
Zero-day spyware on Apple iOS causes ForcedEntry attacks

Apple devices have been targeted by a zero-day exploit that delivers spyware to iOS, macOS and watchOS devices. Nearly all Apple devices, including iPhones, iPads, MacBooks and Apple Watches, are affected by this zero-day vulnerability. It was first detected by the Canadian security research group Citizen Lab in August 2021, reported to Apple on 7 September, and confirmed by Apple on 13 September. Apple has confirmed that the data shared by Citizen Lab did correspond to a zero-day exploit targeting Apple devices.

What is the zero-day zero-click vulnerability on Apple devices?

This vulnerability is called a zero-day because it was being actively exploited before a fix was available, so the patch must be applied without delay. It is called zero-click because the target Apple device is compromised without any action on the user's side: no click on a link or message is required. The exploit arrives through iMessage, Apple's messaging app, and triggers an integer overflow to compromise the device.

The vulnerability came to light when Citizen Lab detected the presence of Pegasus spyware on the iPhones of activists from Bahrain and Saudi Arabia. Pegasus, developed by the NSO Group, can give a third party complete control of the target device for surveillance or tracking. The presence of Pegasus on these iPhones implied that iOS had been breached to install a third-party spyware file on the phone, which is why the exploit is called ForcedEntry. The device owner is unaware that the device has been compromised by malware that can exfiltrate all personal data, including images and videos.

How does ForcedEntry or zero-click vulnerability work on Apple devices?

The zero-click exploit on Apple devices works in the following way:

  • The iMessage app receives a message containing malicious payloads. Citizen Lab was able to isolate 27 malicious files that break the image rendering component on Apple devices; the IMTranscoderAgent process crashes on the affected device. The exploit uses this image rendering weakness to plant the malicious payloads on the target device.
  • The exploit also contained 4 .gif files carrying a JBIG2-encoded stream. This stream is responsible for carrying out the exploit on the target device.
  • Processing the PDF content causes the exploit to run and the image rendering to crash on the affected device. The result is a compromised device.

Apple has shared the following brief description of the vulnerability:

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

(from the Apple support website)

No user click is needed for this zero-click exploit to target the vulnerable devices.
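The integer overflow Apple describes belongs to a well-known bug class in file parsers: a decoder derives a buffer size from attacker-controlled header fields, the multiplication wraps, and a buffer far smaller than the data that follows is allocated. The C program below is added here as an illustration of that class and of the "improved input validation" style of fix. It is a constructed example, not CoreGraphics, JBIG2 or any ForcedEntry code; the width and height fields, the 32-bit size arithmetic and the sample header values are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the advisory's bug class: an image decoder
 * computes a pixel-buffer size from untrusted header fields. Not the real
 * Apple code; "width" and "height" are assumed field names. */

/* Vulnerable pattern: the product is computed in 32-bit arithmetic and
 * wraps, so a huge image yields a tiny (even zero-sized) allocation while
 * the rest of the decoder still trusts the original dimensions. */
static uint32_t unchecked_buffer_size(uint32_t width, uint32_t height)
{
    return width * height;           /* wraps modulo 2^32 */
}

/* Hardened pattern ("improved input validation"): refuse any header whose
 * product is not representable, before anything is allocated.
 * Returns the byte count, or 0 when the header is rejected. */
static size_t checked_buffer_size(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;                    /* degenerate image, reject */
    if (width > UINT32_MAX / height)
        return 0;                    /* width * height would overflow */
    return (size_t)width * (size_t)height;
}

/* Allocation built on the checked path: a malicious header gets NULL
 * instead of an undersized buffer that later writes would overrun. */
static unsigned char *alloc_pixels(uint32_t width, uint32_t height)
{
    size_t n = checked_buffer_size(width, height);
    return n ? calloc(n, 1) : NULL;
}

int main(void)
{
    /* Constructed "malicious" header: 65536 x 65536 wraps to 0 in 32 bits. */
    uint32_t w = 0x10000, h = 0x10000;
    unsigned char *p;

    printf("unchecked size for %ux%u: %u bytes\n",
           (unsigned)w, (unsigned)h, (unsigned)unchecked_buffer_size(w, h));
    p = alloc_pixels(w, h);
    printf("checked allocation: %s\n", p ? "accepted" : "rejected");
    free(p);

    p = alloc_pixels(640, 480);
    printf("640x480: %zu bytes %s\n", checked_buffer_size(640, 480),
           p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The check `width > UINT32_MAX / height` is the standard way to test for multiplication overflow without performing the multiplication first; the same idea applies to any size computed from fields read out of a PDF, GIF or JBIG2 header.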

What Apple devices are affected with the zero-click vulnerability?

Unfortunately, this zero-click exploit affects all Apple devices, so iPhones, MacBooks, Apple Watches and iPads are all potential targets of the spyware. All personal data on the device, including images and videos, is exposed to remote access by an attacker.

Any iPhone running an iOS version older than 14.8, and any iPad running an iPadOS version older than 14.8, can be exploited through this zero-click integer overflow vulnerability.

This vulnerability is being tracked as CVE-2021-30860. Apple has not published technical details, and full details are likely to become available only once Apple devices have been patched. Similarly, the NIST website does not share any details of the vulnerability as of now; they are likely to be shared at a later date.

What is the mitigation for the zero-click vulnerability on Apple devices?

Mitigation on iPhones and iPads

The vulnerability has been fixed in iOS 14.8 and iPadOS 14.8 for iPhones and iPads. The update is available for the following iPhone and iPad models:

iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

  • All iPhones must upgrade to Apple's iOS 14.8.
  • All iPads must upgrade to Apple's iPadOS 14.8.

Mitigation on MacBooks

If you have a MacBook, the zero-click vulnerability is resolved in the latest macOS update. Upgrade macOS to version 11.6, which takes care of the zero-click vulnerability.

Mitigation on Apple watches

To resolve the ForcedEntry zero-click vulnerability on Apple Watches, upgrade watchOS to version 7.6.2. The upgraded watchOS takes care of the vulnerability.
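The mitigation sections above come down to one rule per platform: the installed version must be at or above the release that carries the fix. The C program below is added here as an example of applying that rule to a device inventory; it is not code from Apple, Citizen Lab or this article. The minimum versions are the ones this article lists (iOS 14.8, iPadOS 14.8, macOS 11.6, watchOS 7.6.2), the inventory rows are constructed, and the check deliberately says "not covered" for any platform the article does not mention rather than guessing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimum versions that the article's mitigation sections list as fixing
 * CVE-2021-30860. Any release below these is reported as vulnerable. */
struct fixed_version { const char *platform; const char *min_version; };

static const struct fixed_version FIXED[] = {
    { "iOS",     "14.8"  },
    { "iPadOS",  "14.8"  },
    { "macOS",   "11.6"  },
    { "watchOS", "7.6.2" },
};

/* Parse one dotted component and advance past it and the following dot.
 * An exhausted string yields 0, so "14.8" compares equal to "14.8.0". */
static long next_component(const char **s)
{
    char *end;
    long v;
    if (**s == '\0')
        return 0;
    v = strtol(*s, &end, 10);
    if (end == *s) {                 /* not a digit: treat the rest as junk */
        *s += strlen(*s);
        return 0;
    }
    *s = end;
    if (**s == '.')
        (*s)++;
    return v;
}

/* Numeric (not lexical) comparison of dotted version strings, so that
 * "14.10" is newer than "14.9". Returns <0, 0, >0 like strcmp. */
static int compare_versions(const char *a, const char *b)
{
    while (*a != '\0' || *b != '\0') {
        long x = next_component(&a);
        long y = next_component(&b);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 = at or above the fixed release, 0 = still vulnerable per the article,
 * -1 = platform not covered by the article's mitigation table. */
static int is_patched(const char *platform, const char *version)
{
    size_t i;
    for (i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++)
        if (strcmp(FIXED[i].platform, platform) == 0)
            return compare_versions(version, FIXED[i].min_version) >= 0;
    return -1;
}

int main(void)
{
    /* Constructed inventory rows, not real devices. */
    static const struct { const char *name, *platform, *version; } inventory[] = {
        { "iphone-01", "iOS",     "14.7.1" },
        { "iphone-02", "iOS",     "14.8"   },
        { "ipad-01",   "iPadOS",  "14.8"   },
        { "mac-01",    "macOS",   "11.5.2" },
        { "watch-01",  "watchOS", "7.6.2"  },
        { "tv-01",     "tvOS",    "14.7"   },
    };
    size_t i;
    for (i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_patched(inventory[i].platform, inventory[i].version);
        printf("%-10s %-8s %-7s %s\n", inventory[i].name, inventory[i].platform,
               inventory[i].version,
               r == 1 ? "patched" : r == 0 ? "VULNERABLE - update" : "not covered by this check");
    }
    return 0;
}
```

Feeding the program an export from an MDM or asset system instead of the constructed table is a small change; the important part is that version strings are compared component by component, since a plain string comparison would rank "14.10" below "14.8".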

Conclusion:

Apple devices can be exploited through an integer overflow vulnerability that allows malicious files and code to be installed on the device, exposing all user data to remote access by an attacker. Apple has recommended an immediate upgrade of iOS, iPadOS, watchOS and macOS to protect against this vulnerability.