Ian Beer publishes extensive write-up on FORCEDENTRY zero-click iMessage exploit used by NSO Group in Pegasus spyware

The iOS & iPadOS 14.8 update that Apple shipped in mid-September was more than a routine point release. It also closed a dangerous zero-click iMessage exploit dubbed FORCEDENTRY (CVE-2021-30860) that Israel's NSO Group was actively using to target and surveil activists, journalists, and other high-profile individuals. Zero-click means exactly that: the victim did not have to open, tap, or even notice the message for the exploit to run.

Today, renowned security researcher Ian Beer of Google Project Zero, in collaboration with Samuel Groß, published a detailed write-up of the FORCEDENTRY exploit, including an extensive description of the bug and how the exploit works.

The FORCEDENTRY exploit was delivered by the spyware now commonly referred to as Pegasus. It abused a memory-corruption bug in CoreGraphics' PDF parsing (specifically its JBIG2 image codec) to get past the BlastDoor iMessage protections Apple introduced in iOS & iPadOS 14, hence the name. More alarming still, merely receiving a maliciously crafted PDF, disguised as an image attachment in an iMessage, was enough to hand the attacker remote arbitrary code execution, leaving the spyware free to run on the victim's handset.

For those who don't already know, Apple designed BlastDoor as an additional sandbox in which untrusted iMessage content is parsed, so that a bug in a file format decoder is contained and cannot directly compromise the rest of the operating system. iOS and iPadOS already sandbox apps for the same reason; BlastDoor was meant to take that one step further for the attack surface that matters most. At the time, though, FORCEDENTRY got around all of that.

Apple has since sued NSO Group over its use of Pegasus to target and surveil the company's users.

While the FORCEDENTRY bug stirred up a great deal of fear among iPhone and iPad users at the time, it is no longer a concern for anyone running iOS or iPadOS 14.8 or later. Jailbreakers who chose to stay on iOS or iPadOS 14.7.1 or earlier, and who therefore remained vulnerable, could install a jailbreak tweak dubbed FORCEDEXIT as a stopgap. Note the caveat: a tweak is a runtime mitigation, not a patch, and it only protects the device while it is actually in a jailbroken state, so it is no substitute for updating.

Many of the details of FORCEDENTRY will be vaguely familiar if you closely followed the Pegasus spyware story a few months back. Even so, you are likely to appreciate Beer's attention to detail as he walks through how the exploit is executed, how it works, and why it works.

In Beer's own words, FORCEDENTRY was "one of the most technically sophisticated exploits we've ever seen," so the write-up is well worth a read if you are in the mood to learn something new about software security research.