Apple released Security updates for a newly discovered zero-day vulnerability that affects all iPhone, iPad, Mac, and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the discovery, urges users to update their devices immediately.
The tech giant said iOS 14.8 for iPhones and iPads, along with new updates for Apple Watch and macOS, would fix at least one vulnerability it said “may have been actively exploited.”
Citizen Lab said it discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones owned by at least one Bahraini activist.
Last month, Citizen Lab said the zero-day vulnerability – named after it gives companies zero days to deploy a patch – took advantage of a flaw in Apple’s iMessage, which was exploited to push Pegasus spyware, developed by Israeli company NSO Group, on the activist’s phone. Pegasus gives its government clients nearly complete access to a target’s device, including their personal data, photos, messages, and location.
The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the vulnerabilities also pierced Apple’s new iPhone defenses with iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering out potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to bypass Apple’s BlastDoor protections.
In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, running the latest version of iOS at the time. The researchers said the exploit takes advantage of a weakness in the way Apple devices display images on the screen. Citizen Lab now says the same ForcedEntry exploit works on all Apple devices running the latest software until today.
Citizen Lab said it communicated its findings to Apple on September 7. Apple has released updates to the vulnerability, officially known as CVE-2021-30860. Citizen Lab said he attributed the ForcedEntry exploit to the NSO Group with great confidence, citing evidence he saw that he had not yet published.
Citizen Lab researcher John Scott-Railton told TechCrunch that messaging apps, like iMessage, are increasingly the target of nation-state hacking operations and this latest finding underscores the challenges of securing them.
When reached, Apple declined to comment. NSO Group did not immediately comment.