News

Just Looking at That Message Could Compromise Your Device

This cute photo can be more than a picture

main results

  • By analyzing the spying scandal uncovered by Citizen Lab, Google security researchers discovered a new attack mechanism known as the zero-click exploit.
  • Traditional security tools such as antivirus cannot prevent exploits with zero clicks.
  • Apple has stopped one, but researchers fear there will be more zero-click exploits in the future.

Screen Post / Unspalsh.com

Following security best practices is considered a prudent course of action to keep devices like laptops and smartphones safe, or that was until researchers discovered a new trick that was virtually undetectable.

By examining Apple’s recently-fixed bug used to install Pegasus spyware on specific targets, security researchers at Google’s Project Zero discovered an innovative attack mechanism they call “zero-click exploits” that no mobile antivirus can block.

“In addition to not using a device, there is no way to avoid exploits through ‘zero-click exploits’; This is a weapon without a defense,” Google Project Zero engineers Ian Beer and Samuel Groß wrote in a blog post.

Frankenstein’s monster

Pegasus spyware is the brainchild of NSO Group, an Israeli technology company that has now been added to the US “Entity List” and essentially blocks it from the US market.

“It’s unclear what a plausible explanation for privacy is on a cell phone, where we often make highly personal calls in public places. We certainly don’t expect anyone to tap our phone, even though Pegasus allows people to do it,” Saryu Nayyar, CEO of cybersecurity firm Gurucul, told Lifewire in an email.

“As end users, we must always be careful when opening messages from unknown or unreliable sources, no matter how compelling the subject or message…”

Pegasus spyware came to the fore in July 2021 when Amnesty International announced that it was used to spy on journalists and human rights activists around the world.

This was followed by a statement by researchers at Citizen Lab in August 2021 after they found evidence of surveillance on the iPhone 12 Pro of nine Bahraini activists via an exploit that circumvented the latest security protections in iOS 14, known collectively as BlastDoor.

In fact, Apple sued the NSO Group, holding it responsible for circumventing the iPhone’s security mechanisms to spy on Apple users via Pegasus spyware.

“State-sponsored actors like the NSO Group are spending millions of dollars on advanced surveillance technologies without effective accountability. Craig Federighi, Apple’s Senior Vice President of Software Engineering, said in a press release about the process that this needs to change.

In a two-part Google Project Zero post, Beer and Groß explained how NSO Group deployed Pegasus spyware on targets’ iPhones using what they described as incredible and terrifying, the zero-click attack mechanism.

The zero-click exploit is exactly what it sounds like – victims don’t have to click or tap anything to be compromised. Instead, simply viewing an email or message with the malware attached will install them on the device.

Close-up of messages on smartphone.

Jamie Street / Unsplash.com

impressive and dangerous

According to researchers, the attack begins with a treacherous message in the iMessage app. To help us crack the very complex attack methodology developed by hackers, Lifewire enlisted the help of independent security researcher Devanand Premkumar.

Premkumar explained that iMessage has several built-in mechanisms for handling animated .gif files. One of these methods checks for specific file format using a library called ImageIO. The hackers used a “gif trick” to exploit a weakness called CoreGraphics in the core support library to gain access to the targeted iPhone.

Advising Lifewire, Premkumar said, “As end users, we must always be careful when opening messages from unknown or untrusted sources, no matter how compelling the subject or message, as this is used as the main entry point into the cell phone.” an e-mail.

Premkumar added that the current attack mechanism only works on iPhones and is examining the steps Apple has taken to eliminate the current vulnerability. But as the current attack dwindled, the attack mechanism opened Pandora’s box.

Close the app page on a red iPhone showing a large number on the email badge.

Sara Kurfeo / Unsplash

“Zero-click vulnerabilities are not going away anytime soon. “There will be more zero-click exploits being tested and deployed against high-profile targets for sensitive and valuable data that can be extracted from the mobile phones of these exploited users,” Premkumar said. Said.

Meanwhile, Apple has decided to provide free technical assistance, threat intelligence, and engineering to Citizen Lab researchers, in addition to the lawsuit filed against NSO, and has promised to offer the same assistance to other organizations doing critical work in the field.

In addition, the company even contributed $10 million in addition to all damages awarded in the lawsuit to support organizations involved in the defense and investigation of cyber surveillance breaches.


See more

Just Looking at That Message Could Compromise Your Device

That cute picture might be more than an image

Key Takeaways
Analyzing the spying scandal uncovered by Citizen Lab, Google security researchers have discovered a novel attack mechanism known as a zero-click exploit.
Traditional security tools like antivirus cannot prevent zero-click exploits.
Apple has stopped one, but researchers fear there will be more zero-click exploits in the future.
Screen Post / Unspalsh.com

Following security best practices is considered a prudent course of action for keeping devices like laptops and smartphones safe, or it was until researchers discovered a new trick that is virtually undetectable.

As they dissect the recently patched Apple bug that was used to install the Pegasus spyware on specific targets, security researchers from Google’s Project Zero have discovered an innovative new attack mechanism they’ve dubbed a “zero-click exploit,” that no mobile antivirus can foil. 

“Short of not using a device, there is no way to prevent exploitation by a ‘zero-click exploit;’ it’s a weapon against which there is no defense,” claimed Google Project Zero engineers Ian Beer & Samuel Groß in a blog post.  

Frankenstein’s Monster

The Pegasus spyware is the brainchild of the NSO Group, an Israeli technology firm that has now been added to the US “Entity List,” which essentially blocklists it from the US market.

“It’s not clear what a reasonable explanation of privacy is on a cell phone, where we often make highly personal calls in public places.  But we certainly don’t expect someone to listen in on our phone, though that’s what Pegasus enables people to do,” explained Saryu Nayyar, CEO of cybersecurity company Gurucul, in an email to Lifewire.

“As end-users, we should always be cautious about opening messages from unknown or untrusted sources, no matter how enticing the subject or message be…”

The Pegasus spyware came into the limelight in July 2021, when Amnesty International revealed that it was used to spy on journalists and human rights activists worldwide. 

This was followed by a revelation from researchers at Citizen Lab in August 2021, after they found evidence of surveillance on iPhone 12 Pro’s of nine Bahraini activists through an exploit that evaded the latest security protections in iOS 14 collectively known as BlastDoor.

In fact, Apple has filed a lawsuit against the NSO Group, holding it accountable for circumventing iPhone security mechanisms to surveil Apple users via its Pegasus spyware.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in the press release about the lawsuit.

In the two-part Google Project Zero post, Beer and Groß explained how the NSO Group got the Pegasus spyware onto the iPhones of the targets using the zero-click attack mechanism, which they described as both incredible and terrifying.

A zero-click exploit is exactly what it sounds like—the victims don’t need to click or tap anything to be compromised. Instead, simply viewing an email or message with the offending malware attached allows it to install on the device.

Jamie Street / Unsplash.com
Impressive and Dangerous

According to the researchers, the attack begins through a nefarious message on the iMessage app. To help us break down the rather complex attack methodology devised by the hackers, Lifewire enlisted the help of independent security researcher Devanand Premkumar.

Premkumar explained that iMessage has several in-built mechanisms to handle animated .gif files. One of these methods checks the specific file format using a library named ImageIO. The hackers used a ‘gif trick’ to exploit a weakness in the underlying support library, called CoreGraphics, to gain access to the target iPhone. 

“As end-users, we should always be cautious about opening messages from unknown or untrusted sources, no matter how enticing the subject or message be, as that is being used as the primary entry point into the mobile phone,” Premkumar advised Lifewire in an email.  

Premkumar added that the current attack mechanism is only known to work on iPhones as he ran through the steps Apple has taken to defang the current vulnerability. But while the current attack has been curtailed, the attack mechanism has opened Pandora’s box.

Sara Kurfeß / Unsplash

“Zero-click exploits are not going to die anytime soon. There will be more and more of such zero-click exploits tested and deployed against high profile targets for the sensitive and valuable data which can be extracted from such exploited users’ mobile phones,” said Premkumar. 

Meanwhile, in addition to the lawsuit against NSO, Apple has decided to provide technical, threat intelligence, and engineering assistance to the Citizen Lab researchers pro-bono and has promised to offer the same assistance to other organizations doing critical work in this space. 

Additionally, the company has gone to the extent of contributing $10 million, as well as all the damages awarded from the lawsuit to support organizations involved in the advocacy and research of cyber-surveillance abuses.

#Message #Compromise #Device


Trả lời

Email của bạn sẽ không được hiển thị công khai. Các trường bắt buộc được đánh dấu *

Back to top button