Pegasus Spyware Zero-Click Exploit Shows Why Messaging Apps Need To Be More Secure

Last week researchers at The Citizen Lab, an interdisciplinary laboratory at the University of Toronto, published details of a zero-day, zero-click exploit used to spy on Apple devices which they believe was created by NSO Group, the Israeli spyware business at the centre of the Pegasus Project privacy scandal. They have given the exploit the name ‘FORCEDENTRY’ and say it has been used since at least February 2021 to remotely install spyware on devices running Apple iOS, macOS and watchOS. Apple responded on the same day the research was published with patches for all three operating systems (iOS 14.8, macOS 11.6 and watchOS 7.6.2) that close the bug, tracked as CVE-2021-30860.

The Citizen Lab identified a number of suspicious files with a .gif extension in the backup of a phone which had been hacked with NSO Group’s spyware. The files had been received by the phone immediately before it was hacked and were found in the folders used to store attachments to messages; a redacted listing of the files is pictured below (the image is not reproduced in this copy of the article).

Closer examination showed these files were not GIF images at all. The file extension was a disguise: the contents were in Adobe’s PDF format, crafted to trigger an integer overflow in the image rendering library Apple uses to parse message attachments, so the device was compromised merely by processing the attachment. The Citizen Lab attributed the exploit to NSO Group because it contained bugs and process names identical to those found in other spyware known to have been developed by NSO Group.
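The detail that matters for anyone checking a device backup is that the extension lied about the contents. The following script is an added example (not code from the Commsrisk article or from The Citizen Lab) that walks a folder of message attachments and flags files whose leading bytes do not match the format their extension claims; the sample files it creates are constructed for the example, not real attachments, and the file names and folder layout are assumptions.

```python
"""Flag message attachments whose contents do not match their file extension.

Added example (not from the Commsrisk article or The Citizen Lab's report).
The .gif files described in the article were really PDFs, which a check of
the file name alone would never catch; reading the first bytes does catch it.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Leading bytes ("magic numbers") of the formats this scanner knows.
# Keys are the normalised extension; values are accepted signatures.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "psd": (b"8BPS",),
}
# Extensions that are aliases of an entry in MAGIC.
ALIASES = {"jpeg": "jpg"}


def detect_format(head: bytes) -> Optional[str]:
    """Return the format name whose signature matches the leading bytes, or None."""
    for fmt, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return fmt
    return None


def scan_attachments(folder: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (path, claimed_format, detected_format) for every mismatch.

    Files whose extension the scanner has no signature for are skipped rather
    than reported, so the output is limited to contradictions it can prove.
    """
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower().lstrip(".")
        claimed = ALIASES.get(ext, ext)
        if claimed not in MAGIC:
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)  # longest signature above is 8 bytes
        detected = detect_format(head)
        if detected != claimed:
            findings.append((str(path), claimed, detected))
    return findings


def build_sample_folder() -> str:
    """Create a temporary folder of constructed attachments (fabricated for this example)."""
    folder = tempfile.mkdtemp(prefix="attachments_")
    samples = {
        "photo.gif": b"GIF89a" + b"\x00" * 20,           # genuine GIF header
        "holiday.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", # PDF wearing a .gif extension
        "invoice.pdf": b"%PDF-1.4\n",                    # genuine PDF
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # genuine PNG
        "blank.gif": b"\x00\x00\x00\x00",                # no recognised signature
    }
    for name, data in samples.items():
        Path(folder, name).write_bytes(data)
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for path, claimed, detected in scan_attachments(sample):
        print(f"{os.path.basename(path)}: extension says {claimed}, "
              f"contents look like {detected or 'unknown'}")
```

On a real backup the folder argument would be the attachments directory the article describes; the scanner only reports files whose first bytes contradict the extension, so a genuine GIF and a genuine PDF pass while a PDF renamed to .gif, or a .gif with no recognisable header, is reported.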

Apple likes to position itself as the most privacy-oriented of all the handset manufacturers, but until this exploit was patched it was possible for spies to remotely insert software on to an iPhone so they could: switch on and listen to the phone’s microphone; obtain access to any files stored on the handset; and read any messages the device sent or received. They could do this simply by sending a message to the phone, without the user ever opening the attached files.

All the fuss about implementing data protection laws like GDPR or fining businesses that share personal data too freely will be rendered irrelevant if the phone in your pocket can easily be turned into a surveillance device. The history of messaging reveals scant regard for securing this form of communication from eavesdropping, and the habitual under-engineering of messaging technology is the soft underbelly of communications privacy. Apple appears to be sincere about protecting the privacy of its customers, so the successful targeting of vulnerabilities unique to Apple products shows just how great the gap is between the expectations of those customers and the extent to which their privacy can be undermined. All vendors of messaging technology need to be conscious that they are on the front line of the war over network privacy.

The Citizen Lab’s summary of their research into FORCEDENTRY is published on their website.

Eric Priezkalns
Eric is the Editor of Commsrisk. More about the history of Commsrisk and the role played by Eric can be found on the site.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.