In early 2021, Citizen Lab researchers once again found an unprecedented flaw used by the Pegasus spyware to infect the targets of its clients.
This is the first mention of NSO Group since the “Project Pegasus” revelations. Citizen Lab, a research laboratory at the University of Toronto, revealed a new operation carried out using the spyware between June 2020 and February 2021. Behind the cyberattacks is notably “Lulu”, a group that the researchers link to the government of Bahrain. It infected, or attempted to infect, the iPhones of no fewer than 4 activists in the country, known for their opposition to the regime. 5 others were also targeted by Pegasus.
Technically, this operation relied successively on two vulnerabilities to break into the victims’ smartphones.
- The first goes by the name of Kismet and was discovered by Citizen Lab in December 2020. It has since been fixed and no longer works on iOS 14, the latest version of the iPhone operating system.
- The second had never been observed in this level of detail: the researchers decided to name it “Forcedentry” for its ability to bypass BlastDoor, one of the security features introduced in iOS 14. Forcedentry still worked on iOS version 14.6 and could still be exploited.
The two flaws work in much the same way: both are “zero-click” vulnerabilities in iMessage, the encrypted messaging app built into Apple devices. In other words, simply sending a malicious message is enough to trigger the attack, a chain of bugs in iMessage, without the victim interacting with the device at all.
Zero-clicks are both very rare and highly sought after, since they spare attackers the need to set traps (phishing, for example) to get victims to download files. Each discovery of a new “zero-click” is therefore a small event. NSO Group’s ability to find them at regular intervals in different software reflects its outsized research resources. According to Le Monde, three quarters of the company’s 700 employees are dedicated to discovering vulnerabilities. It also exposes how hard it is for software publishers like Apple to anticipate every possible bug in their programs.
There is always a way to crash software
The two flaws have similar effects: they trigger an iPhone “crash” linked to IMTranscoderAgent, a program responsible for previewing images in iMessage. Once the crash has occurred, the malware can invoke WebKit (another software component) to download the files Pegasus needs from a server controlled by the attackers, all without the victim’s iPhone alerting the user.
Apple rolled out BlastDoor in late 2020 to make zero-click exploitation of iMessage more difficult. In doing so, the company had indirectly but successfully blocked Kismet. But in February, Forcedentry took over from Kismet with a similar operation, this time with the ability to bypass the detection tool.
NSO has therefore outsmarted the software publisher within a few months, and it appears to be comfortably ahead in the long-distance race it is running against Apple. Apple’s task is not easy: each iPhone runs a great deal of software, starting with iOS and all of its native programs (iMessage and FaceTime in particular, which communicate with other devices).
The only guaranteed protection: deactivate iMessage
All of these programs consist of hundreds of thousands of lines of code that define how they are supposed to behave. On the other side, hackers try to make those programs behave in ways the developers did not foresee, in order to trigger harmful behavior (the famous bug), such as crashing the application.
The contest is lopsided: the developer has to anticipate every eventuality exhaustively, while hackers only need to find a single crack to slip through and cause damage. For example, Forcedentry feeds the IMTranscoderAgent program improbable commands for the sole purpose of crashing it. Apple never anticipated these buggy commands: nobody would stumble on them by chance, since it is obvious that they will not work. They were designed solely to crash iMessage deliberately. Naturally, the logic that applies to iPhones also applies to Android smartphones, which are far from spared by Pegasus.
To be certain of protecting themselves from Forcedentry, potential targets currently have no choice but to turn off iMessage and FaceTime. The problem: traditional phone calls are not encrypted, and NSO Group has shown in the past that it can attack other apps, such as WhatsApp. In other words, potential targets face a dilemma: accept a risk of infection, or live with a smartphone of limited functionality. It is up to them to work out which means of communication escape Pegasus’ tools.