Apple has released security updates for its devices after researchers identified a so-called “zero-click” exploit affecting its iMessage messaging service.
The previously-unidentified vulnerability affects all of Apple’s current devices, including iPhones, iPads, Apple Watches and Mac computers, the researchers said, adding that Apple users should “immediately” update their devices.
The exploit, named “FORCEDENTRY” by the University of Toronto Citizen Lab researchers, takes advantage of the way iMessage renders images to skirt the built-in security systems of Apple’s latest operating systems.
The security flaw was discovered by researchers analysing the phone of a Saudi activist who had been targeted by the Pegasus spyware sold to governments by Israeli defence firm NSO Group.
Apple’s iOS and iPadOS 14.8 updates, as well as a MacOS update released on Monday, patch the FORCEDENTRY flaw, which may have been in use since February, the researchers said.
In July, a leaked database revealed that NSO’s Pegasus spyware may have been used to spy on tens of thousands of journalists, activists and politicians, including French President Emmanuel Macron.
Once installed, Pegasus allows NSO’s clients to take control of a device, to activate the camera and the microphone, see geolocation data and read the content of messages.
On Monday, Apple said it released the security updates to solve an issue where a “maliciously crafted PDF” could lead a device to execute code without a user’s knowledge.
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users,” said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals”.
“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.
Hallmarks of Pegasus spyware
Citizen Lab said the exploit had been used to secretly install Pegasus on the Saudi activist’s phone, adding that it had “high confidence” the attack had come from NSO Group.
Citizen Lab said multiple details in the malware installed via FORCEDENTRY overlapped with prior attacks by NSO, including some that were never publicly reported.
One process within the hack’s code was named “setframed,” the same name given in a 2020 Pegasus infection of a device used by a journalist at Al Jazeera, the researchers found.
“The security of devices is increasingly challenged by attackers,” said Citizen Lab researcher Bill Marczak.
An Apple spokesperson declined to comment to Reuters on whether the hacking technique came from NSO Group.
NSO did not confirm or deny that it was behind the technique, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
Citizen Lab said it found the malware on the phone of an unnamed Saudi activist and that the phone had been infected with spyware in February. It is unknown how many other users may have been infected.
The intended targets would not have to click on anything for the attack to work. Researchers said they did not believe there would be any visible indication that a hack had occurred.
The vulnerability lies in how iMessage automatically renders images. IMessage has been repeatedly targeted by NSO and other cyber arms dealers, prompting Apple to update its architecture. But that upgrade has not fully protected the system.
“Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority,” said Citizen Lab researcher John Scott-Railton.
The US government’s Cybersecurity and Infrastructure Security Agency on Monday released a security alert advising users to download Apple’s security updates.