New zero-click iMessage Pegasus attack can blast right through iOS 14's security protections

[nanoguy]

In context: More than 180 journalists around the world have been targeted by various operators of the Pegasus spyware tool developed by Israeli firm NSO Group. New research reveals that despite the common perception that Apple devices are more secure, there are plenty of vulnerabilities that can be exploited through Pegasus even when running the latest software revision for your device.

Last year, it emerged that Facebook wanted to buy the infamous Pegasus spyware tool in 2017 with the explicit purpose to monitor iPhone and iPad users. Pegasus developer NSO Group refused to sell it for that purpose, as the firm is known for its strict policy of only licensing its tools to governments and government agencies for legitimate use cases pertaining to national security and law enforcement.

Fast forward to today, and a new report from Citizen Lab highlights just how effective Pegasus is even on devices running iOS 14. Security researchers found the tool facilitated a zero-click attack on the iPhones of nine Bahraini activists between June 2020 and February 2021.

(Countries where Pegasus has been used against journalists | Forbidden Stories)

The attack relied on two zero-click iMessage exploits -- meaning no interaction from the user is necessary for the exploits to succeed. One of the exploit chains is called KISMET and was discovered in 2020, while the other is a completely new one that is able to bypass Apple's Blastdoor protections, which is why Citizen Labs called it FORCEDENTRY.

Researchers found the attack was successful against iPhones running an up-to-date version of iOS, and that versions 14.4 and 14.6 are confirmed to be vulnerable to it. What isn't clear at this point is whether the security update in iOS 14.7.1 is meant to offer a fix for this particular exploit. Apple is aware of the issue, however, and the company will introduce more security protections in the upcoming iOS 15 release.

Citizen Lab notes with a "high degree of confidence" that four of the nine activists that were hacked have been targeted by the government of Bahrain, which is said to have been using Pegasus since 2017. One of the activists had previously been hacked with the same tool in 2019.

Permalink to story.

https://www.techspot.com/news/90923-new-zero-click-imessage-pegasus-attack-can-blast.html

 

[Shadowboxer]

The “common perception” that Apple is more secure than its competitors is not an inaccurate one. Their products are considerably more secure than any Android device. But nobody ever claimed Apple is 100% secure, they are still targeted, you can still be attacked.

 

[brucek]

I hadn't heard about Facebook trying to buy it in 2017. Which leads me to wonder, which is more likely to have occurred since then -- on being turned down, Facebook:

A. Gave up on getting this data
B. Found other companies providing the same capabilities
C. Invested internally to build up the same capabilities in-house

 

[Nobina]

That's just Apple sniffing through your data in search for illegal material.

 

[Hexic]

That's just Apple sniffing through your data in search for illegal material.

Those Paladins of privacy.

 

[DZillaXx]

The “common perception” that Apple is more secure than its competitors is not an inaccurate one. Their products are considerably more secure than any Android device. But nobody ever claimed Apple is 100% secure, they are still targeted, you can still be attacked.

That is highly debatable. iOS is no more secure than Android per say. Its just iOS has tighter restrictions on apps and what they can access. All these options and more are on Android and it is pretty easy to lock down your phone. Real issue is what apps are asking to access day one in the background with users not knowing any better to check settings and make sure permissions are set accordingly.

Android also has better access to end point protection software options integrating android devices better into a cooperate environment.

 

[Shadowboxer]

That is highly debatable. iOS is no more secure than Android per say. Its just iOS has tighter restrictions on apps and what they can access. All these options and more are on Android and it is pretty easy to lock down your phone. Real issue is what apps are asking to access day one in the background with users not knowing any better to check settings and make sure permissions are set accordingly.

Android also has better access to end point protection software options integrating android devices better into a cooperate environment.

Actually iOS is considerably more secure. The biggest factor of security is how up to date your OS is. And iPhones have the highest adoption rates for their latest operating systems.

Far more vulnerabilities remain unpatched on Android, making it more vulnerable overall. And it’s down to OEMs in some cases to cover security flaws and they can’t all be relied upon to do it.

 

[kiwigraeme]

Yea Nah - I'm still making $500 000 more for an FCP Zero Click on Android .

Good money to be made on Zerodium - helping Govt States protect themselves

Money & Karma for doing good


The smartest man in the world knew to keep his very old Sammy - in spite of the know it alls trying to get him to use something else

 

[DZillaXx]

Actually iOS is considerably more secure. The biggest factor of security is how up to date your OS is. And iPhones have the highest adoption rates for their latest operating systems.

Far more vulnerabilities remain unpatched on Android, making it more vulnerable overall. And it’s down to OEMs in some cases to cover security flaws and they can’t all be relied upon to do it.

Again, iPhones are not considerably more secure. That is just hogwash spoonfed to people via apple marketing. I do agree that iPhones are better kept up to date, and that can make a different in a small degree. But most attacks are done from within, so from something you install or click on.

Android tends not to rock the latest version of Linux Kernels, and Darwin Apple's Unix base tends to be behind linux in terms of lastest and greatest as well.

As a mobile user I'm more worried about the data leaving my phone than my phone getting compromised from an external source. If using cloud services, make sure to use twofactor auth. Don't trust sites that dont use HTTPS when you have any type of login, run a ad blocker if possible.


Android can be locked down much more than apple devices can, not as much as windows, but its capable and highly used in the medical and government fields.

 

[Uncle Al]

How does it do that? By disguising itself as a porn picture of some kind ..... sounds a bit like Apple Suicide .....

 

[Shadowboxer]

How does it do that? By disguising itself as a porn picture of some kind ..... sounds a bit like Apple Suicide .....

It’s just a single link. Once you’ve clicked on it it will install yourself and the user is no longer required. It’s quite nasty but if you don’t click on suspicious links you will be fine if you have an iPhone.

There are more ways to get into an Android device. Particularly be weary of notifications asking you to update anything, always update apps through the play store.

 

[DZillaXx]

I’ve blocked you by the way. Anyone who claims Android is just as secure as iOS is laughably misinformed. Reading your comments tells me that you emphatically do not have a clue what you are talking about and Im not wasting my time on *****s on the internet. Go, please click on every foreign link. Side load apps, keep the same Android hardware for more than 2 years. Youl be wide open and apparently clueless to it.

Don’t bother replying to this comment either, it will not reach me.

lol... Okay.. Lets all make claims with nothing to back it up!

I guess everyone who uses windows has a computer full of malware... Super unsecure. Anything not apple must be dangerous to use people!!!

Security in any regard mostly deals on how a device is used and configured.

Just like how you can lock down a IoT device with firewall rules and a private network w/ vlans. The Device is still not secure, but you secure it via other means.

Saying Android can't be secure is just a downright lie only told by misinformed sheep.

 

[Hexic]

Aside from the constant iFans and anti-Apple crowd - this article spells out quite well the differences, pertaining to security, user choice, OS updates, etc:

The key point most Android vs. iOS arguments miss

People (and, ahem, companies) comparing Android to iOS keep making the same silly mistake. Don't let yourself fall for it.

www.computerworld.com

Android users can’t fathom being in the iSandbox that only the iGods give you permission to change your own phone background - when in all reality it’s a clean environment that still performs well, albeit with significant functionality limitations that iPhone users love to deny are an issue at all.

iPhone users on the other hand, view Android as a buggy, insecure mess of an OS that works well for ~1 year and then craps out due to EOL support, and bad UX. The current reality is, it’s also a clean environment that performs significantly better than the general iConsensus claims, has consistent updates for almost all major brands, with significantly fewer training wheels and performs better for longer than the 2014 rose-tinted glasses version of Android used to be.

I currently use the latest generation of both the iPhone and Android. Current day, from my flagship Samsung to my 12 Max Pro… No one is ahead in this race, it is all based upon user preference. There is not a large enough security threat anymore to not use an Android, and Apple is very slowly getting better at adding meaningful functionality to their platform. Use what you want, This isn’t seven years ago, both OSs are fantastic.

 

[Markoni35]

It's the Israelis again, of course. They design chips used in smart devices, PCs, airplanes, cars, etc. They design low-level drivers, and OS communication modules. They design "security" protocols by leaving backdoors everywhere. Is it then a miracle they can hack everything?

Oh, BTW, they've also designed Intel CPUs.

In case someone is wondering why Intel CPUs have so many security holes...