Apple iMessage Zero-Click Vulnerability
September 21, 2021
By now you’ve likely seen in the news a serious vulnerability in the “Apple ecosystem” with iMessage. While it has been well-covered in the media, for small business professionals there are two issues in particular we would like to bring to your attention that may help you better protect your business.
Many people praise the Apple ecosystem for the convenience it provides its users to sync, share, and socialize across multiple Apple devices. This convenience comes at a cost, though: these ever-connected devices can be more vulnerable to the spread of an infection. This is especially true of versatile services like iMessage, which can send or receive a very wide range of file types across multiple devices seamlessly.
Thanks to a report released by Citizen Lab — a watchdog organization at the University of Toronto that researches and investigates the abuse of technology — Apple discovered that a security vulnerability, CVE-2021-30860, was used in an exploit that could infect devices with powerful spyware called Pegasus, made by the Israeli company NSO Group.
What is the issue?
This zero-click, zero-day vulnerability — dubbed ForcedEntry by Citizen Lab — targets Apple’s image rendering library (called CoreGraphics) and is effective against iOS, macOS, and watchOS devices. Importantly, unlike other attacks, it can be executed without the user having to click, tap, or approve anything. This has obvious implications for small businesses, because no amount of staff training can prevent this kind of penetration.
In this case, Citizen Lab discovered that devices were sent seemingly harmless GIF files that were intentionally mislabeled. These files, received via iMessage, exploited Apple’s image rendering library and caused a crash of a system application, leading to the installation of the Pegasus malware.
Pegasus is capable of reading text messages, emails, phone calls, and the user’s location, and can turn on a device’s cameras and microphones without warning or notification.
Apple has built its operating systems (OS) on the principles of a closed ecosystem, a concept that concerns some security experts. The OS is designed to compartmentalize third-party applications and to allow only apps from the official App Store, which have been heavily vetted and scrutinized, to be installed. Because of this design, the OS is well protected from those apps being malicious, but it leaves limited room for additional or more sophisticated scanning or protection tools that could better protect Apple devices from being compromised in other ways.
What does it mean for me?
Today, these attacks from the NSO Group are not a threat to most Apple users, as the group’s customers (who buy spyware like Pegasus) usually target high-profile individuals such as intelligence agents and reporters. The concern, and the reason to be aware, is that these tools can be a template for attacks that other cybercriminals will learn from and copy.
Small business professionals who use Apple devices in their office need to be aware that this is a critical vulnerability and an infection of this type could spread through your office network.
Anyone can send anyone else an iMessage; knowledge of the victim's phone number is enough to initiate exploitation, which is a very low barrier to entry. Unlike malicious emails and phishing scams, which are very often scanned and caught by email or internet service providers, iMessage’s end-to-end encryption means no intermediary can inspect message content, so malicious content is not scanned before it reaches the device.
What should I do?
Apple acted quickly and fixed this specific vulnerability with a security patch, so you should update the software on all your devices immediately if you have not already done so. Every software update pushed out in this urgent manner by Apple, Microsoft or any other vendor is a statement that the fix matters, so it should be taken seriously and installed immediately.
Zero-click attacks like this one thrive on their ability to slip in and install software without the user needing to take any action. A simple way to protect yourself is to do most of your day-to-day computing from a secondary account with limited access or privileges (a standard account rather than an administrator account). If malware does attempt to infiltrate your system while you’re on a limited account, it will have a much harder time, because an administrator’s password is required before any changes to your software can be made.
Of course, if you’re still worried about the increased vulnerability of Apple’s messaging platform, you can always deregister and turn off iMessage. Apple also allows iMessage users to block, filter, or report messages from unknown senders, but those messages do still reach the device, and it's unclear whether filtering those senders blocks the attack code from executing.
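The two checks above (is the device on the patched OS version, and is daily work being done from a non-administrator account) can be turned into a short script a small office can run on each Mac. The script below is an added example and is not from the original article or from Apple. It assumes the macOS commands `sw_vers` and `id`, which exist on macOS; the required version is left as a placeholder to be filled in from Apple's advisory for CVE-2021-30860, since the article does not state it. The version comparison is done field by field, because a plain string comparison would wrongly rank a version such as 11.10 below 11.6.

```shell
#!/bin/sh
# Added example: two defender-side checks for the advice in the article above.
# PATCHED_MACOS_VERSION is a placeholder; set it to the version listed in
# Apple's security advisory for CVE-2021-30860 before relying on the result.

# version_ge HAVE NEED: returns 0 when dotted version HAVE >= NEED, 1 otherwise.
# Each numeric field is compared separately; missing fields count as 0,
# so "11.6" and "11.6.0" compare equal and "14.10" is newer than "14.8".
version_ge() {
    v_have="$1"
    v_need="$2"
    while [ -n "$v_have" ] || [ -n "$v_need" ]; do
        a="${v_have%%.*}"
        b="${v_need%%.*}"
        if [ "$v_have" = "$a" ]; then v_have=""; else v_have="${v_have#*.}"; fi
        if [ "$v_need" = "$b" ]; then v_need=""; else v_need="${v_need#*.}"; fi
        a="${a:-0}"
        b="${b:-0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# in_admin_group "GROUPS": returns 0 when the space-separated group list
# (the format printed by `id -Gn`) contains macOS's "admin" group, meaning
# the account can authorise software changes without a second password.
in_admin_group() {
    for g in $1; do
        if [ "$g" = "admin" ]; then return 0; fi
    done
    return 1
}

# report: prints the two findings for the machine this runs on.
# The version check is only meaningful on macOS; elsewhere it is skipped.
report() {
    required="${PATCHED_MACOS_VERSION:-0.0}"   # placeholder, see note above
    if command -v sw_vers >/dev/null 2>&1; then
        have="$(sw_vers -productVersion)"
        if version_ge "$have" "$required"; then
            echo "macOS $have is at or above required $required"
        else
            echo "macOS $have is BELOW required $required: run Software Update now"
        fi
    else
        echo "sw_vers not found (not macOS): version check skipped"
    fi
    if in_admin_group "$(id -Gn)"; then
        echo "This account is an administrator: do daily work from a standard account"
    else
        echo "This account is a standard (non-administrator) account"
    fi
}

report
```

Run it as the account you normally work from; if it reports an administrator account, create a separate standard account for everyday use and keep the administrator account for installing updates. The account check covers only the defence the article describes (an administrator password being required for software changes), so it complements, rather than replaces, installing the patch.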
What’s more concerning than the sophistication of this attack is the sheer number of mobile devices that are susceptible, together with the very features that make them indispensable to us in the first place: they’re always on, always connected, and we use them for almost all of our communication, especially as we work from home.
With the amount of sensitive data now available on and through mobile devices, we should all prioritize security on our smartphones and tablets the same way we do on our computers.