FORCEDENTRY, also capitalized as ForcedEntry, is a
security exploit
An exploit is a method or piece of code that takes advantage of Vulnerability (computer security), vulnerabilities in software, Application software, applications, Computer network, networks, operating systems, or Computer hardware, hardware, typic ...
allegedly developed by
NSO Group
NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company's founders) is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance ...
to deploy their
Pegasus spyware.
[ It enables the " zero-click" exploit that is prevalent in ]iOS 13
iOS 13 is the thirteenth major release of the iOS mobile operating system developed by Apple for the iPhone, iPod Touch and HomePod. The successor to iOS 12, it was announced at the company's Worldwide Developers Conference (WWDC) on June ...
and below, but also compromises recent safeguards set by Apple
An apple is a round, edible fruit produced by an apple tree (''Malus'' spp.). Fruit trees of the orchard or domestic apple (''Malus domestica''), the most widely grown in the genus, are agriculture, cultivated worldwide. The tree originated ...
's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability.
Exploit
The exploit was discovered by Citizen Lab, who reported that the vulnerability has been used to target political dissidents and human rights activists. FORCEDENTRY appears to be the same as the attack previously detected and named "Megalodon" by Amnesty International
Amnesty International (also referred to as Amnesty or AI) is an international non-governmental organization focused on human rights, with its headquarters in the United Kingdom. The organization says that it has more than ten million members a ...
.
The exploit uses PDF
Portable document format (PDF), standardized as ISO 32000, is a file format developed by Adobe Inc., Adobe in 1992 to present documents, including text formatting and images, in a manner independent of application software, computer hardware, ...
files disguised as GIF
The Graphics Interchange Format (GIF; or , ) is a Raster graphics, bitmap Image file formats, image format that was developed by a team at the online services provider CompuServe led by American computer scientist Steve Wilhite and released ...
files to inject JBIG2-encoded data to provoke an integer overflow
In computer programming, an integer overflow occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits – either higher than the maximu ...
in Apple's CoreGraphics system, circumventing Apple's "BlastDoor" sandbox
A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic.
Sandbox or sand box may also refer to:
Arts, entertainment, and media
* Sandbox (band), a Canadian rock music group
* Sandbox (Gu ...
for message content. BlastDoor was introduced as part of iOS 14 to defend against KISMET, another zero-click exploit. The FORCEDENTRY exploit has been given the CVE identifier CVE-2021-30860.[ In December 2021, Google's Project Zero team published a technical breakdown of the exploit based on its collaboration with Apple’s Security Engineering and Architecture (SEAR) group.]
The exploit was described by Project Zero team:
JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gate
A logic gate is a device that performs a Boolean function, a logical operation performed on one or more binary inputs that produces a single binary output. Depending on the context, the term may refer to an ideal logic gate, one that has, for ...
s operating on arbitrary memory
Memory is the faculty of the mind by which data or information is encoded, stored, and retrieved when needed. It is the retention of information over time for the purpose of influencing future action. If past events could not be remembe ...
. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript
JavaScript (), often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. Ninety-nine percent of websites use JavaScript on the client side for webpage behavior.
Web browsers have ...
, but it's fundamentally computationally equivalent.
The bootstrapping operations for the sandbox
A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic.
Sandbox or sand box may also refer to:
Arts, entertainment, and media
* Sandbox (band), a Canadian rock music group
* Sandbox (Gu ...
escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.
According to Citizen Lab, the FORCEDENTRY vulnerability exists in iOS versions prior to 14.8, macOS
macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...
versions prior to macOS Big Sur
macOS Big Sur (version 11) is the seventeenth software versioning, major release of macOS, Apple Inc., Apple's operating system for Macintosh computers. It was announced at Apple's Worldwide Developers Conference (WWDC) on June 22, 2020, and w ...
11.6 and Security Update 2021-005 Catalina, and watchOS
watchOS is the operating system of the Apple Watch, developed by Apple Inc., Apple. It is based on iOS, the operating system used by the iPhone, and has many similar features. It was released on April 24, 2015, along with the Apple Watch, the o ...
versions prior to 7.6.2.[
]
Apple lawsuit
In November 2021, Apple Inc. filed a complaint against NSO Group and its parent company Q Cyber Technologies in the United States District Court for the Northern District of California in relation to FORCEDENTRY, requesting injunctive relief, compensatory damages, punitive damages, and disgorgement of profits but in 2024 asked the court to dismiss the lawsuit.
See also
* iMessage
References
{{Hacking in the 2020s
Spyware
Privilege escalation exploits
MacOS malware