New Zero-Click Exploit Bypasses Apple’s BlastDoor iMessage Safety Measures

BY Rajesh Pandey

Published 24 Aug 2021


Citizen Lab researchers have found that the iPhones of nine Bahraini activists were hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Citizen Lab believes the Bahraini government is behind these hacks.

Almost all of the hacks took place between June 2020 and February of this year, with a couple of earlier compromises dating back to 2019. The targets are primarily activists and members of Bahraini human rights NGOs who oppose the government’s repressive measures.

One of the activists whose iPhone was hacked used an iPhone 12 Pro. It was compromised in February this year by a zero-click attack that exploited an iMessage vulnerability to install NSO’s Pegasus spyware. More importantly, the zero-click exploit worked on both iOS 14.4 and iOS 14.6, and it circumvented BlastDoor, the sandbox Apple introduced in iOS 14 to parse untrusted iMessage content in isolation, precisely to stop attacks of this kind.

Citizen Lab describes the exploit in its report:

“Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to circumvent BlastDoor.

When the FORCEDENTRY exploit was being fired at a device, the device logs showed crashes associated with IMTranscoderAgent. The crashes appeared to be segfaults generated by invoking the copyGifFromPath:toDestinationPath:error function on files received via iMessage.

The crashes appeared to be of two types. Type one crashes indicate that the chain of events set off by invoking copyGifFromPath:toDestinationPath:error ultimately crashed while apparently invoking ImageIO’s functionality for rendering Adobe Photoshop PSD data.”
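As an added example (not code from this article or from Citizen Lab’s report), the following Python script turns the crash signature quoted above into a triage rule and runs it over a few constructed crash reports: a segfault in IMTranscoderAgent whose backtrace contains copyGifFromPath:toDestinationPath:error, with ImageIO on the stack, is reported as a high-confidence match. The report layout is a simplified form of Apple’s text crash logs, the addresses and offsets are placeholders, and the “medium” verdict for other IMTranscoderAgent segfaults is this example’s own judgment call rather than a rule from the report.

```python
"""Triage iOS crash reports for the FORCEDENTRY crash signature.

Added example, not code from the article or from Citizen Lab. The three
reports below are constructed for this example: the layout is a simplified
form of Apple's text crash logs and every address/offset is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Selector named in the Citizen Lab report. A real backtrace prints it with
# a trailing colon (...:error:), so a substring match covers both spellings.
SIGNATURE_SYMBOL = "copyGifFromPath:toDestinationPath:error"
TARGET_PROCESS = "IMTranscoderAgent"

# Constructed sample: IMTranscoderAgent segfault, ImageIO on the stack,
# signature selector in the backtrace (the "type one" crash).
REPORT_FORCEDENTRY = """\
Process:          IMTranscoderAgent [312]
Exception Type:   EXC_BAD_ACCESS (SIGSEGV)
Thread 3 Crashed:
0   ImageIO                0x00000001a1b2c3d4 0x1a1b00000 + 4608
1   IMTranscoderAgent      0x0000000100004a10 -[IMTranscoderAgent copyGifFromPath:toDestinationPath:error:] + 220
2   IMTranscoderAgent      0x0000000100003f00 0x100000000 + 16128
"""

# Constructed sample: same process and signal, but no signature selector.
REPORT_PLAIN_SEGFAULT = """\
Process:          IMTranscoderAgent [318]
Exception Type:   EXC_BAD_ACCESS (SIGSEGV)
Thread 0 Crashed:
0   CoreFoundation         0x00000001a0ff1234 CFRelease + 52
1   IMTranscoderAgent      0x0000000100002000 0x100000000 + 8192
"""

# Constructed sample: unrelated process and signal.
REPORT_UNRELATED = """\
Process:          SpringBoard [58]
Exception Type:   EXC_CRASH (SIGABRT)
Thread 0 Crashed:
0   libsystem_kernel.dylib 0x00000001a0123456 __pthread_kill + 8
"""

# Backtrace frame: "<index> <module> <address> <symbol or image offset>"
FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.*)$")


@dataclass
class CrashReport:
    process: str = ""
    exception: str = ""
    frames: list[tuple[str, str]] = field(default_factory=list)  # (module, symbol)


def parse_report(text: str) -> CrashReport:
    """Extract the crashing process, exception type and backtrace frames."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):
            # "Process:  IMTranscoderAgent [312]" -> "IMTranscoderAgent"
            report.process = line.split(":", 1)[1].split("[")[0].strip()
        elif line.startswith("Exception Type:"):
            report.exception = line.split(":", 1)[1].strip()
        else:
            m = FRAME_RE.match(line)
            if m:
                report.frames.append((m.group(1), m.group(2)))
    return report


def score_report(report: CrashReport) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'high', 'medium' or 'none'."""
    reasons: list[str] = []
    if report.process != TARGET_PROCESS or "SIGSEGV" not in report.exception:
        return "none", reasons
    reasons.append(f"segfault in {TARGET_PROCESS}: {report.exception}")
    has_signature = any(SIGNATURE_SYMBOL in sym for _, sym in report.frames)
    if not has_signature:
        # Worth a look, but without the selector it may be an ordinary
        # transcoding bug (this tier is the example's own choice).
        return "medium", reasons
    reasons.append(f"backtrace contains {SIGNATURE_SYMBOL}")
    if any(mod == "ImageIO" for mod, _ in report.frames):
        reasons.append("ImageIO on the stack (type one crash: PSD rendering path)")
    return "high", reasons


def triage(reports: list[str]) -> list[tuple[str, str]]:
    """Verdict per report, as (process, verdict)."""
    results = []
    for text in reports:
        parsed = parse_report(text)
        results.append((parsed.process, score_report(parsed)[0]))
    return results


if __name__ == "__main__":
    for text in (REPORT_FORCEDENTRY, REPORT_PLAIN_SEGFAULT, REPORT_UNRELATED):
        parsed = parse_report(text)
        verdict, reasons = score_report(parsed)
        print(f"{parsed.process}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

On a real device the inputs would be the .ips crash files collected from a sysdiagnose or from Settings > Privacy > Analytics; the parser above only handles the simplified layout of the constructed samples and would need to be adapted to the exact format of the logs being examined.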

Apple has not confirmed whether FORCEDENTRY has been patched. It only issued a statement to TechCrunch noting that such exploits are unlikely to affect general users and are aimed at specific individuals.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Apple also said it has added further protections to iMessage in iOS 15 to defend against attacks of this kind.

The full Citizen Lab report is worth reading in its entirety; it goes into depth on how the exploit works.