Cyber security researchers have uncovered a new vulnerability on Apple devices, allowing hackers to deploy Israeli company NSO Group’s spyware tool through iMessage.
According to Citizen Lab, the vulnerability allowed hackers to access a target’s iPhone, Mac computer or Apple Watch via iMessage, without the user needing to click on a malicious link. The exploit, dubbed “FORCEDENTRY” by the researchers, is known as a “zero-click” attack.
The report added that military spyware manufacturer NSO had “used the vulnerability to remotely exploit and infect the latest Apple devices” with its spyware, known as Pegasus, “since at least February 2021”.
The iPhone maker issued a patch yesterday to fix the flaw, which was discovered by researchers at the University of Toronto’s Citizen Lab after they analysed the iPhone of a Saudi activist that had been infected with spyware developed by NSO.
Founded in 2010, NSO develops and sells its exploits to government agencies as off-the-shelf software. It rose to prominence in 2019 when it was reported that the group could “drop its payload” of malware on to unsuspecting iPhones and Android phones by ringing a user over WhatsApp.
NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software — which requires an Israeli government licence for export because it is viewed as a weapon — can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.
The company stated yesterday: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Citizen Lab said its discovery of another previously unknown vulnerability on Apple hardware “illustrates that companies are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
Apple said it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.
Ivan Krstić, head of Security Engineering and Architecture at Apple, said “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” adding that they were “not a threat to the overwhelming majority of our users”.
Nevertheless, the revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100% secure from hackers.
Citizen Lab said chat apps in particular had become “a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them”.