Researchers identified a so-called “zero-click” exploit affecting Apple’s iMessage messaging service. Apple has released security updates for all its devices.
The previously unidentified vulnerability, named “FORCEDENTRY” by the University of Toronto Citizen Lab researchers, takes advantage of the way iMessage renders images to skirt the built-in security systems of Apple’s latest operating systems.
The Israeli company NSO’s Pegasus spyware has been named as being responsible for this vulnerability. Once installed, Pegasus allows NSO’s clients to take control of a device, to activate the camera and the microphone, see geolocation data and read the content of messages.
The devices affected include all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.
Ivan Krstić, the head of Apple Security Engineering and Architecture, said in a statement:
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.