Pegasus spyware hacking: Reports show latest iPhones with iOS 14 can be hacked with zero-click iMessage exploit

Pegasus spyware-making Israeli company, NSO Group, has found itself in dire straits again. The software was used to snoop on a large set of people, as their mobile numbers were found in a leaked database. NSO Group's spyware is already notorious for giving backdoors to the mobile phones of the targeted entities. Both Android and the iPhone are the targets, but the latter is easier to be put on surveillance through Pegasus. And, according to a report, Apple's zero-click exploit on iMessage made this job far easier.

Amnesty International, which unearthed the leaked database in collaboration with Pegasus Project, which is a consortium of news organisations that have seen the leaked database, has refuted NSO Group's claims that Pegasus is used to investigate crime and terrorism-related cases and that it does not leave any traces. Amnesty International's Security Lab carried out an in-depth forensic analysis of several mobile phones of human rights defenders and journalists from around the world to find out that Pegasus's surveillance is not just a violation of user privacy, it also goes against human rights.

According to the forensic methodology report by Amnesty, Apple's iPhone is the easiest to snoop on using the Pegasus software. The leaked database shows that iPhones running iOS 14.6 contain a zero-click iMessage exploit and this exploit could have been used to install Pegasus software on the iPhone devices of the targeted entities. This exploit was discovered by Citizen Labs previously. It was known as KISMET and it allowed the installation of Pegasus software for the purpose of complete surveillance. The exploit was patched through an urgent software update that Apple released, but it seems like the exploit remains dormant until a zero-click is fired.

Citizen Lab's researcher Bill Marczak said that Apple has a major problem with iMessage's security even after the patch, which brought the BlastDoor Framework as a part of the iOS 14 update. Apple's BlastDoor Framework is supposed to make zero-click exploitation more difficult, thereby making the installation of the Pegasus spyware. However, the BlastDoor Framework may not be working as intended. Case in point: the fresh Pegasus surveillance scandal, which involves not just prominent journalists from around the globe, but also ministers and other high-profile entities. The researcher has noted that the spyware installed through zero-click exploits is no longer "persistent".

According to Marczak, Apple using just sandboxing on iMessage does not solve what BlastDoor Framework should ideally. This means that whatever properties that BlastDoor has are kind of weakened by the sandboxing process, giving access to zero-click exploits. "How about: "don't automatically run extremely complex and buggy parsing on data that strangers push to your phone?!"" said Marczak in a tweet. The leaked database of the targeted iPhones has call logs and it was possible for Pegasus to retrieve them using an exploit in the ImageIO in iOS 13 and iOS 14 by parsing JPEG and GIF images. Marczak said that there have been "a dozen" high-severity bugs in Apple's ImageIO.

Pegasus has raised several questions, more so when the clients using it involve governments from all around the world. WhatsApp has already slammed NSO Group for providing tools that make privacy a severely unimportant aspect. But a bigger question looms over Apple's claims that it has time and again made to show how iPhones are the epitome of user privacy. If a single zero-click exploit could have allowed mass surveillance, imagine what other vulnerabilities could do. Apple has not said anything about the incident yet.