
Got an Apple product? Make sure it's updated [Zero-day, zero click, FORCEDENTRY]

Apple has released an emergency security patch for iPhones, iWatches, Macs, and iPads.  The flaw exists in iMessage and is exploited by sending a specially crafted psd file and has been used by the NSO group to install Pegasus spyware.  The exploit was discovered by a team of researchers analyzing phones of people who had the spyware and has now been patched.

 

If you own an Apple product, make sure it is up to date; I'm sure it's just a matter of time before someone reverses it and tries a non-targeted general attack.

 

https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

Quote

While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.

Quote

27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.

https://gizmodo.com/go-update-your-iphone-ipad-mac-and-apple-watch-right-1847667694

Quote

Meanwhile, as Citizen Lab researcher John Scott-Railton told the New York Times, whoever is behind the exploit can do “everything an iPhone user can do on their device and more” once it’s infected. This includes tracking any texts or emails sent, any calls made, and switching on a device’s camera without the user’s knowledge. Even if those communications happen over an encrypted app, like Signal or Telegram, NSO can still harvest that data and pass it back to their clientele, the Times reports.

 

This doesn't really surprise me. It always seems as though it is the image processing that ends up being the target of exploits (so many things can go wrong in an image file, and yet users expect that images should be displayed). I predict that there will be a day when one of these exploits (either Android or Apple...or worse, both at once) is released for the sole purpose of disrupting the cell network (a terrorist kind of attack). Imagine if this was used to make it self-replicating: it sends a message to all the person's friends and contacts, and then all at once kills the device or floods the network. With our modern reliance on phones, this kind of attack could be used to severely disrupt commerce.

 

This is also why I dislike auto-preview from unknown contacts...I'm surprised that more apps don't have the option to disable that.

3735928559 - Beware of the dead beef
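As an added example (not from the thread or from Citizen Lab), here is a small Python check for the trait the quoted write-up describes: files named ".gif" whose bytes are actually an Adobe PSD document. The sample files, the ten-character filename alphabet and the 748-byte padding are constructed here to mirror that description, not taken from real samples.

```python
"""Flag image files whose extension disagrees with their magic bytes.

Added example, not code from the thread. Sample inputs are constructed.
"""
import re
from typing import Dict, List, Optional

# Well-known file signatures (first bytes) for common image containers.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "psd": (b"8BPS",),  # Adobe Photoshop document header
}

# The quoted report describes "random-looking ten-character filenames" with a
# ".gif" extension; the alphanumeric alphabet used here is an assumption.
RANDOM_GIF_NAME = re.compile(r"^[A-Za-z0-9]{10}\.gif$")


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def assess(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type in the bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    actual = sniff(data)
    reasons: List[str] = []
    if actual is not None and ext in MAGIC and actual != ext:
        reasons.append(f"extension .{ext} but content is {actual}")
    if actual == "psd" and RANDOM_GIF_NAME.match(filename):
        reasons.append("PSD body under a ten-character .gif name")
    return {"file": filename, "claimed": ext, "actual": actual,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan(files: Dict[str, bytes]) -> List[dict]:
    """Assess every (name, bytes) pair; intended for extracted attachments."""
    return [assess(name, data) for name, data in files.items()]


# Constructed samples: a genuine GIF header, a PSD header under a ten-character
# .gif name padded to 748 bytes (the size quoted above), and a PNG.
SAMPLES = {
    "holiday.gif": b"GIF89a" + b"\x00" * 40,
    "q7Xk2mP9aZ.gif": b"8BPS" + b"\x00\x01" + b"\x00" * 742,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
}

if __name__ == "__main__":
    for result in scan(SAMPLES):
        print(result)
```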


==thread cleaned==

do not make this apple vs android

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


Hm....

So I cannot get spyware, OR I can get a jailbreak when this is misused into one in half a month?

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:



2 minutes ago, HelpfulTechWizard said:

Hm....

So I cannot get spyware, OR I can get a jailbreak when this is misused into one in half a month?

Wait, was this patched by accident in the iOS 15 beta? I don't have an update for it; I've not installed an update for a while.


4 minutes ago, HelpfulTechWizard said:

Wait, was this patched by accident in the iOS 15 beta? I don't have an update for it; I've not installed an update for a while.

From what I can tell, the iOS 15 beta hasn't been patched yet (but hopefully will be soon). I don't have any official source on that though, just things on Reddit, so take it with a grain of salt...given how far back this goes, I am guessing it likely is exploitable on the iOS 15 beta.


Just now, wanderingfool2 said:

From what I can tell, the iOS 15 beta hasn't been patched yet (but hopefully will be soon). I don't have any official source on that though, just things on Reddit, so take it with a grain of salt...given how far back this goes, I am guessing it likely is exploitable on the iOS 15 beta.

The link you posted says running iOS 14.8 or below, hence my confusion.


1 hour ago, wanderingfool2 said:

The flaw exists in iMessage

Well then, I guess this doesn't apply to my Hackintosh

(I hadn't set it up, and basically forced it to not work by accident, so yea)

Unless, of course, it moves on from iMessage.

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


iOS 15 GM (basically a pre-release) just released; not exactly sure if it includes a patch for this exploit.

🙂


10 minutes ago, duncannah said:

iOS 15 GM (basically a pre-release) just released, not exactly sure if it includes a patch for this exploit

Looks like a full release?
It doesn't have beta in the name, and the info is an actual description, not a link to the iOS 15 website.

ALSO WOW 6.08GB!??!??? The hell are they adding? The Library of Congress or some crap?


I think it's worth noting that this exploit was developed in collaboration with governments in order to "investigate terrorism and crime".

 

 

Who would have thought that an exploit used by governments to circumvent protection on our devices would end up being used for malicious purposes... 

I am very surprised by this since it has never happened before. 

 

(heavy sarcasm) 

 

 

This exploit was developed in order to fight terrorism but has since been found to be misused to spy on journalists, human rights activists, diplomats, doctors, union leaders and politicians among others. It's not like it is happening in countries like China either. It's happening in western civilized countries like France and Hungary as well. 


27 minutes ago, HelpfulTechWizard said:

ALSO WOW 6.08GB!??!??? The hell are they adding? The Library of Congress or some crap?

Apple spyware to ensure you don't engage in "wrong think". All that AI, it takes extra code and processing cycles to pull that off. Thank goodness the power of iPhone 13 can help take a load off it. amiright?


10 minutes ago, StDragon said:

Apple spyware to ensure you don't engage in "wrong think". All that AI, it takes extra code and processing cycles to pull that off. Thank goodness the power of iPhone 13 can help take a load off it. amiright?

There's not anything in that that's not in the beta.

Actually, the final release is going to remove a lot of stuff that's beta, including a whole app.

Really, it's probably just a less efficient than possible update.


8 minutes ago, LAwLz said:

I think it's worth noting that this exploit was developed in collaboration with governments in order to "investigate terrorism and crime".

 

 

Who would have thought that an exploit used by governments to circumvent protection on our devices would end up being used for malicious purposes... 

I am very surprised by this since it has never happened before. 

 

(heavy sarcasm) 

NSO is a private cyber intelligence company that found this exploit and used it.

As far as I know, they are the only ones who knew about and exploited it.

 

NSO developed its tools by itself, and didn't collaborate with any government to develop their technologies.

 

NSO lets governments with no cyber capabilities rent their services and buy licenses to their software.

 

Apparently many of their clients violated the terms of service and used their tech for things other than fighting terrorism.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

1 hour ago, Vishera said:

NSO is a private cyber intelligence company that found this exploit and used it.

As far as I know, they are the only ones who knew about and exploited it.

 

NSO developed its tools by itself, and didn't collaborate with any government to develop their technologies.

I guess it depends on what you define as "collaboration". To elaborate on what I mean, the NSO Group's customers are governments, so that's where the money comes from, and a lot of their employees, including the founders, are former government employees (more specifically, from the Israeli Intelligence Corps, which is part of the Israel Defense Forces). Other reasons why I say it was a collaboration with governments are that it's the Israeli Ministry of Defense that handles the licensing of the software, and, from experience, when you've got multi-year contracts with governments to provide them a service, they often come with their own input. These types of contracts are not as one-sided as most consumer-facing deals are.

 

Do I think government employees sat alongside NSO and wrote code? Probably not, but when a piece of software like this is developed by ex-government employees (that most likely still have contact with their former employers), the software is funded by governments, who also provide feedback and change requests, and the government is involved with the licensing of the software, then I think it's fair to say it's a collaboration.

On top of all that, the Israeli government has even been participating in marketing meetings when the software was being sold. For example, it was Israel's government that encouraged the UAE and other Gulf states to buy the software.

 

 

1 hour ago, Vishera said:

NSO lets governments with no cyber capabilities rent their services and buy licenses to their software.

 

Apparently many of their clients violated the terms of service and used their tech for things other than fighting terrorism.

It's not just countries with no cyber capabilities that have bought these services. Australia is one of their customers, and they have a really big cyber security branch that is also backed by the US and the UK among others (through Five Eyes). Israel is also a customer and, as you probably know, they are pretty big into cyber warfare.

 

Anyway, I am not surprised that many of their clients ended up abusing these tools. We see it time and time again. Give someone some power and they will end up using it for their own personal gains sooner or later. And in the case of this malware, once the genie is out of the bottle there isn't much that can be done. Detecting misuse is also very hard since NSO can't possibly keep track of the hundreds of thousands of people this tool is being used against.

Hell, I am not even sure NSO cares. If you sell your software to known dictatorships with a well known history of abuse then you can't really play ignorant and go "we had no idea our software was being used for the wrong purposes".


Of course, said important security fix cannot be downloaded over my unlimited data plan…

 

Some things Apple does really makes no sense. I’ll have to wait a bit to get to a wifi point. 

My eyes see the past…

My camera lens sees the present…


Thread cleaned again. No fanboy arguments. If you see someone instigating fanboy arguments don't get caught up in it.

  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • No trolling or flame-bait.
    • This includes topics such as AMD vs NVIDIA, "company X sucks", and religious debates

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


14 hours ago, wanderingfool2 said:

Imagine if this was used to make it self replicating, sends a message to all the person's friends contacts, and then all at once kill the device or flood the network.  With our modern reliance on phones, this kind of attack could be used to severely disrupt commerce.

I don't think they haven't thought of it but damn I don't want to give them any ideas either. After every major event or disaster cell networks get hammered and basically fail. A replicating denial of service malware would easily do the same, ahhhh.


1+ GB for a patch, or for a full .x upgrade? 1 gig patches are really unusual. Just goes to show you how dangerous the spyware was. Nobody should be able to develop and use shit like this.


15 hours ago, wanderingfool2 said:

Imagine if this was used to make it self replicating, sends a message to all the person's friends contacts, and then all at once kill the device or flood the network.  With our modern reliance on phones, this kind of attack could be used to severely disrupt commerce.

That would be a bad thing for the exploit. The point of having a zero day is that nobody knows about it and the thing that keeps zero days a secret is mild and targeted use. The more exposure you give your malware, the more chance there is of people discovering it and it being patched.

 

If the intent was a huge DDOS or to deliver ransomware then sure but in this case the intent was very much covert spying of targeted individuals.

 

Of course there's nothing stopping other entities from discovering it (cough CCP cough), forking a variant with any changes they want and releasing it, this is why NSO only deal with governments.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


1 hour ago, Master Disaster said:

That would be a bad thing for the exploit. The point of having a zero day is that nobody knows about it and the thing that keeps zero days a secret is mild and targeted use.

But he was precisely talking of the use case where you don't care about blowing the exploit, just use it once to create the most havoc possible.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


6 minutes ago, Kilrah said:

But he was precisely talking of the use case where you don't care about blowing the exploit, just use it once to create the most havoc possible.

Oh I know, I even alluded to that later in the post. I was just talking more in general terms; it's pretty unusual for a zero day to be used to cause mass havoc, most people sit on them and use them carefully.


I've known several people who haven't updated iOS in ages because their phones are full of pictures and video. Transferring photos with iOS is a major PITA that involves using iTunes with a Lightning cable. I really wish they made it easier to enable a function (temporarily, for security reasons) to access the phone like a USB flash drive and copy files manually (drag and drop in Windows Explorer).

 

Of course Apple's solution is just to get more iCloud storage or upgrade the phone with more storage. 🙄
