FORCEDENTRY

Last updated
FORCEDENTRY
CVE identifier(s)
  • CVE- 2021-30860
  • CVE- 2021-30858
Date patchedSeptember 2021 [1]
DiscovererBill Marczak from Citizen Lab [1]
Affected software

FORCEDENTRY, also capitalized as ForcedEntry, is a security exploit allegedly developed by NSO Group to deploy their Pegasus spyware. [2] [3] It enables the "zero-click" exploit that is prevalent in iOS 13 and below, but also compromises recent safeguards set by Apple's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability. [1] [4]

Contents

Exploit

The exploit was discovered by Citizen Lab, [2] who reported that the vulnerability has been used to target political dissidents and human rights activists. [5] FORCEDENTRY appears to be the same as the attack previously detected and named "Megalodon" by Amnesty International. [6]

The exploit uses PDF files disguised as GIF files to inject JBIG2-encoded data to provoke an integer overflow [7] [8] in Apple's CoreGraphics system, circumventing Apple's "BlastDoor" sandbox for message content. BlastDoor was introduced as part of iOS 14 to defend against KISMET, another zero-click exploit. [2] [9] [10] The FORCEDENTRY exploit has been given the CVE identifier CVE-2021-30860. [8] In December 2021, Google's Project Zero team published a technical breakdown of the exploit based on its collaboration with Apple’s Security Engineering and Architecture (SEAR) group. [11] [12]

The exploit was described by Project Zero team:

JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent. The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying. [11]

According to Citizen Lab, the FORCEDENTRY vulnerability exists in iOS versions prior to 14.8, macOS versions prior to macOS Big Sur 11.6 and Security Update 2021-005 Catalina, and watchOS versions prior to 7.6.2. [9]

Apple lawsuit

In November 2021, Apple Inc. filed a complaint against NSO Group and its parent company Q Cyber Technologies in the United States District Court for the Northern District of California in relation to FORCEDENTRY, requesting injunctive relief, compensatory damages, punitive damages, and disgorgement of profits [13] [14] [15] but in 2024 asked the court to dismiss the lawsuit [16] [17] .

See also

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

<span class="mw-page-title-main">Citizen Lab</span> Digital research center at the University of Toronto

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It was founded by Ronald Deibert in 2001. The laboratory studies information controls that impact the openness and security of the Internet and that pose threats to human rights. The organization uses a "mixed methods" approach which combines computer-generated interrogation, data mining, and analysis with intensive field research, qualitative social science, and legal and policy analysis methods. The organization has played a major role in providing technical support to journalists investigating the use of NSO Group's Pegasus spyware on journalists, politicians and human rights advocates.

<span class="mw-page-title-main">Ayman Nour</span> Egyptian politician

Ayman Abd El Aziz Nour is an Egyptian politician, a former member of the Egyptian Parliament, founder and chairman of the El Ghad party.

<span class="mw-page-title-main">Xpdf</span> Open source PDF viewer software

Xpdf is a free and open-source PDF viewer and toolkit based on the Qt framework. Versions prior to 4.00 were written for the X Window System and Motif.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

JBIG2 is an image compression standard for bi-level images, developed by the Joint Bi-level Image Experts Group. It is suitable for both lossless and lossy compression. According to a press release from the Group, in its lossless mode JBIG2 typically generates files 3–5 times smaller than Fax Group 4 and 2–4 times smaller than JBIG, the previous bi-level compression standard released by the Group. JBIG2 was published in 2000 as the international standard ITU T.88, and in 2001 as ISO/IEC 14492.

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in March 2024. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

<span class="mw-page-title-main">JailbreakMe</span> Series of iOS jailbreaks

JailbreakMe is a series of jailbreaks for Apple's iOS mobile operating system that took advantage of flaws in the Safari browser on the device, providing an immediate one-step jailbreak, unlike more common jailbreaks, such as Blackra1n and redsn0w, that require plugging the device into a computer and running the jailbreaking software from the desktop. JailbreakMe included Cydia, a package management interface that serves as an alternative to the App Store. Although it does not support modern devices, the websites remain available for compatible devices.

watchOS Apple Watch operating system

watchOS is the operating system of the Apple Watch, developed by Apple Inc. It is based on iOS, the operating system used by the iPhone, and has many similar features. It was released on April 24, 2015, along with the Apple Watch, the only device that runs watchOS. watchOS exposes an API called WatchKit for developer use.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

<span class="mw-page-title-main">NSO Group</span> Israeli cyber-espionage and malware firm

NSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It employed almost 500 people as of 2017.

Pegasus is a spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android. While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists. The sale of Pegasus licenses to foreign governments must be approved by the Israeli Ministry of Defense.

The Pegasus Project is an international investigative journalism initiative that revealed governments' espionage on journalists, opposition politicians, activists, business people and others using the private Pegasus spyware developed by the Israeli technology and cyber-arms company NSO Group. Pegasus is ostensibly marketed for surveillance of "serious crimes and terrorism". In 2020, a target list of 50,000 phone numbers leaked to Forbidden Stories, and an analysis revealed the list contained the numbers of leading opposition politicians, human rights activists, journalists, lawyers and other political dissidents.

Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage services to government clients. Its management and investors overlap significantly with that of NSO Group. Its operations began being uncovered in 2019 by researchers at CitizenLab, Kaspersky, ESET. Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM" while Kaspersky refers to it as "SandCat"

Quadream was an Israeli surveillance technology company. It prominently sold iPhone hacking tools, and was founded in 2014 by a group including two former NSO Group employees, Guy Geva, and Nimrod Reznik. Its offices were in Ramat Gan. The company is suspected to have shut down in April 2023. It is owned by a parent company in Cyprus.

CatalanGate is a 2022 political scandal involving accusations of espionage using the NSO Group's Pegasus spyware, against figures of the Catalan independence movement. Targets of the supposed espionage included elected officials, activists, lawyers, and computer scientists; in some cases, families of the main targets were also purportedly targeted.

Hermit is spyware developed by the Italian commercial spyware vendor RCS Lab that can be covertly installed on mobile phones running iOS and Android. The use of the software was publicized by Google's Threat Analysis Group (TAG) on June 23, 2022, and previously disclosed by the security research group Lookout.

Tamer Almisshal is a Palestinian journalist who works at Al Jazeera, and is the host of The Hidden is More Immense.

<span class="mw-page-title-main">Cytrox</span> Spyware company

Cytrox is a company established in 2017 that makes malware used for cyberattacks and covert surveillance. Its Predator spyware was used to target Egyptian politician Ayman Nour in 2021 and to spy on 92 phones belonging to businessmen, journalists, politicians, government ministers and their associates in Greece. In 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD in North Macedonia, and Cytrox Holdings Crt in Hungary to its Entity List and on March 5, 2024, the U.S. Department of Treasury imposed sanctions upon Cytrox AD of North Macedonia and the Intellexa Consortium, which is the parent firm of Cytrox AD, "for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide."

References

  1. 1 2 3 "Israeli spyware firm targeted Apple devices via iMessage, researchers say". the Guardian. 2021-09-13. Retrieved 2021-09-13.
  2. 1 2 3 "Apple fixes iOS zero-day used to deploy NSO iPhone spyware". BleepingComputer. Retrieved 2021-09-14.
  3. "Apple patches ForcedEntry vulnerability used by spyware firm NSO". ComputerWeekly.com. Retrieved 2021-09-14.
  4. "Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!". Naked Security. 2021-09-14. Retrieved 2021-09-14.
  5. Marczak, Bill; Abdulemam, Ali; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Scott-Railton, John; Deibert, Ron (24 August 2021). "Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits". Citizenlab. Retrieved 24 August 2021.
  6. "Bahrain targets activists with NSO's Pegasus spyware". IT PRO. 24 August 2021. Retrieved 2021-09-15.
  7. Claburn, Thomas. "Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware". www.theregister.com. Retrieved 2021-09-15.
  8. 1 2 "About the security content of macOS Big Sur 11.6". Apple Support. Retrieved 2021-09-14.
  9. 1 2 Marczak, Bill; Scott-Railton, John; Razzak, Bahr Abdul; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Deibert, Ron (2021-09-13). "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild". The Citizen Lab. Retrieved 2021-09-13.
  10. "New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox". www.securityweek.com. 24 August 2021. Retrieved 2021-09-14.
  11. 1 2 Beer, Ian; Groß, Samuel (2021-12-15). "Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution". Google Project Zero . Retrieved 2021-12-16.
  12. "Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group". 15 December 2021.
  13. Kirchgaessner, Stephanie (2021-11-23). "Apple sues Israeli spyware firm NSO Group for surveillance of users". the Guardian. Retrieved 2021-11-23.
  14. "Apple sues NSO Group to curb the abuse of state-sponsored spyware". Apple Newsroom. 2021-11-23. Retrieved 2021-11-23.
  15. "APPLE INC., v. NSO GROUP TECHNOLOGIES LIMITED, and Q CYBER TECHNOLOGIES LIMITED" (PDF). Retrieved 2021-11-23.
  16. "Apple seeks to drop its lawsuit against Israeli spyware pioneer NSO".
  17. "Israel tried to frustrate US lawsuit over Pegasus spyware, leak suggests".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.