On Wednesday, researchers at the Israeli MWR Labs announced a zero-click iOS exploit that gives attackers access to iMessage. The vulnerability is so severe and widespread that it can’t be fixed without shutting down the entire system for weeks. Fortunately, Apple has responded by releasing a patch in its latest update which could make this vulnerability less common.,
NSO Group was able to use the zero-click exploit on iMessage. The exploit involved using GIFs.
After Citizen Labs exposed the NSO group’s ForcedEntry hack for iMessage users, Google Project Zero’s Ian Beer and Samuel Groß published a thorough technical explanation of how the exploit works.
The researchers worked with Apple’s Security Engineering and Architecture (SEAR) team and Citizen Labs to get the ForcedEntry attack samples. They’ve described the hack as “one of the most technically complex exploits” they’ve ever encountered.
The attack is defined as a “zero-click” vulnerability, which means it does not need the user’s participation. In November, Apple increased its security by unveiling a new feature that alerts users if an attack is targeting them, as well as suing NSO and its parent firm OSY Technologies. In the same month, the United States put NSO on a trade blacklist.
In the news: Log4j turns out to be significantly more harmful than previously thought; CISA mandates a patch
The hack clearly demonstrates that NSO has capabilities that were previously assumed to be solely in the hands of a select nation-states. The Pegasus software developed by NSO has been accused of targeting human rights activists and journalists on a large scale.
While these vulnerabilities originally functioned on a one-tap basis, they’ve now changed to a zero-click basis, which means even the most tech-savvy targets aren’t aware they’re being targeted since the attack runs in the background.
There’s no way to avoid being exploited by such assaults than not using a digital device at all, according to the researchers, who add that “it’s a weapon against which there is no defense.”
iMessage is the point of entry. GIF pictures – brief, compressed animated graphics ubiquitous in meme culture — are supported natively in the app. However, the library that parses these pictures, ImageIO, is faulty, allowing NSO to disguise an attack as GIF images by guessing the right format of the source file and parsing it while disregarding the file extension.
GIFs in iMessage served as the entry point for the attack.
Pegasus operates by hiding a PDF containing the malicious attack code inside of these GIF files, which then exploits an integer overflow vulnerability in Apple’s image processing engine, CoreGraphics.
On September 13th, Apple released iOS 14.8 to address the issue, which has been assigned the CVE number CVE-2021-3086. Furthermore, the iPhone manufacturer told Project Zero researchers that beginning with iOS 14.8.1 on October 26, they limited the formats processed by ImageIO and altogether deleted the GIF code path, with decoding taking place in the BlastDoor sandbox starting with iOS 15.0 on September 20.
The researchers also noted that, although their vulnerability is limited to iMessage and hence Apple devices, they are aware of comparable Android flaws. They do not, however, have an existing sample.
In the News: Oppo’s foldable flagship, the Find N, is unveiled: price, specifications, and a release date
When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah may be reached at [email protected], or you can follow him on Instagram or Twitter.
Watch This Video-
The “zero-click exploit android” is a vulnerability in the NSO Group’s Pegasus iOS spyware that can be used to hack iMessage and other apps. The vulnerability was discovered by Citizen Lab, which published a report on it.
Related Tags
- what is zero-click exploit
- forced entry vulnerability for apple devices
- zero-click exploit github
- zero-click exploit apple
- zero-click vulnerability email