Discovery of ‘zero-click’ spyware allegedly from NSO Group sees Apple issue emergency update to iPhone, iPad and Mac users
Apple has rushed out an emergency software patch after the discovery of a critical vulnerability that is being linked to Israeli surveillance specialist NSO Group.
Researchers from the University of Toronto’s Citizen Lab warned Apple last week that they had discovered a zero-day, zero-click exploit against iMessage (i.e. one that does not even require the user to click on a poisoned link).
Apple has responded very quickly and rushed out the update to plug the flaw in the iMessage software that allowed hackers to infiltrate a user’s iPhone or iPad without the user clicking on any links.
Zero-click iMessage vulnerability
Apple’s security update is for iOS (iPhone) and iPadOS, and it credits Citizen Lab for discovery of the flaw.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Ivan Krstić, head of Apple Security Engineering and Architecture, was quoted by CNN as saying in a statement.
Krstić said Apple rapidly addressed the issue with a software fix and that the vulnerability is “not a threat to the overwhelming majority of our users.”
Citizen Lab said that it had found the zero-day iMessage flaw whilst it was analysing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware.
“The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices,” said Citizen Lab.
“We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware,” the Canadian researchers said. “We believe that FORCEDENTRY has been in use since at least February 2021.”
Citizen Lab forwarded details of the exploit to Apple on Tuesday, 7 September. On Monday, 13 September, Apple confirmed that the files included a zero-day exploit against iOS and MacOS.
Apple designated the vulnerability behind the FORCEDENTRY exploit as CVE-2021-30860 and described it as follows: “processing a maliciously crafted PDF may lead to arbitrary code execution.”
Citizen Lab said the exploit contained “multiple distinctive elements that allowed us to make a high-confidence attribution to NSO Group.”
“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” said Citizen Lab.
“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organisations, as we and others have shown on multiple prior occasions, and as was the case again here.”
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” said the Canadian researchers. “Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
“Our finding also highlights the paramount importance of securing popular messaging apps,” said Citizen Lab. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them.”
“As presently engineered, many chat apps have become an irresistible soft target,” it concluded. “Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”
NSO Group did not directly address the Citizen Lab allegation, but stressed it only provided its software to vetted governments and law enforcement.
“NSO Group will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime,” it responded.
The firm has always maintained that its software is only sold to vetted customers for counter-terrorism and law enforcement purposes.
Despite NSO’s protests that it only supplies to law enforcement and governments, privacy campaigners have previously said they have found multiple cases in which the spyware was deployed on dissidents or journalists.
NSO is currently engaged in a legal battle with WhatsApp, after Facebook sued NSO in October 2019, alleging that NSO was behind a cyberattack in May 2019 that infected WhatsApp users with advanced surveillance software.
And in July this year officials from the Israeli defence ministry ‘visited’ the offices of NSO near Tel Aviv, after a number of damning allegations about NSO and its Pegasus spyware were made by the Pegasus Project.
The Project is a global media consortium of more than 80 journalists around the world, coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International.
The consortium alleged that NSO’s Pegasus spyware had been used “to facilitate human rights violations around the world on a massive scale.”
It uncovered evidence allegedly showing that the phone numbers of 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as of 600 government officials and politicians from 34 countries, had been selected as people of interest by clients of NSO.
President Macron changed both his mobile phone and phone number in light of the Pegasus row.
President Macron also telephoned the Israeli prime minister, Naftali Bennett, to ensure that the Israeli government is “properly investigating” allegations that he could have been targeted with Israeli-made spyware by Morocco’s security services.