T-Room

The Best in Alternative News

December 17, 2021 at 7:04 pm

Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’…


by Ryan Naraine at Security Week

Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations.

If that makes you scratch your head, that was exactly the reaction from Google’s premier security research team after disassembling the so-called FORCEDENTRY iMessage zero-click exploit used to plant NSO Group’s Pegasus surveillance tool on iPhones.

“We assess this to be one of the most technically sophisticated exploits we’ve ever seen,” Google’s Ian Beer and Samuel Groß wrote in a technical deep-dive into the remote code execution exploit that was captured during an in-the-wild attack on an activist in Saudi Arabia.

Google said it received a sample of the exploit from Citizen Lab and collaborated with Cupertino’s usually secretive Security Engineering and Architecture (SEAR) group on a technical analysis that discovered a head-scratching array of technical sophistication in an exploit platform sold to governments around the world.

The researchers said the sophistication of the exploit is confirmation that hackers at the Israel-based NSO Group have technical expertise and resources to rival those previously thought to be accessible to only a handful of nation states.

Apple shipped a patch for the FORCEDENTRY zero-day (CVE-2021-30860) in September this year after Citizen Lab documented an iOS zero-click exploit for iMessage that bypassed Apple’s ‘BlastDoor’ sandbox to plant the Pegasus spyware on iPhones. Citizen Lab said the FORCEDENTRY exploit was used to plant the Pegasus malware on the iPhones of nine Bahraini human rights activists between June 2020 and February 2021.

In its breakdown, Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and do not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices. By targeting iMessage, the NSO Group hackers needed only a phone number or an AppleID username to take aim and fire eavesdropping implants.

Because iMessage has native support for GIF images (especially those that loop endlessly), Project Zero’s researchers found that this expanded the attack surface and ended up being abused in an exploit cocktail that targeted a security defect in Apple’s CoreGraphics PDF parser.

Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain-specific image codec designed to compress images where pixels can only be black or white.

Describing the exploit as “pretty terrifying,”…
