Apple has released security updates for a zero-day vulnerability that affects every iPhone, iPad, Mac, and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to update their devices immediately.
The tech giant said iOS 14.8 for iPhones and iPads, along with new updates for Apple Watch and macOS, would fix at least one vulnerability it said “may have been actively exploited.”
Citizen Lab said it discovered new artifacts of the ForcedEntry vulnerability, details of which it first revealed in August as part of an investigation into a zero-day vulnerability that was used to silently hack into iPhones owned by at least one Bahraini activist.
Last month, Citizen Lab said the zero-day flaw – so named because it gives companies zero days to deploy a fix – took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli company NSO Group, onto the activist’s phone.
Pegasus gives its government clients nearly complete access to a target’s device, including their personal data, photos, messages, and location.
The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the exploit also pierced the new iPhone defenses that Apple had built into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering out potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to bypass Apple’s BlastDoor protections.
In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, running the latest version of iOS at the time. The researchers said the exploit takes advantage of a weakness in the way Apple devices display images on the screen.
Citizen Lab now says the same ForcedEntry exploit works on all Apple devices that were, until today, running the latest software.
Citizen Lab said it communicated its findings to Apple on September 7. Apple has released updates for the vulnerability, officially known as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen but has not yet published.
Citizen Lab researcher John Scott-Railton told TechCrunch that messaging apps, like iMessage, are increasingly the target of nation-state hacking operations and this latest finding underscores the challenges of securing them.
In a brief statement, Apple’s head of engineering and security architecture Ivan Krstić confirmed the fix.
“After identifying the vulnerability used by this exploit for iMessage, Apple quickly developed and deployed a patch in iOS 14.8 to protect our users. We would like to commend Citizen Lab for successfully completing the very difficult job of obtaining a sample of this exploit so that we can develop this fix quickly. Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals. While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers, and we are constantly adding new protections for their devices and data,” said Krstić.
NSO Group declined to answer our specific questions.
Updated with comment from Apple.