Researchers from Citizen Lab, an academic research and development lab based in the University of Toronto in Canada, has recently discovered that an exploit affecting iMessage is being used to target Bahraini activists with the Pegasus spyware. The Bahrain government and groups linked to them—such as LULU, a known operator of Pegasus, and others like them who are associated with a separate government—were tagged as culprits of the surveillance activity.
Dubbed by Citizen Lab as FORCEDENTRY, this iMessage exploit is said to have been in use since February 2021. For an entity to get inside someone’s iPhone using FORCEENTRY to exploit an iMessage vulnerability, there is no need to come up with social engineering tactics to get their target to do an action, which is, usually, to click something. The attackers just deploy the exploit. No need for the target to click something. This is what we mean when we refer to some attacks as “zero-click”.
FORCEDENTRY is Megalodon
FORCEDENTRY and Megalodon—the name given to iMessage exploit activity witnessed by Amnesty International's research arm Amnesty Tech in July 2021—are one and the same.
When FORCEENTRY is fired at a device, it crashes IMTranscoderAgent, a service the device uses to transcode and preview images in iMessage. According to The Hacker News, this is FORCEDENTRY’s way of getting around Apple’s BlastDoor security feature, which was designed to protect against attacks, including those from the KISMET exploit. Once this agent crashes, the exploit can then download and render items, likely images, from the Pegasus server.
“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” the researchers claim in the Citizen Lab report.
FORCEDENTRY has been observed targeting and deploying Pegasus against Bahraini activists, members, and writers belonging to Waad (a political society), Bahrain Center for Human Rights (a Bahraini NGO), and Al Wefaq (cited as “Bahrain’s largest opposition political society”).
KISMET: the other exploit
FORCEENTRY is actually the second known exploit to be used to target journalists using an iMessage vulnerability. In 2020, Citizen Lab named KISMET, a then 0-day exploit against iPhone iOS version 13.5.1 and above. It could also hack the iPhone 11, the latest model of that time. This made iPhone devices that were available before the release of iOS 14 vulnerable and exploitable.
No real protection in sight?
As of this writing, researchers at Citizen Lab believed that the KISMET and FORCEDENTRY exploits might have been prevented by users disabling iMessage and FaceTime. However, disabling these two cannot fully protect users from any spyware or zero-click attacks, the researchers said. Disabling iMessage also means that your once-encrypted message could be easily intercepted by attackers.
There are also other text and video messaging apps iPhone users can use in place of iMessage and FaceTime should they choose to disable them. Some of these are open-source, such as Signal.