Zero-Click iPhone Exploit (FORCEDENTRY)

Overview

Researchers at the University of Toronto’s Citizen Lab have identified an exploit for recent versions of iOS that has been used by surveillance technology companies to break into iPhones. The exploit circumvents the recently added BlastDoor feature, which filters incoming message data and is intended to make attacks of this kind more difficult.

Impact

An attacker could compromise an iPhone by sending a text message to it. The recipient would not need to click or view the message for the exploit to be effective.

Vulnerability Detection

There is currently no mechanism by which an iPhone user can determine on their own whether they have been affected. Potentially affected devices need to be professionally examined in order to determine whether they have been compromised. Note, however, that all devices listed under Affected Products do carry the vulnerability.

Affected Products

Apple would not confirm that the most recent patch fixes this issue. It is therefore likely that the exploit still works against the most recent version of iOS (14.7.1).

Containment, Mitigations & Remediations

Citizen Lab believes that this attack could be prevented by disabling iMessage and FaceTime. However, this would mean that texts sent using the built-in Messages app would be unencrypted. Other third-party applications that offer end-to-end encryption could be used in place of iMessage or FaceTime; however, these may carry their own risks and should be chosen at the user’s discretion.

Indicators of Compromise

There are currently no IoCs that can be actively monitored for on a device.

Threat Landscape

The exploit was developed by the NSO Group, an Israel-based surveillance company that came to prominence recently following the disclosure of lists of telephone numbers targeted by the organisation and its clients. It is, however, likely that, given the disclosure of the exploit, others will seek to reverse engineer or independently identify the vulnerability in order to use it for their own ends.

Mitre Methodologies

T1477 – Exploit via Radio Interfaces
S0289 – Pegasus for iOS

Further Information

From Pearl to Pegasus (Citizen Lab)
Project Zero Google – A Look at iMessage in iOS 14