Apple continues to be haunted by spyware developed by an Israeli security firm that hostile governments used to hack into Apple devices to spy on journalists, activists and world leaders (see Apple Security Under Scrutiny Amid Fallout from NSO Spyware Scandal).
News of the nefarious uses of NSO Group’s Pegasus software first surfaced in July. Apple was notified earlier this month by researchers with Citizen Lab – an internet security watchdog group based at the University of Toronto – that a zero-day vulnerability in its iOS 14.8 and iPadOS 14.8 operating system was being exploited by the invasive Pegasus spyware. The exploit impacts every iPhone, iPad, Mac and Apple Watch.
Apple this week released security updates for its devices that will close the vulnerability that Pegasus exploited. In a security note, the company said that “processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
The Pegasus spyware has been an ongoing source of controversy. Users of the spyware are able to extract data – including emails, messages and photos – from devices and also can record calls and activate microphones and cameras.
Citizen Lab researchers reported that, while analyzing the phone of a Saudi activist, they determined it had been infected with Pegasus. During that investigation, they discovered a zero-day, zero-click exploit against iMessage, which they dubbed “ForcedEntry.” The exploit – tracked as CVE-2021-30860 – targets an integer overflow vulnerability in Apple’s CoreGraphics image rendering library, they wrote.
The researchers suspect ForcedEntry has been in use since at least February. It doesn’t require users to click on fraudulent links or open malicious files to infect a device. The researchers urged users of the devices to download the fixes.
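The bug class named above, an integer overflow in image rendering code, is one of the most common ways a parser of untrusted files ends up writing past a buffer: the dimensions in a file header are multiplied to compute a buffer size, the product wraps, and a small allocation is later treated as if it were large. The following added example, which is not Citizen Lab’s, Apple’s, or NSO Group’s code and does not model CoreGraphics or any real PDF or image format, shows the defensive pattern. It uses a constructed header struct (`image_header`, with assumed field names) and contrasts an unchecked size computation with one that fails closed on overflow using the compiler’s `__builtin_mul_overflow` (GCC and Clang).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a toy image header as a parser might read it from an
 * untrusted file. The struct and field names are assumptions for this
 * illustration, not CoreGraphics or any real file format. */
struct image_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Unchecked size computation: the product is evaluated in 32 bits and can
 * wrap, so a huge header yields a tiny allocation while later code still
 * believes it has width*height*bytes_per_pixel bytes to write into. */
uint32_t unchecked_buffer_size(const struct image_header *h) {
    return h->width * h->height * h->bytes_per_pixel;
}

/* Upper bound on an image we are willing to decode (constructed policy value). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Checked version: widen to 64 bits, detect overflow at each multiplication,
 * reject degenerate and oversized headers, and only then report a size. */
bool checked_buffer_size(const struct image_header *h, size_t *out) {
    uint64_t pixels, bytes;
    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return false;
    if (__builtin_mul_overflow((uint64_t)h->width, (uint64_t)h->height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (uint64_t)h->bytes_per_pixel, &bytes))
        return false;
    if (bytes > MAX_IMAGE_BYTES)
        return false;
    *out = (size_t)bytes;
    return true;
}

/* Allocate a pixel buffer only for headers the checker accepts; NULL otherwise. */
unsigned char *allocate_pixels(const struct image_header *h, size_t *size_out) {
    size_t n;
    if (!checked_buffer_size(h, &n))
        return NULL;
    unsigned char *buf = calloc(n, 1);
    if (buf && size_out)
        *size_out = n;
    return buf;
}

int main(void) {
    /* Constructed header whose true size is 2^32 * 4 bytes; the 32-bit
     * product wraps to exactly 0, so the unchecked path would allocate nothing. */
    struct image_header huge  = { .width = 65536, .height = 65536, .bytes_per_pixel = 4 };
    struct image_header small = { .width = 640,   .height = 480,   .bytes_per_pixel = 4 };
    size_t n = 0;

    printf("unchecked size for huge header: %u\n", unchecked_buffer_size(&huge));
    printf("checked accepts huge header: %s\n", checked_buffer_size(&huge, &n) ? "yes" : "no");
    printf("checked size for small header: %zu\n", checked_buffer_size(&small, &n) ? n : 0);

    unsigned char *p = allocate_pixels(&small, &n);
    free(p);
    return 0;
}
```

The point for reviewers of parsing code is that every size derived from attacker-controlled fields needs the checked path: the wrap in `unchecked_buffer_size` is silent, produces a plausible-looking number, and is exactly the kind of defect that lets a crafted file turn a decoder into an arbitrary-write primitive.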
Fast Fixes by Apple
Citizen Lab contacted Apple about ForcedEntry Sept. 7, and less than a week later the vendor issued the fixes.
In a statement, Ivan Krstic, head of security engineering and architecture operations at Apple, thanked Citizen Lab for sending a sample of the exploit to the company, enabling it to issue a fix.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstic said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
NSO Group, which was founded in 2010, over the years has pushed back at criticism of Pegasus and its other software products, arguing that the technology is a tool to enable governments to protect themselves and their citizens against terrorists and other criminals. In a brief statement this week, officials made the same argument, adding that the company will “continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”
NSO Group Faces Skeptics
However, cybersecurity professionals see the company’s arguments as ways to deflect criticism.
“NSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations,” Hank Schless, senior manager of security solutions for cybersecurity firm Lookout, told eSecurity Planet. “Their proactive statements about the Citizen Lab are just another attempt at maintaining this narrative in the media. The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims.”
In July, The Guardian reported a large data leak that unveiled a list of more than 50,000 iPhone numbers of people being watched by NSO customers dating back to 2016. More than 180 journalists worldwide were caught up in the leak and the report suggested that some Pegasus users like authoritarian regimes were using Pegasus to track people who weren’t criminals or terrorists.
Amnesty International and Forbidden Stories – a Paris-based nonprofit group that works with journalists – said Pegasus users were able to hack into iPhone 11 and iPhone 12 devices, as well as Android devices.
Kevin Dunne, president of access orchestration solutions company Pathlock, noted that enterprises also need to worry about the threat posed by spyware such as Pegasus, particularly given the highly distributed and mobile IT environment.
“Businesses often focus on their servers and workstations as the primary targets for hacking and espionage,” Dunne told eSecurity Planet. “However, mobile devices are now used broadly and contain sensitive information that needs to be protected. Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties.”
Citizen Lab researchers said ForcedEntry isn’t the first zero-click exploit linked to NSO. In 2019, WhatsApp was forced to fix a zero-click vulnerability in the WhatsApp calling feature that NSO clients used against more than 1,400 phones over the two-week period in which it was observed. Apple introduced the BlastDoor mitigation in iOS 14, and the researchers suspect that NSO developed ForcedEntry to circumvent BlastDoor.
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” they wrote. “Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”
Messaging Apps a Growing Target
The researchers also cautioned organizations to understand the growing threats presented via chat and messaging apps.
“Our finding also highlights the paramount importance of securing popular messaging apps,” they wrote. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”
The issues around the security update, Pegasus and NSO came just as Apple was preparing to roll out a spate of new products, including the latest iPhones, iPads and Apple Watches. Even the release of new products generated its own controversy, as protesters and privacy rights groups like the Electronic Frontier Foundation (EFF) gathered outside Apple stores around the United States on Aug. 13 to push back against Apple’s Child Sexual Abuse Material (CSAM) system, which searches iCloud for such material. A plan to put it into iOS 15 has been delayed.
Further reading: Mobile Malware: Threats and Solutions