Red TeamingJan Kahmen8 min read

FORCEDENTRY: iMessage zero-click Exploit in Check

An analysis of a Saudi Arabian activist's smartphone revealed that NSO Group used a zero-click exploit against iMessage.

Table of content

Forced entry-imessage-zero-click-exploit with Pegasus Spyware

Pegasus surveillance software has once again come under fire. An analysis of a Saudi Arabian activist's smartphone revealed that NSO Group used a zero-click exploit against iMessage. This zero-click exploit is also known as ForcedEntry. Apple devices that use the iOS, macOS and watchOS operating systems are affected. Although a new version of the operating systems has been released in the meantime, the mobile app iMessage could previously be used for the zero-click exploit. The built-in image playback library is the target of this attack and comes without your active intervention.

Apple and Android users are Affected - Keep Endpoints up to Date

The zero-click exploit by NSO Group, a mercenary spyware company, primarily targets the latest Apple devices, but is also a cause for concern for Android users. The monitoring software can be used to read a lot of sensitive data and be used by unauthorized third parties. It is suspected that the ForcedEntry vulnerability has already been used for the zero-click exploit since February 2021. To minimize the dangers and close the vulnerability, it is important that you update your Apple devices if you have not already installed the update.

Attack .psd files IMTranscoderAgent?

Analysis of a back-up of the activist revealed that there were several files with a .gif extension in the library, SMS and attachments. These files were used directly for the zero-click exploit and were available to the hackers until recently. However, these files are not images, but Adobe PSD files. These are designed to cause the IMTranscoderAgent to crash on the device. What they all had in common was that the file name appeared to be composed of ten random characters. Some of these files also contained an encoded JBIG-2 stream and had very long file names. If you have discovered such files on your smartphone, caution is advised.
Although experts are not quite sure yet, it is suspected that these files could lead to, or contain, a crash and a so-called ForcedEntry exploit chain. On September 7, Apple was informed about the existing security vulnerability was Apple. On September 13, Apple confirmed what Citizen Lab staff had suspected by then. Since then, more work has been done to find a solution to the ForcedEntry exploit, listed as CVE-2021-30860. In general, it can be declared as a malicious PDF that is processed in such a way that it can execute arbitrary code. In doing so, the exploit makes use of an integer overflow vulnerability previously found in Apple's CoreGraphics image rendering library.

Apple Closes Vulnerability

With an iPhone, you were previously part of the target group for the zero-click attack by the Pegasus monitoring software. However, Apple has since closed the security hole so that it can no longer be used for the zero-click exploit on the operating system. This means that the software cannot be used to hack your device and steal your data without your intervention.
The critical infrastructure vulnerability was reported to Apple by researchers at the University of Toronto's Citizen Lab. This vulnerability was dubbed ForcedEntry and has been used by the monitoring software since at least February 2021. It was first noticed during the analysis of a smartphone belonging to a Saudi Arabian activist.

Prepared PDF files Triggered an Integer Overflow

Apparently, the zero-click exploit used crafted PDF files that were sent to the affected devices. These were sent with the .gif file extension, even though they were classic PDF files. Once these files were received by the iMessage, they were processed by CoreGraphics, Apple's image rendering library. The result was an integer overflow that allowed the malicious code to execute. This vulnerability, which was not detected by the API Pentest, allowed NSO to install the Pegasus software on the affected devices. Thus, they were able to monitor the smartphone owners extensively.API Pentest
To stop this zero-click exploit, Apple closed the ForcedEntry vulnerability. Additionally, the vulnerability in the Webkit rendering engine was fixed, which could also be exploited for malicious code. Apple released the necessary software updates for all devices: iPhones (iOS 14.8), iPads (iPadOS 14.8), Macs (MacOS Big Sur 11.6) and the Apple Watch (WatchOS 7.6.2).

NSO Group Receives Criticism for Pegasus

Since mid-July, criticism of NSO Group's spyware business has been on the rise. These activities have been known for years, and both governmental and non-governmental organizations such as Amnesty International have harshly criticized NSO Group. The fact that the group once again came into public focus was due to the fact that journalists, businessmen, human rights activists and their family members, among others, found the Pegasus spyware on numerous smartphones.
The surveillance software got onto the smartphones of those affected via a zero-click exploit - without their own intervention. The problem with this zero-click exploit was that it provided extensive access to stored data. More than 50,000 phone numbers fell into the hands of unauthorized people in this way. Even the phone number of President Emmanuel Macron is said to have been obtained by cybercriminals in this way.

This is how Cybercriminals Proceed in zero-click Attacks

Risk in cyberspace has long been ubiquitous and growing. That's not just because the sheer amount of cyberattacks is increasing - they're becoming more sophisticated. As a user, you don't necessarily have to take action yourself or make a mistake to succumb to it. A good example of this is the Pegasus spyware, which was planted on numerous iPhones without the user's intervention. A zero-day vulnerability in the iMessage software was the gateway for the cybercriminals.
In a zero-click exploit, the criminals take advantage of vulnerabilities or security holes they find in the operating system or a mobile app. Of particular interest for this zero-click exploit is the so-called zero-day vulnerability. Such a vulnerability has not been noticed by the manufacturer, for example because no API pentest has been performed. Since the vulnerability is not known, the infrastructure cannot be adapted or a security patch cannot be issued.
Important: To minimize the risk of a zero-click exploit, you should always make sure to install the provided security updates and patches. However, such an update is not always enough to completely prevent the zero-click exploit. Therefore, make sure to always stay informed about existing problem.
A common practice with the zero-click exploit is the so-called jailbreak. This involves unauthorized removal of the usage restrictions on the computer or those of the mobile app. Certain functions that the manufacturer had blocked until then are activated as a result. The result is that an unauthorized third party gains root access through the zero-click exploit, for example.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: