From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
CVE identifier(s)
  • CVE-2021-30860
  • CVE-2021-30858
Date patchedSeptember 2021[1]
DiscovererBill Marczak from Citizen Lab[1]
Affected software

FORCEDENTRY, also capitalized as ForcedEntry, is a security exploit allegedly developed by NSO Group to deploy their Pegasus spyware.[2][3] It enables the "zero-click" exploit that is prevalent in iOS 13 and below, but also compromises recent safeguards set by Apple's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability.[1][4]

The exploit was discovered by Citizen Lab,[2] who reported that the vulnerability has been used to target political dissidents and human rights activists.[5] FORCEDENTRY appears to be the same as the attack previously detected and named "Megalodon" by Amnesty International.[6]

The exploit uses PDF files disguised as GIF files to inject JBIG2-encoded data to provoke an integer overflow[7][8] in Apple's CoreGraphics system, circumventing Apple's "BlastDoor" sandbox for message content, introduced in iOS 14 to defend against KISMET, another zero-click exploit.[2][9][10] The FORCEDENTRY exploit has been given the CVE identifier CVE-2021-30860.[8] In December 2021, Google's Project Zero team published a technical breakdown of the exploit based on its collaboration with Apple’s Security Engineering and Architecture (SEAR) group.[11][12]

According to Citizen Lab, the FORCEDENTRY vulnerability exists in iOS versions prior to 14.8, macOS versions prior to macOS Big Sur 11.6 and Security Update 2021-005 Catalina, and watchOS versions prior to 7.6.2.[9]

Apple lawsuit[edit]

In November 2021, Apple Inc. filed a complaint against NSO Group and its parent company Q Cyber Technologies in the United States District Court for the Northern District of California in relation to FORCEDENTRY, requesting injunctive relief, compensatory damages, punitive damages, and disgorgement of profits.[13][14][15]

See also[edit]


  1. ^ a b c "Israeli spyware firm targeted Apple devices via iMessage, researchers say". the Guardian. 2021-09-13. Retrieved 2021-09-13.
  2. ^ a b c "Apple fixes iOS zero-day used to deploy NSO iPhone spyware". BleepingComputer (in American English). Retrieved 2021-09-14.
  3. ^ "Apple patches ForcedEntry vulnerability used by spyware firm NSO". Retrieved 2021-09-14.
  4. ^ "Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!". Naked Security (in American English). 2021-09-14. Retrieved 2021-09-14.
  5. ^ "Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits". Citizenlab. 24 August 2021. Retrieved 24 August 2021.
  6. ^ "Bahrain targets activists with NSO's Pegasus spyware". IT PRO. Retrieved 2021-09-15.
  7. ^ Claburn, Thomas. "Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware". Retrieved 2021-09-15.
  8. ^ a b "About the security content of macOS Big Sur 11.6". Apple Support. Retrieved 2021-09-14.
  9. ^ a b "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild". The Citizen Lab (in American English). 2021-09-13. Retrieved 2021-09-13.
  10. ^ "New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox". Retrieved 2021-09-14.
  11. ^ Beer, Ian; Groß, Samuel (2021-12-15). "Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution". Google Project Zero. Retrieved 2021-12-16.{{cite web}}: CS1 maint: url-status (link)
  12. ^ "Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group". 15 December 2021.
  13. ^ Kirchgaessner, Stephanie (2021-11-23). "Apple sues Israeli spyware firm NSO Group for surveillance of users". the Guardian. Retrieved 2021-11-23.{{cite web}}: CS1 maint: url-status (link)
  14. ^ "Apple sues NSO Group to curb the abuse of state-sponsored spyware". Apple Newsroom (in American English). 2021-11-23. Retrieved 2021-11-23.
  15. ^ "APPLE INC., v. NSO GROUP TECHNOLOGIES LIMITED, and Q CYBER TECHNOLOGIES LIMITED" (PDF). Retrieved 2021-11-23.{{cite web}}: CS1 maint: url-status (link)