FORCEDENTRY

Computer security exploit

For Forcible entry, see forced entry.

FORCEDENTRY
CVE identifier(s)	CVE-2021-30860 CVE-2021-30858
Date patched	September 2021^[1]
Discoverer	Bill Marczak from Citizen Lab ^[1]
Affected software	Apple CoreGraphics (Quartz) iOS (prior to v14.8) macOS (prior to macOS Big Sur 11.6, Security Update 2021-005 Catalina) watchOS (prior to v7.6.2)

FORCEDENTRY, also capitalized as ForcedEntry, is a security exploit allegedly developed by NSO Group to deploy their Pegasus spyware.^[2]^[3] It enables the "zero-click" exploit that is prevalent in iOS 13 and below, but also compromises recent safeguards set by Apple's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability.^[1]^[4]

Exploit

[edit ]

The exploit was discovered by Citizen Lab,^[2] who reported that the vulnerability has been used to target political dissidents and human rights activists.^[5] FORCEDENTRY appears to be the same as the attack previously detected and named "Megalodon" by Amnesty International.^[6]

The exploit uses PDF files disguised as GIF files to inject JBIG2-encoded data to provoke an integer overflow ^[7]^[8] in Apple's CoreGraphics system, circumventing Apple's "BlastDoor" sandbox for message content. BlastDoor was introduced as part of iOS 14 to defend against KISMET, another zero-click exploit.^[2]^[9]^[10] The FORCEDENTRY exploit has been given the CVE identifier CVE-2021-30860.^[8] In December 2021, Google's Project Zero team published a technical breakdown of the exploit based on its collaboration with Apple’s Security Engineering and Architecture (SEAR) group.^[11]^[12]

The exploit was described by Project Zero team:

JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent. The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.^[11]

According to Citizen Lab, the FORCEDENTRY vulnerability exists in iOS versions prior to 14.8, macOS versions prior to macOS Big Sur 11.6 and Security Update 2021-005 Catalina, and watchOS versions prior to 7.6.2.^[9]

Apple lawsuit

[edit ]

In November 2021, Apple Inc. filed a complaint against NSO Group and its parent company Q Cyber Technologies in the United States District Court for the Northern District of California in relation to FORCEDENTRY, requesting injunctive relief, compensatory damages, punitive damages, and disgorgement of profits^[13]^[14]^[15] but in 2024 asked the court to dismiss the lawsuit^[16]^[17].

References

[edit ]

^ ^a ^b ^c "Israeli spyware firm targeted Apple devices via iMessage, researchers say". the Guardian. 2021年09月13日. Retrieved 2021年09月13日.
^ ^a ^b ^c "Apple fixes iOS zero-day used to deploy NSO iPhone spyware". BleepingComputer. Retrieved 2021年09月14日.
^ "Apple patches ForcedEntry vulnerability used by spyware firm NSO". ComputerWeekly.com. Retrieved 2021年09月14日.
^ "Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!". Naked Security. 2021年09月14日. Retrieved 2021年09月14日.
^ Marczak, Bill; Abdulemam, Ali; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Scott-Railton, John; Deibert, Ron (24 August 2021). "Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits". Citizenlab. Retrieved 24 August 2021.
^ "Bahrain targets activists with NSO's Pegasus spyware". IT PRO. 24 August 2021. Retrieved 2021年09月15日.
^ Claburn, Thomas. "Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware". www.theregister.com. Retrieved 2021年09月15日.
^ ^a ^b "About the security content of macOS Big Sur 11.6". Apple Support. Retrieved 2021年09月14日.
^ ^a ^b Marczak, Bill; Scott-Railton, John; Razzak, Bahr Abdul; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Deibert, Ron (2021年09月13日). "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild". The Citizen Lab. Retrieved 2021年09月13日.
^ "New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox". www.securityweek.com. 24 August 2021. Retrieved 2021年09月14日.
^ ^a ^b Beer, Ian; Groß, Samuel (2021年12月15日). "Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution". Google Project Zero . Retrieved 2021年12月16日.
^ "Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group". 15 December 2021.
^ Kirchgaessner, Stephanie (2021年11月23日). "Apple sues Israeli spyware firm NSO Group for surveillance of users". the Guardian. Retrieved 2021年11月23日.
^ "Apple sues NSO Group to curb the abuse of state-sponsored spyware". Apple Newsroom. 2021年11月23日. Retrieved 2021年11月23日.
^ "APPLE INC., v. NSO GROUP TECHNOLOGIES LIMITED, and Q CYBER TECHNOLOGIES LIMITED" (PDF). Retrieved 2021年11月23日.
^ "Apple seeks to drop its lawsuit against Israeli spyware pioneer NSO".
^ "Israel tried to frustrate US lawsuit over Pegasus spyware, leak suggests".

v
t
e

Hacking in the 2020s

← 2010s Timeline 2030s →

Major incidents

2020	BlueLeaks Twitter account hijacking European Medicines Agency data breach Nintendo data leak United States federal government data breach EasyJet data breach Vastaamo data breach
2021	Microsoft Exchange Server breach Ivanti Pulse Connect Secure data breach Colonial Pipeline ransomware attack Health Service Executive ransomware attack Waikato District Health Board ransomware attack JBS S.A. ransomware attack Kaseya VSA ransomware attack Transnet ransomware attack Epik data breach FBI email hack National Rifle Association ransomware attack Banco de Oro hack
2022	Ukraine cyberattacks Red Cross data breach Anonymous and the Russian invasion of Ukraine Viasat hack DDoS attacks on Romania Costa Rican ransomware attack LastPass vault theft Shanghai police database leak Grand Theft Auto VI content leak
2023	Munster Technological University ransomware attack Evide data breach MOVEit data breach Insomniac Games data breach Polish railway cyberattack British Library cyberattack
2024	XZ Utils backdoor Kadokawa and Niconico Change Healthcare ransomware attack Ukrainian cyberattacks against Russia 2024 WazirX hack Trump campaign hack Fur Affinity domain hijacking IRLeaks attack on Iranian banks Internet Archive data breach

Groups

Individuals

Major vulnerabilities
publicly disclosed

SMBGhost (2020)
Thunderspy (2020)
PrintNightmare (2021)
FORCEDENTRY (2021)
Log4Shell (2021)
Account pre-hijacking (2022)
Retbleed (2022)
Downfall (2023)
LogoFAIL (2023)
Reptar (2023)
Terrapin (2023)
GoFetch (2024)
Sinkclose (2024)

Malware

2020	Adrozek Drovorub
2021	Predator
2022	Cyclops Blink Pipedream

Retrieved from "https://en.wikipedia.org/w/index.php?title=FORCEDENTRY&oldid=1263982080"

Exploit

Apple lawsuit

See also

References