Pegasus leak patched by Apple
Apple released security updates for iOS, iPadOS, macOS and watchOS quite unexpectedly on Monday evening. In the update description, Apple speaks of the usual security improvements, without mentioning the terms Pegasus or Blastdoor. But they appear to have been addressed. This is a vulnerability that was actively used by the Pegasus spyware of the Israeli company NSO. This allowed remote access to iPhones and other Apple products without the owner having to click a link.
The zero-day was discovered by Citizen Lab, which has been researching Pegasus for some time. They discovered it was being used on an activist's iPhone and named it ForcedEntry because it breaks Apple's brand new Blastdoor security. According to Citizen Lab, it has been abused since February, and possibly earlier.
Pegasus is spyware from the Israeli company NSO Group, which is sold to governments to spy on terrorists, as well as journalists and activists. Most countries are located in the Middle East, but Germany also appears to have deployed the Pegasus spyware. ForcedEntry was discovered in August by Citizen Lab, but other vulnerabilities have previously made it possible to install Pegasus spyware. This affected nine activists from Bahrain in 2020.
In iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and macOS 11.6, Apple has now fixed this vulnerability. There was also a Safari update (14.1.2) and a security update for macOS Catalina, for people who are still on older versions of the operating system. ForcedEntry is registered in the National Vulnerability Database under code CVE-2021-30860 called CoreGraphics. Additionally, a WebKit vulnerability called CVE-2021-30858 has been fixed.
Citizen Lab has now released a new report with more details about the vulnerabilities. This shows that you should update your devices as soon as possible, especially if you belong to an interesting target group and, for example, you are committed to human rights in countries with dubious regimes. iMazing software allows you to detect Pegasus on your device.
Apple itself has also made a statement. Ivan Krsti', head of Apple Security Engineering and Architecture, praises Citizen Lab's efforts:
After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We'd like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.
With the release of iOS 14.8, Pegasus has not been permanently silenced. NSO will continue to look for vulnerabilities that can be reused to install the spyware on devices.