Google Project Zero’s (GPZ) Ian Beer and Samuel Groß have shared details on a new exploit developed by the NSO Group that allows users (high-profile clients) of its software to access any iPhone and install spyware even when the victim doesn’t click a link.
“The capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states,”
Google’s researchers noted.
The information on the exploit, dubbed FORCEDENTRY, was shared by Citizen Lab and Apple’s Security Engineering and Architecture (SEAR) group collaborated with the Google Project Zero team for technical analysis.
Wow. Just wow. This NSO zero-click iMessage exploit is the most impressive attack code I’ve ever seen. A whole computer architecture built out of a few logic operators… in an EXPLOIT!
The talent of the individuals who came up and developed this technique is beyond impressive https://t.co/X3nVli3bOC
— Dmitri Alperovitch (@DAlperovitch) December 16, 2021
GPZ’s Analysis
According to GPZ, the new Zero-Click exploit that affects iOS version 14.7.1 and earlier is one of the most “technically sophisticated exploits we’ve ever seen.”
Beer and Groß stated that this exploit is “incredible and terrifying” because it generates an unusually emulated computer environment in an iOS component that handles GIFs and normally doesn’t support scripting capabilities.
SEE: Ex-employee stole secrets of Israeli spyware firm NSO for dark web deals
Furthermore, an attacker can run a code that resembles JavaScript in that component to write to arbitrary memory locations. This issue was reported to GPZ by Citizen Lab, which shared a sample of the NSO Group’s iMessage-based zero-click exploit for Google to analyze.
Apple Growing Wary of NSO Group’s Products
In November 2021, Apple sued the NSO and filed for a permanent ban on all kinds of software developed by the Group and its services and devices.
Additionally, Canadian firm Citizen Lab’s security researchers had previously identified a memory corruption bug (CVE-2021-30860) in joint research conducted with Amnesty International. The bug allowed a remote attacker to process a maliciously crafted PDF exposing Apple devices to arbitrary code execution.
The researchers identified the bug in the CoreGraphics component of the iOS 14.8 in September 2021 while analyzing Pegasus mobile spyware package from NSO Group. This software can be installed after executing an exploit to jailbreak the iPhone. This bug was later patched by Apple however on December 6th, it was reported that iPhones of 9 State Dept officials were hijacked with the help of NSO Pegasus spyware.
The Problem with Apple GIF Images Features
It must be noted that according to GPZ, the zero-click exploit allows Pegasus to enter an iPhone through iMessage and does not require victims to click any link, unlike its previous trick in which victims had to click links received through text messages. With zero-click exploit, victims can be targeted with just their phone number or AppleID username.
Further, the iMessage gets exposed to spyware due to weaknesses in Apple-enabled GIF images’ additional features. Apple utilizes a Fake GIF technique in the ImageIO library of its iOS to encourage endless looping of standard GIF images.
On the other hand, NSO exploits the Fake GIF trick for targeting the vulnerability in the CoreGraphics PDF parser. This trick also introduces more than twenty new image codecs, which provide attackers with a broader attack surface.
“The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…” GPZ report readS.
US Government Banned NSO Group
It is worth noting that the US Department of Commerce included the NSO Group in the “Entity List” and banned its products from entering the US markets because the company deployed spyware to foreign governments that targeted US businesses, journalists, government officials, activists, embassy workers, and academics for spying.