{"id":19250,"date":"2021-09-15T00:18:45","date_gmt":"2021-09-15T00:18:45","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19250"},"modified":"2021-09-15T00:18:45","modified_gmt":"2021-09-15T00:18:45","slug":"apple-patches-ios-spyware-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/apple-patches-ios-spyware-vulnerabilities\/","title":{"rendered":"Apple Patches Vulnerabilities in iOS Exploited by Spyware"},"content":{"rendered":"

Apple continues to be haunted by spyware developed by an Israeli security firm that hostile governments used to hack into Apple devices to spy on journalists, activists and world leaders (see Apple Security Under Scrutiny Amid Fallout from NSO Spyware Scandal<\/a>).<\/p>\n

News of the nefarious uses of NSO Group’s Pegasus software first surfaced in July. Apple was notified earlier this month by researchers with Citizen Lab \u2013 an internet security watchdog group based at the University of Toronto \u2013 that a zero-day vulnerability<\/a> in its iOS 14.8 and iPadOS 14.8 operating system was being exploited by the invasive Pegasus spyware. The exploit impacts every iPhone, iPad, Mac and Apple Watch.<\/p>\n

Apple this week released security updates<\/a> for its devices that will close the vulnerability that Pegasus exploited. In a security note<\/a>, the company said that \u201cprocessing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\u201d<\/p>\n

Spyware Vulnerability<\/h2>\n

The Pegasus spyware has been an ongoing source of controversy. Users of the spyware are able to extract data \u2013 including emails, messages and photos \u2013 from devices and also can record calls and activate microphones and cameras.<\/p>\n

According to a report<\/a> by Citizen Lab researchers, they were analyzing the phone of a Saudi activist that they soon determined had been infected with Pegasus. During the investigation, the researchers discovered a zero-day, zero-click exploit against iMessage, which they dubbed \u201cForcedEntry.\u201d The exploit \u2013 labeled CVE-2021-30860 \u2013 targets an integer overflow vulnerability in Apple\u2019s CoreGraphics image rendering library, they wrote.<\/p>\n

The researchers suspect ForcedEntry has been in use since at least February. It doesn\u2019t require users to click on fraudulent links or open malicious files to infect a device. The researchers urged users of the devices to download the fixes.<\/p>\n

Fast Fixes by Apple<\/h2>\n

Citizen Lab contacted Apple about ForcedEntry Sept. 7, and less than a week later the vendor issued the fixes.<\/p>\n

In a statement, Ivan Krstic, head of security engineering and architecture operations at Apple, thanked Citizen Lab for sending a sample of the exploit to the company, enabling it to issue a fix.<\/p>\n

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstic said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”<\/p>\n

NSO Group, which was founded in 2010, over the years has pushed back at criticism of Pegasus and its other software products, arguing that the technology is a tool to enable governments to protect themselves and their citizens against terrorists and other criminals. In a brief statement this week, officials made the same argument, adding that the company will \u201ccontinue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime.”<\/p>\n

NSO Group Faces Skeptics<\/h2>\n

However, cybersecurity professionals see the company\u2019s arguments as ways to deflect criticism.<\/p>\n

\u201cNSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations,\u201d Hank Schless, senior manager of security solutions for cybersecurity firm Lookout, told eSecurity Planet<\/em>. \u201cTheir proactive statements about the Citizen Lab is just another attempt at maintaining this narrative in the media.\u00a0The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims.\u201d<\/p>\n

In July, The Guardian<\/em> reported<\/a> a large data leak that unveiled a list of more than 50,000 iPhone numbers of people being watched by NSO customers dating back to 2016. More than 180 journalists worldwide were caught up in the leak and the report suggested that some Pegasus users like authoritarian regimes were using Pegasus to track people who weren\u2019t criminals or terrorists.<\/p>\n

Amnesty International and Forbidden Stories\u00a0\u2013 a Paris-based nonprofit group that works with journalists \u2013\u00a0said<\/a> Pegasus users were able to hack into iPhone 11 and iPhone 12 devices,\u00a0as well as Android devices.<\/p>\n

‘Despotism-as-a-service’<\/h2>\n

Kevin Dunne, president of access orchestration solutions company Pathlock, noted that enterprises also need to worry about the threat posed by spyware such as Pegasus, particularly given the highly distributed and mobile IT environment.<\/p>\n

\u201cBusinesses often focus on their servers and workstations as the primary targets for hacking and espionage,\u201d Dunne told eSecurity Planet<\/em>. \u201cHowever, mobile devices are now used broadly and contain sensitive information that needs to be protected.\u00a0Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties.\u201d<\/p>\n

Citizen Lab researchers said ForcedEntry isn\u2019t the first zero-click exploit linked to NSO. In 2019, WhatsApp was forced to fix a zero-click vulnerability in the WhatsApp calling feature that NSO clients used against more than 1,400 phones over a two-week period in which it was observed. Apple in iOS 14 introduced the BlastDoor mitigation, and the researchers suspect that NSO developed ForedEntry to circumvent BlastDoor.<\/p>\n

\u201cOur latest discovery of yet another Apple zero day employed as part of NSO Group\u2019s arsenal further illustrates that companies like NSO Group are facilitating \u2018despotism-as-a-service\u2019 for unaccountable government security agencies,\u201d they wrote. \u201cRegulation of this growing, highly profitable, and harmful marketplace is desperately needed.\u201d<\/p>\n

Messaging Apps a Growing Target<\/h2>\n

The researchers also cautioned organizations to understand the growing threats presented via chat and messaging apps.<\/p>\n

\u201cOur finding also highlights the paramount importance of securing popular messaging apps,\u201d they wrote. \u201cUbiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.\u201d<\/p>\n

The issues around the security update, Pegasus and NSO come just as Apple was preparing to roll out a spate of new products, including the latest iPhones, iPads and Apple Watches. Even the release of new products generated its own controversy, as protestors and privacy rights groups like the Electronic Frontier Foundation (EFF) gathered outside of Apple stores around the United States Aug. 13 to push back at Apple\u2019s Child Sexual Abuse Material (CSAM) system that searches iCloud for such material. A plan to put it into iOS 15 has been delayed.<\/p>\n

Further reading: Mobile Malware: Threats and Solutions<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n