Apple has issued a patch for a recently discovered vulnerability that has reportedly been exploited by government customers of Israeli cyber security firm NSO Group to install its Pegasus spyware on target Apple devices.
Listed as CVE-2021-30860, the arbitrary code execution vulnerability was uncovered by The Citizen Lab – which has been investigating and campaigning against the use of NSO’s products by various governments to spy on activists, journalists and politicians.
The zero-day, which The Citizen Lab has dubbed ForcedEntry, was discovered during analysis of a Saudi activist’s phone that had been infected with Pegasus, and first disclosed in August 2021. Following its investigation, the group claimed NSO has been using CVE-2021-30860 since February 2021. ForcedEntry is an integer overflow vulnerability that exists in Apple’s CoreGraphics image rendering library and can be exploited if the target processes a maliciously crafted PDF file.
The Citizen Lab said ForcedEntry impacts all iPhones running iOS versions before 14.8, all Mac computers running OSX prior to Big Sur 11.6 Security Update 2021-005 Catalina, and Apple Watches running prior to watchOS 7.6.2. In its disclosure, Apple additionally stated that iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation are at risk.
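As an added example that is not part of the article, the following Python script turns the version floors quoted above into a fleet patch-compliance check over a constructed, hypothetical MDM-style inventory; the device ids, field names and the inventory itself are assumptions, and Catalina hosts are flagged for manual review because Security Update 2021-005 is not reflected in a version number.

```python
# Added example (not from the article): a patch-compliance check over a
# constructed MDM-style inventory, using the fixed versions the article cites
# for CVE-2021-30860 (iOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2).
# Catalina is patched via "Security Update 2021-005", which a version number
# alone cannot confirm, so those hosts are flagged for manual verification.

FIXED = {
    "iOS": (14, 8),
    "watchOS": (7, 6, 2),
    "macOS": (11, 6),   # Big Sur; Catalina (10.15) handled separately
}

def parse_version(s):
    """'14.7.1' -> (14, 7, 1). Tuples compare element-wise, and a
    shorter tuple sorts before a longer one with the same prefix,
    so (14, 8) < (14, 8, 1) as expected."""
    return tuple(int(p) for p in s.strip().split("."))

def assess(device):
    """Return 'patched', 'vulnerable' or 'manual' for one inventory record."""
    platform, ver = device["platform"], parse_version(device["version"])
    if platform == "macOS" and ver[:2] == (10, 15):
        return "manual"          # Catalina: check for Security Update 2021-005
    if platform not in FIXED:
        return "manual"          # unknown platform: do not guess
    return "patched" if ver >= FIXED[platform] else "vulnerable"

def triage(inventory):
    """Group device ids by assessment so the vulnerable set can be actioned."""
    out = {"patched": [], "vulnerable": [], "manual": []}
    for d in inventory:
        out[assess(d)].append(d["id"])
    return out

# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "14.7.1"},
    {"id": "iphone-02", "platform": "iOS", "version": "14.8"},
    {"id": "watch-01", "platform": "watchOS", "version": "7.6.1"},
    {"id": "mac-01", "platform": "macOS", "version": "11.5.2"},
    {"id": "mac-02", "platform": "macOS", "version": "10.15.7"},
    {"id": "mac-03", "platform": "macOS", "version": "11.6"},
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {ids}")
```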
“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” wrote The Citizen Lab’s research team members, Bill Marczak, John Scott-Railton, Bahir Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan and Ron Deibert, in a disclosure blog.
“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organisations, as we and others have shown on multiple prior occasions, and as was the case again here.
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism as a service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed,” they added.
Apple’s head of security engineering and architecture Ivan Krstić commended the research team for their work in obtaining a sample of ForcedEntry so that a patch could be quickly developed.
In a statement to the UK’s Guardian newspaper, Krstić said attacks such as the ones developed at NSO were sophisticated, often short-lived, and used in limited, specific circumstances, and as such were less likely to impact the majority of users of Apple products.
Nick Tausek, security solutions architect at Swimlane, commented: “This zero-day, zero-click vulnerability is significant because it requires no user interaction and impacts all versions of Apple’s iOS, OSX, and watchOS.
“While the first inclination is to focus the impact to consumers, the much larger danger lies within companies whose employees are using their personal Apple devices for work.
“To prevent vulnerabilities such as this one from compromising employees and the organisation’s sensitive data, companies should look to centralise and automate their current security threat detection, response and investigation protocols into a single platform.
“By embracing comprehensive security automation, security teams can also free up time to keep up with the evolution of threat tactics, ultimately enhancing security preparedness,” he added.
Time for action
NSO continues to maintain that it sells Pegasus only to a set of carefully vetted government bodies and law enforcement agencies, and that any malicious use of its products results in access being terminated.
It states that Pegasus has helped disrupt terrorist attacks and sex- and drug-trafficking rings, bring child abusers to justice, and assist emergency services in locating survivors following natural disasters.
Nevertheless, as knowledge of how Pegasus is used by some governments continues to spread, calls are growing for investigations into NSO’s business, with US lawmakers among those accusing the company of an “arrogant disregard” for the concerns surrounding its use. United Nations (UN) human rights experts have also called for a global moratorium on the use of surveillance technology.
Among those advocating for global action on surveillance technology is Comparitech privacy advocate and security commentator Paul Bischoff. In earlier comments shared with Computer Weekly, Bischoff said: “NSO Group says it only sells its software to legitimate government agencies, but the evidence shows it’s repeatedly being used to target journalists, dissidents, and activists by authorities with histories of corruption and human rights abuses.
“Those authorities would not have the same spying capabilities without NSO Group. There is no real legitimate use for NSO Group’s malware. We should immediately declare an international moratorium on private sales of spyware.”