FORCEDENTRY: iMessage Zero-Click Exploit in Check
An analysis of a Saudi Arabian activist's smartphone revealed that NSO Group used a zero-click exploit against iMessage.

ForcedEntry iMessage Zero-Click Exploit With Pegasus Spyware
The Pegasus surveillance software has once again come under fire. An analysis of a Saudi Arabian activist's smartphone revealed that NSO Group exploited a zero-click vulnerability in iMessage. This zero-click exploit, known as ForcedEntry, affects all Apple devices running iOS, macOS, and watchOS. Apple has since released patched versions of these operating systems, but until then the iMessage app was susceptible to the zero-click exploit. The attack targets the built-in image rendering library and requires no action whatsoever from the user.
Apple and Android Users Are Affected -- Keep Endpoints Up to Date
The zero-click exploit by NSO Group, a mercenary spyware company, primarily targets the latest Apple devices but is also a significant concern for Android users. The surveillance software enables attackers to extract vast amounts of sensitive data and exploit it without authorization. Security researchers suspect that the ForcedEntry vulnerability has been used for the zero-click exploit since as early as February 2021. To close the vulnerability and minimize the risk, install the latest update on your Apple devices if you have not already done so.
Do .psd Files Attack the IMTranscoderAgent?
Analysis of the activist's backup revealed several files with a .gif extension in the device's library, SMS messages, and attachments. These files were used directly in the zero-click exploit and, until recently, remained usable by the attackers. However, they are not actually images but Adobe PSD files, specifically designed to crash the IMTranscoderAgent on the device. All of them shared a common trait: their filenames appeared to consist of ten random characters. Some also contained an encoded JBIG2 stream and had exceptionally long filenames. If you discover such files on your smartphone, exercise caution.
Although researchers are not entirely certain yet, it is suspected that these files trigger a crash that leads into, or themselves contain, the ForcedEntry exploit chain. On September 7, Apple was notified of the vulnerability. On September 13, Apple confirmed the suspicions of Citizen Lab researchers. Since then, significant effort has gone into resolving the ForcedEntry exploit, cataloged as CVE-2021-30860. In essence, it is a malicious PDF crafted so that processing it executes arbitrary code. The exploit leverages an integer overflow vulnerability in Apple's CoreGraphics image rendering library.
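The indicators described above (a .gif extension hiding a PSD or PDF, a JBIG2 stream inside the PDF, ten-character random-looking or exceptionally long filenames) can be turned into a simple triage check over an extracted attachments folder. This is an added example, not code from the article or from Citizen Lab; the ten-alphanumeric pattern, the 64-character length threshold and the sample attachments are assumptions constructed for illustration.

```python
import re
from pathlib import Path
# Signatures of the formats the article names: .gif-named files that were really PSD or PDF.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PSD_MAGIC = b"8BPS"
PDF_MAGIC = b"%PDF"
JBIG2_FILTER = b"/JBIG2Decode"  # filter name a PDF uses for JBIG2-encoded streams
# Assumed thresholds (the article gives no exact rule): ten alphanumerics before .gif; > 64 chars is "long".
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{10}\.gif$", re.IGNORECASE)
LONG_NAME_THRESHOLD = 64

def real_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its extension."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PSD_MAGIC):
        return "psd"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"

def check_attachment(name: str, data: bytes) -> dict:
    """Apply the indicators described in the article to one attachment."""
    kind = real_type(data)
    reasons = []
    if name.lower().endswith(".gif") and kind != "gif":
        reasons.append(f"extension .gif but content is {kind}")
    if kind == "pdf" and JBIG2_FILTER in data:
        reasons.append("PDF carries a JBIG2-encoded stream")
    if RANDOM_STEM_RE.match(name):
        reasons.append("ten-character random-looking filename")
    if len(name) > LONG_NAME_THRESHOLD:
        reasons.append("exceptionally long filename")
    return {"name": name, "real_type": kind, "reasons": reasons}

def scan(items) -> list:
    """items: iterable of (filename, bytes); returns only the suspicious ones."""
    return [r for r in (check_attachment(n, d) for n, d in items) if r["reasons"]]

def scan_directory(path: str) -> list:
    """Scan every .gif in a folder, e.g. an extracted SMS/Attachments directory."""
    return scan((p.name, p.read_bytes()) for p in sorted(Path(path).glob("*.gif")))

# Constructed sample attachments (not real ForcedEntry artifacts).
SAMPLE = [
    ("holiday.gif", b"GIF89a\x01\x00\x01\x00"),                            # genuine GIF
    ("Ab3dE9fG1h.gif", b"8BPS\x00\x01" + b"\x00" * 8),                     # PSD in disguise
    ("k" * 80 + ".gif", b"%PDF-1.7\n1 0 obj << /Filter /JBIG2Decode >>"),  # PDF with JBIG2
]
```

A hit on the extension/content mismatch alone is the strongest of these signals; the filename checks are weak on their own and serve only to rank findings for manual review.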
Apple Closes the Vulnerability
As an iPhone user, you were previously a potential target for the zero-click attack carried out through the Pegasus surveillance software. Apple has since patched the security flaw, ensuring it can no longer be exploited for a zero-click attack on the operating system. This means the software can no longer be used to compromise your device and exfiltrate your data without your knowledge.
The critical vulnerability was reported to Apple by researchers at the University of Toronto's Citizen Lab. Dubbed ForcedEntry, it had been exploited by the surveillance software since at least February 2021. It was first identified during the forensic analysis of a smartphone belonging to a Saudi Arabian activist.
Crafted PDF Files Triggered an Integer Overflow
The zero-click exploit apparently relied on specially crafted PDF files sent to the affected devices. These files carried a .gif extension despite being standard PDF files. Once iMessage received them, they were processed by CoreGraphics, Apple's image rendering library. The result was an integer overflow that enabled the execution of malicious code. This vulnerability, which had gone undetected in API penetration testing, allowed NSO to install the Pegasus software on the compromised devices, enabling extensive surveillance of the smartphone owners.
To eliminate this zero-click exploit, Apple closed the ForcedEntry vulnerability. Additionally, a flaw in the WebKit rendering engine that could also be exploited for malicious code injection was patched. Apple released the necessary software updates for all devices: iPhones (iOS 14.8), iPads (iPadOS 14.8), Macs (macOS Big Sur 11.6), and the Apple Watch (watchOS 7.6.2).
NSO Group Faces Criticism Over Pegasus
Since mid-July, criticism of NSO Group's spyware operations has intensified. These activities have been known for years, and both governmental and non-governmental organizations such as Amnesty International have sharply condemned the NSO Group. The group returned to the public spotlight after journalists, business executives, human rights activists, and their family members discovered the Pegasus spyware on numerous smartphones.
The surveillance software infiltrated the victims' devices via a zero-click exploit -- without any action on their part. The critical issue with this exploit was that it granted extensive access to stored data. More than 50,000 phone numbers fell into unauthorized hands through this method. Even the phone number of French President Emmanuel Macron is believed to have been obtained by cybercriminals in this manner.
How Cybercriminals Execute Zero-Click Attacks
The risk in cyberspace has long been pervasive -- and it continues to grow. This is not only because the sheer volume of cyberattacks is increasing but also because they are becoming increasingly sophisticated. As a user, you do not necessarily need to take any action or make a mistake to fall victim. A prime example is the Pegasus spyware, which was deployed on numerous iPhones without any user interaction. A zero-day vulnerability in the iMessage software served as the gateway for the cybercriminals.
In a zero-click exploit, attackers leverage vulnerabilities or security flaws discovered in the operating system or a mobile app. Of particular interest is the zero-day vulnerability -- a flaw that the manufacturer has not yet identified, for instance because no API pentest was conducted. Since the vulnerability remains unknown, the infrastructure cannot be hardened and no security patch can be issued.
Important: To minimize the risk of a zero-click exploit, you should always ensure that you install security updates and patches promptly. However, updates alone are not always sufficient to prevent a zero-click exploit entirely. Therefore, make it a practice to stay informed about known security issues.
A common technique associated with zero-click exploits is the jailbreak. This involves the unauthorized removal of usage restrictions on a device or mobile app, activating functions that the manufacturer had previously locked down. The result is that an unauthorized third party gains root access to the device through the zero-click exploit.