Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label BlastDoor. Show all posts

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Google Researcher Groß Identifies the BlastDoor Device in Apple iOS 14

 

Last year, Apple rolled out iOS 14 with many new features, tighter privacy laws, and elements that make the iPhone smarter, introducing to the iPhone and iPad versions a new safety mechanism primarily for the detection of malware attacks from the iMessage network. The BlastDoor Security Sandbox tool was launched in an upgrade to the iOS 14 in September 2020 and discovered that the MacOS 11.1 was running on the M1 powered Mac Mini after reverse engineering and is meant to protect parsing of untrusted data from messaging client iMessage. The service is claimed to be written in swift, a standard memory-safe language that is "significantly harder" for introducing classic vulnerabilities to memory manipulation into the codebase — in this iMessage.

The BlastDoor device, concealed inside iOS 14, has been identified by Samuel Groß, a security researcher with the Project Zero team of Google. The prosecutor wrote a blog post on the scope of the current framework to protect consumers from bad actors.

The main function of BlastDoor is to unpack and process incoming messages in a secure and isolated environment where any malicious code embedded in a message cannot communicate with, disrupt, or recover user data on the underlying operating system. The BlastDoor service only functions for iMessage, so it reads all the obtained data as a connection. When a link is submitted via iMessage, a sample of a webpage will first be made of the sending system and metadata (such as title and page descriptor) gathered until the link is bundled into a folder. This archive is then encrypted and directly submitted to iCloud servers with a temporary key. Once the connection is received, the keys sent to the receiver will be decoded. All this exists inside the operation BlastDoor. 

Since several security analysts had previously found out that the iMessage service did an inadequate job of sanitizing incoming user data, the need for a service such as BlastDoor was evident. In the last three years, several incidents have occurred in which security researchers or real-world attackers have discovered and exploited iMessage Remote Code Execution (RCE) problems to hack them by transmitting a simple email, picture, or video to a computer. 

In 2019, Groß and his fellow security researcher Natalie Silvanovich discovered "zero interaction" faults in iMessage, which could allow attackers to read the contents of iPhone files without any note or message. The BlastDoor device is likely to fix these problems.

Furthermoore, Groß stated in the blog post, "Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole."