Apple Patched iMessage. But Can It Be Made Safer Overall?Citizen Lab Says iMessage Exploit Delivered NSO's Pegasus Spyware
Apple on Monday issued an emergency patch for a software vulnerability that researchers say was used to deliver spyware via iMessage to the mobile phones of activists.
See Also: Case Study: The Road to Zero Trust
It's an exploit-and-patch pattern that has repeated itself with vulnerable people often in the crosshairs. While software flaws can't be completely eliminated from iMessage and iOS, a few changes to iMessage could make it safer overall for high-risk individuals, according to Patrick Wardle, an Apple security expert.
The vulnerability, CVE-2021-30860, was used in an exploit that could infect devices with powerful spyware called Pegasus, made by the Israeli company NSO Group, according to researchers at The Citizen Lab, a group within the University of Toronto. The Citizen Lab reported the flaw to Apple less than a week ago and published its own findings on Monday.
UPDATE YOUR APPLE DEVICES NOW— John Scott-Railton (@jsrailton) September 13, 2021
We caught a zero-click, zero day iMessage exploit used by NSO Group's #Pegasus spyware.
Target? Saudi activist.
We reported the #FORCEDENTRY exploit to @Apple, which just pushed an emergency update.
THREAD 1/https://t.co/dVuC1r1yUs pic.twitter.com/KHwtsWRcpA
The flaw affects iOS before version 14.8, macOS versions before Big Sur 11.6 and Catalina before Security Update 2021-005 and watchOS before version 7.6.2. The patch fixes an integer overflow vulnerability in Apple's image rendering library, which is called CoreGraphics.
The exploit is particularly potent because it requires no interaction from a victim who is targeted. These are sometimes referred to as "zero-click" exploits and are among the most valuable and powerful ways to compromise a device.
The Citizen Lab dubbed the exploit Forcedentry. Forcedentry is believed to have been used since at least February to deliver Pegasus. The Citizen Lab says it found indications that Forcedentry had been used against a Saudi activist and activists in Bahrain after examining their devices. Forensic clues indicate that it was likely developed by the NSO Group.
Messaging applications such iMessage have large attack surfaces because the applications accommodate a huge range of file formats, which could result in buggy behaviors, says Wardle, who created the Objective-See suite of Mac security tools and formerly worked at the U.S. National Security Agency.
Using those vulnerabilities in iMessage to target people's devices is "kind of just like shooting fish in the barrel," Wardle says.
Free .GIFs? No Thanks
NSO Group has been repeatedly accused of selling its Pegasus spyware to governments that then turn it on vulnerable people.
Citizen Lab has documented that Pegasus has been used against activists, dissidents or even, as in Mexico, for targeting supporters of a tax on soda. Efforts to contact NSO Group were unsuccessful, but it has maintained that it vets the sale of the software and that abuse has been rare.
The clues that led to the latest vulnerability were files labeled as .GIFs, tweets John Scott-Railton, a senior researcher at The Citizen Lab. The files were intentionally mislabeled, however, and were actually Adobe PSD files, a format used with its Photoshop application, and PDF files. Sent via iMessage, those files in combination exploited the CoreGraphics library, which eventually resulted in the installation of Pegasus.
"[The victim's] device becomes a spy in their pocket," Scott-Railton tweets.
The Citizen Lab and other researchers have documented in the past how vulnerabilities in Apple's iMessage and other software has led to installation of NSO's spyware.
In December 2020, The Citizen Lab documented a zero-click vulnerability in iMessage called Kismet, which could hack Apple's latest iPhone 11 running iOS 13.5.1.
In July, Amnesty International and a Paris-based journalist collective called Forbidden Stories released a report covering their investigation into the targeting of activists and journalists with Pegasus. The organizations concluded that iMessage was likely vulnerable at that time to a zero-click exploit (see: Spyware Exposé Highlights Suspected Apple Zero-Day Flaws).
For vulnerable people, there's one option to nix exploits delivered through iMessage: Turn it off and deregister an iMessage account. But that's a terrible trade-off between usability and security since there's no usability.
Switching to another messaging platform doesn’t necessarily increase safety, either. In 2019, NSO Group's Pegasus spyware was forcibly installed on devices using CVE-2019-3568, a vulnerability in WhatsApp. And other messengers such as Signal share similar risks, as this remote code execution vulnerability in Signal's desktop version in 2018 shows.
Even if security research can't shake out all the vulnerabilities in iMessage or iOS, there are ways Apple could reduce the application's attack surface, Wardle says.
Anyone can send anyone else an iMessage. That means knowledge of the victim's phone number is enough to fire an exploit.
"[iMessage] is such a great distribution mechanism. [Apple] will route your exploit anywhere in the world to the target for you using end-to-end encryption. As an attacker, what more could you ask for?" Wardle says.
He says that's a much better scenario for an attacker than, say, email - in which a malicious message may be scanned by an ISP or security software. The end-to-end encryption in iMessage prevents visibility on malicious content. Often the only way to uncover exploits is by doing what The Citizen Lab has done - tediously following obscure forensic clues on victims' phones.
Apple does allow iMessage users to filter unsolicited iMessages from people not in someone's contacts. But it appears those messages still reach the device, and it's unclear if filtering those senders actually blocks attack code from executing. Turning that feature on, however, will put messages with potentially dangerous links in another bucket, perhaps making it less likely victims will click on a link.
"There are a lot of third-party plug-ins, plug-ins and extensions that really allow you to still use the browser, but really reduce the attack surface, which is great," Wardle says. "That makes some very large percentage of exploits just not even applicable anymore."
Messaging platforms are always adding new features to attract new users. But ironically, maybe adding the ability to shut off features would benefit users at high risk of surveillance the most.