Special Report: Apple Issues Emergency Updates After Citizen Lab Discovers Zero-Day, Zero-Click Exploit Against iMessage

Citizen Lab researchers say the exploit delivers Pegasus spyware from NSO; the FORCEDENTRY exploit has likely been in use since March, leaving Apple products vulnerable to surveillance by NSO customers

While examining the phone of a Saudi activist last March, security researchers at Citizen Lab discovered a novel zero-day, zero-click exploit against iMessage they call FORCEDENTRY (CVE-2021-30860). The exploit targets Apple’s image rendering library and is effective against Apple iOS, macOS, and watchOS devices.

The researchers determined that notorious Israeli spyware company NSO used the exploit to implant its Pegasus surveillance software into Apple devices. Using the zero-click method, Pegasus can control the user’s camera and microphone and can access content on devices, including recorded messages, texts, emails, and calls, even content that was sent and received over encrypted connections.

Citizen Lab believes the zero-day exploit, which is invisible to users because it requires no action on their part, has been in use since at least March of this year, leaving billions of Apple products vulnerable to surveillance by NSO’s customers, many of which are despotic governments.

However, Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement that the overwhelming majority of users were unlikely to be targeted in any FORCEDENTRY attacks. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said.

Apple issued emergency software updates that patch FORCEDENTRY and urged users of all Apple devices to implement the updates immediately. Apple further said it would introduce new security defenses for iMessage in its next iOS 15 software update later this year.

NSO Group issued only a lukewarm, almost irrelevant response to the discovery of the zero-day and Apple’s update. The company said, “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”
