Cyber-security watchdog Citizen Lab saw the new zero-day FORCEDENTRY exploit successfully deployed against iOS versions 14.4 & 14.6, getting past Apple’s new BlastDoor ‘sandboxing’ feature to install spyware on the iPhones of Bahraini activists – even 1 living in London at the time.
A never-before-seen, zero-click iMessaging exploit has been allegedly used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware, according to cyber-security watchdog Citizen Lab.
FORCEDENTRY
The digital researchers are calling the new iMessaging exploit FORCEDENTRY.
In a report published on Tues., researchers commented that they’ve identified 9 Bahraini activists whose iPhones were inflicted with Pegasus spyware between June 2020 & Feb. 2021. Some of the activists’ phones suffered zero-click iMessage attacks that, besides FORCEDENTRY, also included the 2020 KISMET exploit.
The activists included 3 members of Waad (a secular Bahraini political society), 3 members of the Bahrain Centre for Human Rights, 2 exiled Bahraini dissidents, & 1 member of Al Wefaq (a Shiite Bahraini political society), Citizen Lab wrote.
London
At least 1 of the activists lived in London when the exploit was released, Citizen Lab stated. That’s a new factor, given that researchers have only seen the Bahraini Govt. spying in Bahrain & Qatar, never in Europe. It could mean that the activist in London “may have been hacked by a Pegasus operator associated with a different govt.” Citizen Lab suggested.
At least 4 of the targets were attacked by LULU: a Pegasus operator that Citizen Lab attributes with “high confidence” to the Bahraini Govt., which has a history of using commercially available spyware.
One of the activists was targeted in 2020 several hours after they revealed during an interview that their phone was infected with Pegasus in 2019.
New iPhone Zero-Click Exploit Occurred in Feb.
Citizen Lab 1st observed NSO Group deploying the new zero-click FORCEDENTRY iMessage exploit – which circumvents Apple’s BlastDoor feature – in Feb. 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits like this – the month before.
BlastDoor was supposed to prevent this type of Pegasus attack by acting as what Google Project Zero’s Samuel Groß called a “tightly sandboxed” service responsible for “almost all” of the parsing of untrusted data in iMessages.
So much for all that. “We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs & some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.”
Apple Responds
Ivan Krstić, head of Apple Security Engineering & Architecture, explained on Tues. that attacks such as the ones described by Citizen Lab are highly targeted & thus nothing to worry about … for most people, at any rate. In a statement, Krstić observed that such attacks are “highly sophisticated, cost millions of dollars to develop, often have a short shelf life, & are used to target specific individuals.”
As such, they’re “not a threat to the overwhelming majority of our users,” Krstić wrote, although Apple continues to “try to protect all of its customers & is constantly adding new protections for their devices & data.”
Another Apple spokesperson noted to that BlastDoor isn’t the end-all, be-all when it comes to securing iMessage, that Apple has significantly boosted defences in iOS 15 & will continue to do so. Security is, after all, a dynamic process, & Apple is constantly working to respond to new threats as they emerge, the spokesperson said.
If You’re Not ‘Most People’
Besides Apple’s iMessage, NSO Group has a track record of exploiting other messaging apps, such as WhatsApp, in order to deliver its malware. Still, Citizen Lab thinks that in this particular case, with these particular attacks, disabling iMessage & FaceTime might have thwarted the threat players. “Disabling iMessage & FaceTime would not offer complete protection from zero-click attacks or spyware,” researchers noted.
Plus, it has trade-offs: “Disabling iMessage means that messages exchanged via Apple’s built-in Messages app would be sent unencrypted (i.e., ‘green messages’ instead of ‘blue messages’), making them trivial for an attacker to intercept,” according to the report.
Encrypted Messaging
Of course, there are other end-to-end encrypted messaging apps to consider when it comes to minimising your attack surface.
Taylor Gulley, Senior Application Security Consultant at app security provider nVisium, commented on Tues. that disabling widely used methods of communication can at least force attackers to jump through more hoops, given that it forces them “to invest more time & effort into discovering new exploits for the avenues that remain.”
To minimize attack surface via messaging, that means limiting the number of messaging apps installed, only accepting messages from known contacts, & preventing those messages received from automatically fetching media, Gulley noted. “All of these act as additional barriers between you and a malicious message.”
Vulnerabilities
Gulley pointed out that there have been a number of vulnerabilities in recent years for both iOS & Android messaging apps.
Hank Schless, Senior Manager of Security Solutions at endpoint-to-cloud security company Lookout, noted that there’s an Android version of Pegasus known as Chrysaor, uncovered in 2017 by Lookout & Google.
It has almost the exact same capabilities on Android as Pegasus does on iOS, Schless stated, including gaining root access to the target device & being able to read anything on the device even if it’s in an app with encrypted messaging.
Infect the Device
Chrysaor differs from Pegasus in that it doesn’t rely on zero-day vulnerabilities in order to infect the device, Schless explained in an email. Rather, it relies on a well-known rooting technique called Framaroot.
Still, the attack chains of both Pegasus & Chrysaor are the same: “The attacker sends the targeted individual a socially engineered message across any platform with messaging capabilities & silently delivers the vicious surveillance-ware to the device,” he described.
“Unfortunately, this means that targets are at risk regardless of the OS their device runs on. It also means that almost no data is safe since root access to a device gives the attacker control & access to everything.”
Jailbreak
An attempted jailbreak or root of a device is one of the biggest signs of malware being present on the device, Schless cautioned.
Admins of mobile apps – including Lookout – “can set policies that block a device from the internet & alert the user as soon as that malicious functionality is detected” he noted.
A better option than either Android or iOS may be to use an open-source messaging app built from the ground up with security in mind, such as Signal, Gulley observed via email. That gives you 2 fallbacks: “Auditing the code yourself as a user or to some degree, relying on the community to audit it for you.”
Independently Audited
Open-source apps aren’t necessarily any more secure than proprietary apps, Gulley suggested, but at least they can be independently audited. “Despite their best intentions, securing your data and device is secondary to these companies who — let’s be honest — are ultimately there to make money off ads, devices, & services,” the consultant observed.
“If these kinds of zero-day flaws were easy to discover, they would be less likely to have been created in the 1st place. This is evident by the fact that numerous open- & closed-source apps have been exploited by zero-day attacks — an unfortunate reality that will continue well into the future.”
NSO Group Responds
NSO Group said in a statement given to Bloomberg that it hadn’t yet seen the report, but nonetheless, the company questions Citizen Lab’s methods & motives. “If NSO receives reliable information related to the misuse of the system, the company will vigorously investigate the claims & act accordingly,” according to its statement.
A number of questions were posed to the NSO Group, the 1st being whether or not anybody at the Israeli company has read Citizen Lab’s report yet.
Also, NSO Group were asked to explain what specific questions it has about Citizen Lab’s “methods & motives;” what source, & the nature of the information, that it would consider reliable; examples of when NSO Group has launched an investigation into misuse of its technology; & what the outcome has been.
Transparency & Responsibility Report
An NSO Group spokesperson explained that these questions are addressed in the company’s Transparency & Responsibility Report (PDF), which claims that since 2016, it’s cut off 5 customers following an investigation of misuse. The pamphlet doesn’t identify the customers.
Lookout’s Schless pointed out that ever since Lookout & Citizen Lab 1st discovered Pegasus back in 2016, NSO has maintained the stance that its spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations.
50,000 Phone Numbers
“Their proactive statements about the Citizen Lab is just another attempt at maintaining this narrative in the media,” he stated. “The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims.”
Schless called Citizen Lab “a leader in the security research field” that “openly works together with private sector organisations to ensure that the world is made aware of threats across the Internet as a means to stay safer & more secure.”
Growing Pile
As far as NSO Group’s own methods & motives go, they’re getting beaucoup scrutiny in the courts & in protests by infuriated citizens & lawmakers around the world. It’s on the hot seat in these cases:
Budapest: Last month, about 1,000 people protested & Hungary’s opposition called for ministerial resignations from Viktor Orbán’s far-right government over allegations that it secretly, illegally surveilled journalists, media owners & opposition political figures with Pegasus.
India: Also in July, protests erupted in India’s parliament, with the opposition party calling Prime Minister Narendra Modi’s government’s alleged use of NSO Group’s military-grade Pegasus to spy on political opponents & others “a national security threat.”
France: Last month, French President Emmanuel Macon switched his phone and number after reports that he, along with 14 French ministers, were allegedly flagged for potential Pegasus surveillance by Morocco. French lawmakers launched an investigation into the allegations.
California: Facebook’s suing NSO Group in US Federal Court over alleged spying on WhatsApp users. In Dec. 2020, a roster of tech companies filed amicus briefs in support of its legal action, including Microsoft, Google, Cisco, & VMWare.
United Nations: Also in July, the UN human rights chief decried the widespread use of Pegasus to illegally undermine the rights of those under surveillance, including journalists & politicians, calling it “extremely alarming” & saying that it confirmed “some of the worst fears” surrounding the potential misuse of such technology.
Human rights experts working with the UN called for a moratorium on the sale & transfer of spyware & other surveillance technology until they’ve instituted “robust regulations that guarantee its use in compliance with international human rights standards.”
Amnesty International: The human rights group has accused Saudi Arabia of using Pegasus to spy on its employees. In 2019, Amnesty announced that it was taking the Israeli Ministry of Defence (MoD) to court to force it to revoke NSO Group’s export license.
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
