may have been in use since February, the researchers say.
In July, a leaked database showed that NSO’s Pegasus spyware could be used to spy on tens of thousands of journalists, activists and politicians, including French President Emmanuel Macron.
Once installed, Pegasus allows NSO clients to control the device, activate the camera and microphone, view geolocation data, and read message content.
On Monday, Apple said it released security updates to address an issue where a “maliciously crafted PDF” could cause a device to execute code without the user’s knowledge.
“After identifying the vulnerability exploited by this iMessage exploit, Apple quickly developed and implemented a fix in iOS 14.8 to protect our users,” said Ivan Krstic, head of Apple Security Engineering and Architecture. “Attacks like these are very sophisticated, cost millions of dollars to develop, often have a short duration, and are used to attack specific people.”
“While this means that they do not pose a threat to the vast majority of our users, we continue to work tirelessly to protect all of our customers, and we are constantly adding new protections for their devices and data,” he added.
Distinctive features of Pegasus spyware
Citizen Lab said the exploit was used to surreptitiously install Pegasus on a Saudi activist’s phone, adding that there was “high confidence” that the attack came from the NSO Group.
Citizen Lab said many details of the malware installed using FORCEDENTRY echoed previous NSO attacks, including some that were never publicly reported.
The researchers found that one process in the hack code was named “setframed,” the same name seen when Pegasus infected a device used by an Al Jazeera journalist in 2020.
“Device security is increasingly being compromised by malicious actors,” said Citizen Lab researcher Bill Marczak.
An Apple spokesman declined to comment to Reuters on the information that the hacking tool belongs to the NSO Group.
NSO has neither confirmed nor denied that it is behind the technology, saying only that it “will continue to provide intelligence and law enforcement agencies around the world with vital technology to fight terrorism and crime.”
“Soft underbelly”
Citizen Lab said it found malware on the phone of an unnamed Saudi Arabian activist and that the phone was infected with spyware in February. It is not known how many other users may have been infected.
The intended targets did not need to press anything for the attack to work. The researchers said they do not believe there would be any visible indication that a hack had occurred.
The vulnerability lies in how iMessage automatically displays images. iMessage has been repeatedly attacked by the NSO and other cyberweapons dealers, prompting Apple to update its architecture. But this update did not completely protect the system.
“Popular chat apps risk becoming a weak link in device security. Protecting them should be a top priority,” said Citizen Lab researcher John Scott-Railton.
The US government’s Cybersecurity and Infrastructure Security Agency on Monday issued a security alert advising users to install Apple’s security updates.