Apple has issued an emergency update for iOS after security researchers uncovered a zero-day spyware exploit in iMessage that gives an attacker access to iPhones and iPads – without the user clicking on a link or file.
The Cupertino-headquartered company said on Monday it was aware of a report that the iOS vulnerability “may have been actively exploited”.
The attack involves a “maliciously crafted PDF” that breaches the target’s Apple device, allowing the attacker to run any command without notifying the user.
The Apple vulnerability affects all the tech giant's major platforms, including iPhones, Macs and Apple Watches.
The University of Toronto’s Citizen Lab discovered the iPhone security breach and said it has “high confidence” that Israeli spyware company NSO Group developed it.
The watchdog group dubbed the Apple zero-day "FORCEDENTRY" and said it has been in use since at least February 2021. The vulnerability has been assigned the identifier CVE-2021-30860.
NSO Group has always insisted it only sells its spyware technology to legitimate military, law enforcement and intelligence agencies for use against criminals and terrorists.
But in a statement to Reuters, NSO Group did not confirm or deny it was behind the Apple exploit.
“NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime,” the company said.
Citizen Lab said it discovered the iMessage exploit while analysing the phone of a Saudi activist. The watchdog has been monitoring NSO Group for some years, but said this is the first time it was able to capture a specific exploit and find out how it works.
In a blog post explaining its findings, Citizen Lab said the exploit “targets Apple’s image rendering library”. It is holding back a more technical explanation of the Apple vulnerability to give users time to install the emergency security update.
But it has offered this: “The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).”
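The page withholds the details of the CoreGraphics bug, so the following is an added illustration of the vulnerability class named above, not Citizen Lab's, Apple's or NSO Group's code: a hypothetical image-header size computation that wraps in 32-bit arithmetic, beside a checked version that a parser of untrusted files should use before allocating. The `image_hdr` struct and both functions are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image header read from an untrusted file; not a real
 * CoreGraphics structure. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_hdr;

/* Unchecked: width * height * bpp is computed in 32 bits and silently
 * wraps, so a caller would allocate far less than the pixel data needs
 * and later writes into that buffer run past its end. */
uint32_t pixel_bytes_unchecked(const image_hdr *h) {
    return h->width * h->height * h->bytes_per_pixel;
}

/* Checked: each multiplication is tested for overflow (GCC/Clang builtin)
 * and the result is bounded by a sane maximum before any allocation. */
bool pixel_bytes_checked(const image_hdr *h, size_t max_bytes, size_t *out) {
    size_t n;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &n)) return false;
    if (__builtin_mul_overflow(n, (size_t)h->bytes_per_pixel, &n)) return false;
    if (n == 0 || n > max_bytes) return false;
    *out = n;
    return true;
}

int main(void) {
    /* Constructed headers: 0x10000 x 0x10000 pixels wraps to 0 in uint32_t. */
    image_hdr wrapped = { 0x10000u, 0x10000u, 4u };
    image_hdr normal  = { 640u, 480u, 4u };
    size_t n = 0;
    printf("unchecked size for wrapped header: %u bytes\n", pixel_bytes_unchecked(&wrapped));
    printf("checked wrapped header: %s\n",
           pixel_bytes_checked(&wrapped, (size_t)1 << 30, &n) ? "accepted" : "rejected");
    printf("checked normal header: %s (%zu bytes)\n",
           pixel_bytes_checked(&normal, (size_t)1 << 30, &n) ? "accepted" : "rejected", n);
    return 0;
}
```

The unchecked path returns 0 for the wrapped header, which is exactly the kind of undersized allocation an integer overflow in an image decoder produces; the checked path rejects it and accepts the normal header.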
Previous zero-click exploits linked to NSO Group have targeted WhatsApp. Another, called KISMET and targeting iMessage, was blocked by BlastDoor, a mitigation Apple introduced in a previous security update.
“We suspect that NSO Group developed FORCEDENTRY, which circumvents BlastDoor, in response to this mitigation,” said Citizen Lab.
While the vulnerability could provide an attacker with a dangerous level of access, security experts and Apple stressed that it was unlikely to pose a threat to most of the world's billion iPhone owners because of the complexity and cost involved.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” said Ivan Krstić, head of Apple security engineering and architecture, in a statement.
Jake Moore, cybersecurity specialist at ESET, said: “These rare but powerful hacks can be extremely intrusive and those targeted will be left with little they can do to stop them.”
Sam Curry, chief security officer at Cybereason, said the Apple vulnerability "shouldn't be a cause for panic", urging users to stay calm and download the latest software update.
He added: “Follow Apple’s instructions if you think you are infected and consult your IT department.”
Historically, Apple devices have been considered more secure than Android, in part because of Apple's closed ecosystem, in which software can only be installed through its App Store. But GlobalData thematic analysts previously noted that the NSO spyware "damages Apple's security credentials".
Apple is ranked sixth out of 44 companies for application software security by GlobalData’s thematic scorecard.
The iPhone security threat comes as the tech giant is expected to unveil new iPhones and other devices at its “California Streaming” event today.
The capabilities of Pegasus software first came to light in May 2019 when the Financial Times revealed the spyware could infiltrate the end-to-end encrypted messaging app WhatsApp.
Facebook-owned WhatsApp has sued NSO Group over this. The suit is still ongoing.
In January 2020 the United Nations called for an investigation into the hacking of Amazon founder Jeff Bezos’ phone. The Crown Prince of Saudi Arabia had allegedly ordered the breach. The attackers used spyware sold by a private company “such as the NSO Group’s Pegasus-3 malware”, the UN said at the time.
At the time, an NSO spokesperson “unequivocally” denied its technology was used “in this instance”.