Apple users urged to update software immediately after new iMessage vulnerability found

The vulnerability requires no user interaction and defeats Apple's security systems.
The vulnerability requires no user interaction and defeats Apple's security systems. Photo credit: Getty Images

New Zealand's cybersecurity agency CERT NZ has recommended Apple users update their software "as soon as possible" after a cyber surveillance company based in Israel developed a tool to break into iPhones.

"Attackers are exploiting a vulnerability referred to as 'ForcedEntry' which affects iOS, macOS, and watchOS which allows a remote attacker to gain access to a device without any user interaction," the agency wrote.

"The vulnerability has been exploited since at least February 2021. Apple has released an update to resolve this vulnerability."

If the tool is used, an attacker can execute arbitrary code on the affected device. This could mean internet passwords, online banking accounts and more could be impacted.

Reuters reported the exploit was created by NSO Group, who developed the Pegasus spyware.

In July it was reported its spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists around the world, including French President Emmanuel Macron.

An Apple spokesperson declined to comment regarding whether the hacking technique came from NSO Group.

An NSO spokesperson did not immediately respond to a request for comment.

Citizen Lab said it found the malware on the phone of an unnamed Saudi activist and that the phone had been infected with spyware in February. It is unknown how many other users may have been infected.

The intended targets would not have to click on anything for the attack to work. Researchers said they did not believe there would be any visible indication that a hack had occurred.

The vulnerability lies in how iMessage automatically renders images. iMessage has been repeatedly targeted by NSO and other cyber arms dealers, prompting Apple to update its architecture. But that upgrade has not fully protected the system.

"Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority," said Citizen Lab researcher John Scott-Railton.

The US Cybersecurity and Infrastructure Security Agency had no immediate comment.

Citizen Lab said multiple details in the malware overlapped with prior attacks by NSO, including some that were never publicly reported.

One process within the hack's code was named "setframed," the same name given in a 2020 infection of a device used by a journalists at Al Jazeera, the researchers found.

"The security of devices is increasingly challenged by attackers," said Citizen Lab researcher Bill Marczak.

A record number of previously unknown attack methods, which can be sold for US$1 million or more, have been revealed this year. The attacks are labeled "zero-day" because software companies had zero days' notice of the problem.

Along with a surge in ransomware attacks against critical infrastructure, the explosion in such attacks has stoked a new focus on cybersecurity in the White House as well as renewed calls for regulation and international agreements to rein in malicious hacking.

As previously reported, the FBI has been investigating NSO, and Israel has set up a senior inter-ministerial team to assess allegations that its spyware has been abused on a global scale.