Pegasus spyware users exploited a previously unknown vulnerability in iMessage, the iPhone's native messaging system. Apple fixed it after the discovery by Citizen Lab, a leading research team on the subject.
As a sign of how serious the situation was, Apple showed rare responsiveness. On September 7, 2021, the company was contacted by Citizen Lab, a reputable research laboratory at the University of Toronto: researchers had identified a critical vulnerability in iMessage.
Five days later, on September 13, the vulnerability was already fixed through an emergency patch. It must be said that the flaw, tracked under the identifier CVE-2021-30860, ticked every box for dangerousness:
- It was already being actively exploited by NSO Group customers at the time of discovery. In other words, it was being used to deploy the Pegasus spyware and thus expose almost all of the content of the victim's iPhone.
- As a zero-day, it was unknown to the vendor, so no fix existed.
- As a zero-click exploit, it required no interaction from the user, making it an almost unstoppable offensive tool.
- Invisible to the user, it could not be detected without examining the phone's technical logs.
- It targeted iMessage, the encrypted messaging service present natively on all Apple smartphones. Every iPhone owner was therefore vulnerable.
Citizen Lab named this flaw "Forcedentry" (forced entry) for its ability to bypass BlastDoor, one of Apple's latest features, introduced earlier this year. This brand new mechanism was supposed to protect iPhone users against precisely this type of vulnerability. Mission failed.
This crisis comes the day before the Apple conference, during which the manufacturer is expected to present the iPhone 13, a new edition of its iconic smartphone. It once again calls into question the security of iPhones, which until recently were considered a data vault.
Vulnerabilities that are increasingly difficult to discover
Citizen Lab detected Forcedentry almost by chance. A Saudi activist contacted the lab in March 2021 because he suspected his iPhone was being monitored. By analyzing the device's crash logs, the research laboratory was able to work out exactly how the vulnerability operated, having found the first traces of it as early as this summer.
Concretely, attackers send a malicious PDF file to their victims; it does not even appear in their messages and remains invisible to the naked eye. This file abuses several image-processing features in order to crash iMessage, allowing malware to enter the device. According to the researchers, it was an NSO client country that launched the attack on the Saudi activist, and the flaw has been exploited since at least February 2021.
Apple thanks the Citizen Lab
With its ability to bypass BlastDoor, Forcedentry would simply have replaced Kismet, researchers speculate. That previous critical iMessage flaw, also exploited by NSO Group, was used to spy on dozens of journalists. Made public by Apple in December 2020, Kismet has since been patched, and would likely have been blocked by BlastDoor anyway.
The first to shine the spotlight on Pegasus in 2016, Citizen Lab has since become the benchmark on the subject. This is why potential spyware victims turn to the lab, which regularly discovers new NSO tools as a result. But this way of fighting Pegasus and its counterparts looks more and more unbalanced. Usually, spyware victims contacted the lab or NGOs with a visible sign of the attack. Here, it took a deep analysis to discover the problem, which would otherwise have remained invisible.
In its press release on the patch, Apple thanks Citizen Lab and says it is aware of the suspicions about the exploitation of the flaw. But the company has not commented on NSO Group's involvement. It does not appear close to joining Facebook, which is in litigation against the Israeli company, with support from Google and Microsoft, following the exploitation of critical vulnerabilities in WhatsApp.