News

Just Looking at That Message Could Compromise Your Device

That lovely photo is more than just a photo.

main learning point

  • Analyzing the eavesdropping scandal uncovered by Citizen Lab, security researchers at Google have discovered a new attack mechanism called a zero-click vulnerability.
  • Traditional security tools, such as antivirus programs, cannot block security breaches with one click.
  • Apple has blocked one, but researchers are concerned that there will be many more no-click exploits in the future.

Screen Publishing / Unspalsh.com

Following security best practices is considered a smart way to keep devices like laptops and smartphones safe, or until researchers discover new tricks that are nearly undetectable.

While analyzing a vulnerability recently fixed by Apple to install Pegasus spyware on specific targets, security researchers at Google’s Project Zero discovered an innovative new attack mechanism they call a “zero-click vulnerability” that any mobile antivirus Software can’t stop it.

“There is no way to prevent exploitation through a ‘no-click attack’ other than not using the device; it’s an indefensible weapon,” Google Project Zero engineers Ian Beer and Samuel Gross said in a blog post .

frankenstein monster

Pegasus spyware is the brainchild of Israeli tech company NSO Group, which has now been added to the US “entity list”, essentially excluding it from the US market.

“It’s not clear what a reasonable privacy statement is on a cell phone, we often make very private calls in public places. But we certainly don’t want anyone listening to our calls, although that’s what Pegasus allows people to do,” Cyber ​​Security Saryu Nayyar, CEO of the company Gurucul, explained in an email to Lifewire.

“As end users, we must always be careful when opening messages from unknown or untrusted sources, no matter how appealing the subject or message…”

Pegasus spyware rose to prominence in July 2021, when Amnesty International revealed it was used to spy on journalists and human rights activists around the world.

This was followed by the August 2021 disclosure by Citizen Lab researchers that they found evidence that nine Bahraini militants were targeted by bypassing the latest known security measures in iOS 14, collectively known as BlastDoor. iPhone 12 Pros were spied.

Apple even filed a lawsuit against NSO Group, saying it was responsible for bypassing the iPhone’s security mechanisms and monitoring Apple users through Pegasus spyware.

“State-sponsored actors like the NSO Group spend millions of dollars purchasing advanced surveillance technology without effective accountability. This must change,” said Craig Federer, Apple’s senior vice president of software engineering Ji said in a press release about the lawsuit.

In a two-part Google Project Zero post, Beer and Groß explain how the NSO Group used a zero-click attack mechanism to introduce Pegasus spyware into a target’s iPhone, which they describe as incredible and terrifying.

A zero-click vulnerability is exactly what it sounds like: the victim doesn’t have to click or tap anything to be attacked. Instead, just look at emails or messages that contain malicious malware and you can install it on your device.

Close-up of message on smartphone.

Jamie Street / Unsplash.com

impressive and dangerous

According to the researchers, the attack started with malicious messages in the iMessage app. To help us crack the hackers’ rather sophisticated attack methods, Lifewire enlisted the help of independent security researcher Devanand Premkumar.

Premkumar explained that iMessage has several built-in mechanisms for handling animated .gif files. One of the methods uses a library called ImageIO to check for specific file formats. Hackers use a “bad trick” to gain access to a target iPhone by exploiting a weakness in the underlying support library CoreGraphics.

“As end users, we must always be careful when accessing messages from unknown or untrusted sources, no matter how compelling the subject or message, as it is being used as the primary access point for mobile phones,” Premkumar said in an email told Lifewire. -mail.

Premkumar added that currently known attack mechanisms only work on iPhones, while reviewing the steps Apple has taken to eliminate current vulnerabilities. But while the current attack is decreasing, the attack mechanism opens a Pandora’s box.

Closeup of app page on red iPhone with large numbers in email badge.

Sara Kurfeß / Unsplash

“Zero-click exploits aren’t going away anytime soon. More and more of these exploits will be tested and deployed against high-profile targets for sensitive and valuable data that can be extracted from exploited users’ phones,” Premkumar said.

Meanwhile, in addition to the lawsuit against the NSO, Apple has decided to provide Citizen Lab researchers with free technical, threat intelligence, and technical support, and has pledged to provide the same support to other organizations doing critical work in this area.

In addition, the company donated $10 million and all damages awarded in the lawsuit to support organizations involved in defending and investigating online surveillance abuses.

Content

Just Looking at That Message Could Compromise Your Device

That cute picture might be more than an image

Key Takeaways
Analyzing the spying scandal uncovered by Citizen Lab, Google security researchers have discovered a novel attack mechanism known as a zero-click exploit.
Traditional security tools like antivirus cannot prevent zero-click exploits.
Apple has stopped one, but researchers fear there will be more zero-click exploits in the future.
Screen Post / Unspalsh.com

Following security best practices is considered a prudent course of action for keeping devices like laptops and smartphones safe, or it was until researchers discovered a new trick that is virtually undetectable.

As they dissect the recently patched Apple bug that was used to install the Pegasus spyware on specific targets, security researchers from Google’s Project Zero have discovered an innovative new attack mechanism they’ve dubbed a “zero-click exploit,” that no mobile antivirus can foil. 

“Short of not using a device, there is no way to prevent exploitation by a ‘zero-click exploit;’ it’s a weapon against which there is no defense,” claimed Google Project Zero engineers Ian Beer & Samuel Groß in a blog post.  

Frankenstein’s Monster

The Pegasus spyware is the brainchild of the NSO Group, an Israeli technology firm that has now been added to the US “Entity List,” which essentially blocklists it from the US market.

“It’s not clear what a reasonable explanation of privacy is on a cell phone, where we often make highly personal calls in public places.  But we certainly don’t expect someone to listen in on our phone, though that’s what Pegasus enables people to do,” explained Saryu Nayyar, CEO of cybersecurity company Gurucul, in an email to Lifewire.

“As end-users, we should always be cautious about opening messages from unknown or untrusted sources, no matter how enticing the subject or message be…”

The Pegasus spyware came into the limelight in July 2021, when Amnesty International revealed that it was used to spy on journalists and human rights activists worldwide. 

This was followed by a revelation from researchers at Citizen Lab in August 2021, after they found evidence of surveillance on iPhone 12 Pro’s of nine Bahraini activists through an exploit that evaded the latest security protections in iOS 14 collectively known as BlastDoor.

In fact, Apple has filed a lawsuit against the NSO Group, holding it accountable for circumventing iPhone security mechanisms to surveil Apple users via its Pegasus spyware.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in the press release about the lawsuit.

In the two-part Google Project Zero post, Beer and Groß explained how the NSO Group got the Pegasus spyware onto the iPhones of the targets using the zero-click attack mechanism, which they described as both incredible and terrifying.

A zero-click exploit is exactly what it sounds like—the victims don’t need to click or tap anything to be compromised. Instead, simply viewing an email or message with the offending malware attached allows it to install on the device.

Jamie Street / Unsplash.com
Impressive and Dangerous

According to the researchers, the attack begins through a nefarious message on the iMessage app. To help us break down the rather complex attack methodology devised by the hackers, Lifewire enlisted the help of independent security researcher Devanand Premkumar.

Premkumar explained that iMessage has several in-built mechanisms to handle animated .gif files. One of these methods checks the specific file format using a library named ImageIO. The hackers used a ‘gif trick’ to exploit a weakness in the underlying support library, called CoreGraphics, to gain access to the target iPhone. 

“As end-users, we should always be cautious about opening messages from unknown or untrusted sources, no matter how enticing the subject or message be, as that is being used as the primary entry point into the mobile phone,” Premkumar advised Lifewire in an email.  

Premkumar added that the current attack mechanism is only known to work on iPhones as he ran through the steps Apple has taken to defang the current vulnerability. But while the current attack has been curtailed, the attack mechanism has opened Pandora’s box.

Sara Kurfeß / Unsplash

“Zero-click exploits are not going to die anytime soon. There will be more and more of such zero-click exploits tested and deployed against high profile targets for the sensitive and valuable data which can be extracted from such exploited users’ mobile phones,” said Premkumar. 

Meanwhile, in addition to the lawsuit against NSO, Apple has decided to provide technical, threat intelligence, and engineering assistance to the Citizen Lab researchers pro-bono and has promised to offer the same assistance to other organizations doing critical work in this space. 

Additionally, the company has gone to the extent of contributing $10 million, as well as all the damages awarded from the lawsuit to support organizations involved in the advocacy and research of cyber-surveillance abuses.

#Message #Compromise #Device

Tài Chính Kinh Doanh

Business Finance - Synthesize economic and financial news, market price news, insurance news.... Start-up investment opportunities, business cooperation and loan guidance. #taichinhbusiness #taichinh #tintuctaichinh #tintucbaohiem Contact Info: Website: https://taichinhquangdoanh.info/ Mail: Address: 63-47 To Hien Thanh Ward, Le Dai Hanh, Hai Ba Trung, Hanoi, Vietnam

Trả lời

Email của bạn sẽ không được hiển thị công khai. Các trường bắt buộc được đánh dấu *

Back to top button