
Apple’s biggest bite − the zero-click invasion continues

Thousands of iPhone users affected by the zero-click vulnerability and Pegasus spyware.

Updated: September 23, 2021 By Darina Shramko


Attention: a dangerous worm has been found in your apple, and it can do you irreparable harm! But...unfortunately, I'm not talking about the juicy fruit of the apple tree at all.

So, what is this mysterious worm, and why is it so dangerous? The fact is that a vulnerability has been found in Apple devices, one that the company's developers have been struggling with for more than a year.

On the current version of iOS, the Pegasus spyware of the Israeli company NSO Group is being delivered through a new zero-click exploit.

Initially, Pegasus was built for law enforcement to conduct investigations and gather evidence. In the wrong hands, however, this spyware has spread across the planet.

For example, Amnesty International reported on journalists and lawyers whose iPhones were hacked through iMessage.

So, how serious is a zero-click vulnerability, and what do you need to protect your Apple devices? Read about this and much more in today's guide!

Why is Zero-Click vulnerability so dangerous?

Zero-click is far from a new class of attack, but it received widespread publicity after a security researcher known as Siguza (@s1guza) posted on Twitter that he had discovered a zero-day vulnerability in iOS 13.4.

Siguza’s message on Twitter about zero-click vuln in the 13.4 iOS firmware

His message, posted about a year ago, caused a stir, and the researcher succeeded in drawing attention to the problem.

So, a zero-click attack is a remote attack on a device that requires no action at all from the user: no link to tap, no attachment to open.

Some zero-click attacks are carried out over the air; for those, it is enough for the victim to be within range of the wireless channel the attacker is abusing. The iMessage attacks discussed here do not even need proximity: the attacker only needs the target's phone number or Apple ID, because the message is delivered over the Internet and the phone parses it automatically on arrival.

According to the rights organization Citizen Lab and an international media consortium, thousands of journalists, politicians, and activists who criticize authoritarian governments, such as those of Mexico, Morocco, and the United Arab Emirates, have been targeted with zero-click attacks.

Their analysis revealed that the journalists' phones were infected with Pegasus spyware through a zero-click vulnerability in Apple's iMessage.

An exploit for a zero-click flaw in iMessage is dangerous because the spyware can get onto a device almost without the owner's knowledge: the phone processes the malicious message as soon as it arrives, so the victim does not need to open or read it, let alone tap a link.

For example, Amnesty International reported the hacking of phones of political activists and journalists whose iPhones were running iOS 14.6 (the current version at the time of writing is 14.8).

Amnesty International's findings are confirmed by Bill Marczak of Citizen Lab, who analyzed the Pegasus samples. According to the experts, Pegasus was installed on an iPhone 12 Pro Max running iOS 14.6 without any user interaction.

I was amazed that even the vaunted BlastDoor, which Apple's programmers introduced in iOS 14, could not withstand the zero-click attack. BlastDoor was created as a shield between incoming messages and user data, parsing attachments in isolation so that malformed files can do no harm.

Apple did not announce BlastDoor when it shipped in iOS 14; it was found by outside researchers, and their assessment of how secure the new mechanism is can still be read.

For example, Samuel Groß of Google Project Zero describes BlastDoor as a tightly sandboxed service responsible for parsing all untrusted data that arrives via iMessage.

BlastDoor implementation

Image source − googleprojectzero.blogspot.com

So, BlastDoor is an iMessage security service that runs in its own heavily restricted sandbox, separate from the rest of the system.

The BlastDoor service parses all incoming messages and their attachments inside that sandbox, so malicious content in an iMessage has no direct way to interact with the rest of iOS or to reach user data; if the parser crashes or is hijacked, the damage is meant to stay inside the sandbox.
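To make the isolation idea from the two paragraphs above concrete, here is an added example of my own (not Apple's BlastDoor code and not taken from Project Zero's write-up) of the same pattern in Python: a broker hands attacker-controlled bytes to a parser running in a separate, resource-limited child process, accepts only a small plain-data result back, and treats a crash or a hang as "reject the attachment". The toy attachment format, the deliberately fragile parser, and the sample messages are all constructed for this example.

```python
import multiprocessing as mp
import struct

# Constructed toy "attachment" format for this example (not a real GIF decoder):
#   6 bytes  signature  b"GIF89a"
#   2 bytes  width      little-endian
#   2 bytes  height     little-endian
#   1 byte   comment length n
#   n bytes  comment
HEADER = struct.Struct("<6sHHB")

# Constructed sample messages: one honest, one whose length field lies.
GOOD_ATTACHMENT = HEADER.pack(b"GIF89a", 320, 240, 5) + b"hello"
EVIL_ATTACHMENT = HEADER.pack(b"GIF89a", 320, 240, 200) + b"short"


def naive_parse(data: bytes) -> dict:
    """Deliberately fragile parser standing in for a real media decoder.

    It trusts the attacker-controlled length field, so a lying header makes it
    read past the end of the buffer and crash instead of failing cleanly.
    """
    sig, width, height, n = HEADER.unpack_from(data, 0)
    if sig != b"GIF89a":
        raise ValueError("bad signature")
    comment = bytearray()
    for i in range(n):
        comment.append(data[HEADER.size + i])  # IndexError when n > real length
    return {"width": width, "height": height, "comment": comment.decode("ascii", "replace")}


def _worker(data: bytes, conn) -> None:
    """Runs in the child. Tighten limits before touching untrusted bytes."""
    try:
        import resource  # POSIX only
        resource.setrlimit(resource.RLIMIT_CPU, (2, 2))      # seconds of CPU
        resource.setrlimit(resource.RLIMIT_NOFILE, (8, 8))   # no new files or sockets
    except (ImportError, ValueError, OSError):
        pass  # limits are defense in depth; the process boundary still holds
    conn.send(naive_parse(data))  # any exception here kills only this child
    conn.close()


def parse_in_sandbox(data: bytes, timeout: float = 2.0) -> dict:
    """Broker side: parse `data` in an isolated child and normalize the outcome.

    The broker never runs the parser itself. It gets back either a small
    plain-data result, an EOF (the child crashed), or nothing (the child hung),
    and it keeps running in all three cases.
    """
    recv_end, send_end = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(data, send_end))
    proc.start()
    send_end.close()  # only the child may write now

    result = None
    if recv_end.poll(timeout):
        try:
            result = recv_end.recv()
        except EOFError:
            result = None  # child exited without sending: it crashed
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return {"status": "rejected", "reason": "parser timed out"}
    # Re-validate every field: only fixed-shape plain data crosses the boundary.
    try:
        return {
            "status": "ok",
            "width": int(result["width"]),
            "height": int(result["height"]),
            "comment": str(result["comment"])[:64],
        }
    except (TypeError, KeyError, ValueError):
        return {"status": "rejected", "reason": f"parser died (exit code {proc.exitcode})"}


if __name__ == "__main__":
    print(parse_in_sandbox(GOOD_ATTACHMENT))
    print(parse_in_sandbox(EVIL_ATTACHMENT))
    print("broker still alive")
```

Run it and the honest attachment comes back as width, height and comment, while the lying one kills the child with an unhandled IndexError and the broker simply reports a rejected attachment and carries on. That is the whole point of a BlastDoor-style design: the parser bug is still there, but its blast radius is the throwaway child, not the messaging app. The example also shows the weak spot FORCEDENTRY went after: whatever the sandboxed parser is allowed to do and send back is exactly what an attacker who hijacks it gets to do, so the result validation and the limits on the child matter as much as the process boundary itself.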

The idea is a good one. The implementation, as practice shows, was not enough.

As you can see, iOS 14 still could not resist the malicious Pegasus delivery code.

Citizen Lab named the zero-click exploit FORCEDENTRY, a nod to the way it forces its way past BlastDoor, and the name is now used by programmers and security specialists alike.

Now that we have looked at how a zero-click attack works and how BlastDoor is implemented, it's time to move on to the main question: what is Pegasus, and why is it so dangerous?


How does Pegasus spyware work?

Pegasus is spyware developed by the Israeli company NSO Group and sold to law enforcement agencies for investigating crimes.

Pegasus lets customers (according to the company, exclusively governments and never individuals) target specific phone numbers in the course of an investigation.

Rather than trying to intercept encrypted data in transit between devices, Pegasus gives the operator control of the device itself and access to everything stored on it, with round-the-clock remote access.

The spyware logs keystrokes on the infected device, including search queries and even passwords, and passes them to the client. Pegasus also has access to the phone's microphone and camera, turning it into a mobile bugging device.

Hacking a phone allows a hacker to gain administrator rights on the device. This allows you to do whatever you want on the phone.

− Claudio Guarnieri of Amnesty International's Security Lab, which developed a methodology for analyzing infected devices.

How Pegasus Spyware works

Image source − blog.qualys.com

Governments of many countries want Pegasus's capabilities because they help track the movements of terrorists and criminals and investigate crimes.

However, the iPhone hacking scandal shows that NSO Group most likely sold its technology to countries with dubious human rights records.

The testimony of activists and public figures indicates that India, Azerbaijan, Mexico, the United Arab Emirates, Saudi Arabia, Rwanda, and others have used NSO Group spyware for purposes far removed from fighting crime.

My own digging showed that iMessage is not the only entry point for Pegasus.

An interesting document came into my hands: Technical Analysis of the Pegasus Exploits on iOS. After reading it, I found that a zero-day vulnerability had also been exploited through the Safari browser.

That attack is not zero-click, but it is simple: the victim only needs to tap a phishing link, which opens in Safari.

The exploit chain, dubbed Trident, uses Safari to run a JavaScript payload that exploits the first vulnerability, a memory-corruption bug in WebKit's JavaScriptCore library (CVE-2016-4657), to execute arbitrary code in the context of the Safari WebContent process.

In the second stage, a kernel information leak (CVE-2016-4655) reveals where the kernel sits in memory, and a kernel memory-corruption bug (CVE-2016-4656) is then used to take control of the kernel, which amounts to a jailbreak.

Finally, the third and most involved stage uses that kernel control to get root on the iPhone, disable code signing, and drop and activate the jailbreak binary together with the espionage payload. This stage does not need a fourth bug: it rides on the same kernel memory corruption from the previous stage (CVE-2016-4656).

Trident, unlike FORCEDENTRY, is a rather old exploit chain: it was discovered in 2016 against iOS 9 and patched in iOS 9.3.5.

From this we can conclude that the hacking of journalists' iPhones with Pegasus is far from the first case of this spyware being misused.

During my research, I also found that many enthusiasts publish their own prototypes of "Pegasus exploits" on GitHub.

Prototypes of Pegasus exploits on GitHub

After the scandal over the hacking of journalists' iPhones, curious Internet users flooded the forums hoping to find the Pegasus code or a link to download the program.

User’s questions about Pegasus on IT-forums

Forum administrators closed such threads for security reasons, to avoid spreading malicious links.

Important: everything published on the Internet under the guise of "Pegasus code" is at best a programmer's improvisation and at worst bait, since the real Pegasus costs a great deal of money and is used exclusively by government customers. It is impossible to buy Pegasus without special permission!

Despite the curiosity, I still do not recommend running any such "exploit" on your device, even for experimental purposes.

Pegasus is not entertainment but serious state-level spyware. That software of this caliber has been used by third parties to spy on journalists is unacceptable!


How to secure your iPhone?

It's unlikely that Pegasus will spread to mass proportions, because developing and deploying it costs a lot of money.

Like my colleagues, I assume the spyware will be aimed at specific individuals (as happened to the journalists, for political reasons). However, even if you aren't Agent 007, it's too early to relax.

Who knows what surprises hackers will bring us next, so I still recommend taking care of the security of your iOS device now, before it's too late.

So, where do you start?

  • The first thing you should do is update your software.

To do this, go to Settings − General − Software Update.

iPhone Software Updating

Always install the new version! Apple fixes bugs and hardens the device with each release; iOS 14.8, for example, shipped the fix for the CoreGraphics bug that FORCEDENTRY abused (CVE-2021-30860).

By the way, I highly recommend enabling automatic software updates so that you always have the latest version.

  • Having studied how Pegasus is distributed, I can say that malicious code can reach a device both through iMessage and through the standard Safari browser.

Unfortunately, Apple does not let you remove iMessage, but you can switch it off under Settings − Messages − iMessage: with the service off, the phone no longer receives iMessages at all (SMS still works), which closes that delivery channel. With Safari, things are less clear-cut.

The most radical option is to stop using Safari and switch to another browser (for example, Aloha Browser) together with private search engines. Keep in mind, though, that every browser on iOS must use Apple's WebKit engine, so a third-party browser shares WebKit's bugs; what you gain is tracking protection, not immunity from Trident-style exploits.

  • Use a VPN. It hides your real IP address and location from the sites and services you connect to, so it's harder for an attacker to profile you by network address. Be clear about what it does not do, though: a VPN does not stop an iMessage zero-click, which rides on Apple's own message delivery.
  • Don't click on suspicious links or open messages in the mail folder marked "Spam"; they may contain malware or phishing links.

Conclusion

No one expected national governments to use spyware for personal gain.

Until people realize how serious the capabilities of Pegasus are, mobile devices will remain at risk.

I hope that with the release of iOS 15, zero-click vulnerabilities will disappear from devices for good, and millions of Apple users will feel safe again.

I was glad to talk with you about such a topic and to warn you about the possible dangers hiding in your iPhone. Even if you are not a politician, you still need to take care of your data security, because who knows how far the authorities will go in their desire to control society.

Dear readers, share your opinion about Pegasus in the comments. Do you think the victims will be able to prove the guilt of NSO Group?

Take care of yourself and see you soon!

Author
Darina Shramko
Cybersecurity specialist and researcher.
